PHorensically Speaking: Cost of Data Breach and New COSO Guidance On Cyber, Risk Appetite Statements, Compliance, and Boards' Management of Strategic Risks

The Cost of Data Breach Report (“Report”) found that the average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased beyond the 2017 report averages:

The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 percent

The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent

The average size of the data breaches in this research increased by 2.2 percent

The Report also highlights the relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences.

The mean time to identify (MTTI) was 197 days

The mean time to contain (MTTC) was 69 days

Companies that contained a breach in less than 30 days saved over $1 million compared with those that took more than 30 days to resolve it

USD 3.92 million – Average total cost of a data breach

United States – Most expensive country: USD 8.19 million

Healthcare – Most expensive industry: USD 6.45 million

25,575 records – Average size of a data breach

Data breaches can cause devastating financial losses and affect an organization’s reputation for years. From lost business to regulatory fines and remediation costs, data breaches have far-reaching consequences.

The annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, analyzes data breach costs reported by 507 organizations across 16 geographies and 17 industries.

You should read the report to discover all the factors that influence the cost of a data breach and which security measures can help organizations reduce the financial impact.

Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) is developing guidance for companies on how to manage cybersecurity and other risks.

The COSO guidance is intended to give companies more detailed instructions on how to apply the five interrelated components of COSO’s risk-management framework, which are broken down into 20 principles and include board-level oversight of risk management, to information security. Specifically, it addresses how companies can apply the principles of enterprise risk management (ERM) to protect against cyberattacks.

Other COSO guidance expected soon should include how to better craft risk-appetite statements; how to better manage risk and compliance across an enterprise; and guidance for board directors on managing strategic risks, the kind that arise when companies expand, launch new products or change pricing models.

Compliance

COSO’s guidance on compliance is being drafted in partnership with the Society of Corporate Compliance and Ethics (“SCCE”). More to come…

I welcome your thoughts and comments!

Best,

Jonathan T. Marks

Attribution:

IBM, Ponemon, WSJ, COSO