Data Breach Cost – What USD 4.88 Million Actually Means for Your Business

In this article you will read:

  • How much does a data breach cost
  • Which sectors bear the highest costs of data breaches
  • What data breach costs are most often overlooked

What does a data breach cost in 2026? IBM’s Cost of a Data Breach Report 2024 put the global average total cost at USD 4.88 million – up 10% from USD 4.45 million in 2023 and the largest single-year increase since the pandemic. That headline figure is not the most useful number for a board. The useful questions are what it contains, when the cash actually leaves the business, and which parts can be reduced through disciplined investment. Around 40% of breach cost sits in direct, visible categories such as detection, containment, forensic work, legal advice, notification, and recovery labour. The remaining 60% sits in the long tail: customer churn, delayed deals, operational downtime, management distraction, and increased insurance premiums.

Data breach cost – at a glance:

  1. IBM 2024: global average breach cost reached USD 4.88 million – up 10% year-on-year, the largest increase since the pandemic
  2. IBM 2024: organisations with extensive security AI and automation averaged USD 3.31 million per breach vs USD 5.72 million for those with no automation – a USD 2.41 million spread
  3. IBM 2024: average breach lifecycle is 194 days to identify plus 64 days to contain – roughly 60% of financial damage accumulates in the months after the initial incident, not on day one
  4. IBM 2024: healthcare breaches averaged USD 9.77 million; financial services averaged USD 6.08 million – sector matters for both your own exposure and your supply-chain obligations
  5. Sophos State of Ransomware 2024: average ransomware downtime is 22 days; average recovery cost (excluding ransom) reached USD 2.73 million
  6. GDPR Article 83: fines for security failures under Articles 32–34 can reach EUR 10 million or 2% of global annual turnover – whichever is higher
  7. Latitude Financial 2023: disclosed AUD 68.3 million in cyberattack-related costs – approximately EUR 42 million at ECB reference rates from March 2026

What are the direct and indirect components of a data breach cost?

IBM’s component analysis shows the 2024 cost spike was driven primarily by lost business and post-breach response activity – not by technical clean-up costs. Finance teams often model the invoice costs and miss the commercial drag that follows for quarters.

Cost category | Typical range (USD) | Typical range (GBP) | What sits inside the number
Detection and containment | $200K–$500K | £157K–£393K | Forensics, IR retainers, log analysis, threat hunting, containment engineering
Notification and customer response | $50K–$200K | £39K–£157K | Regulator submissions, customer notices, call centres, credit monitoring
Legal and regulatory | $100K–$500K+ | £79K–£393K+ | External counsel, regulator response, document production; GDPR fines sit above this
Operational downtime | $250K–$1M+ | £197K–£787K+ | Lost output, stalled transactions, delayed invoicing, overtime, manual workarounds
Recovery and remediation | $150K–$600K | £118K–£472K | System rebuilds, hardening, patching, new tooling, consulting, post-incident projects
Reputational and lost business | $300K–$2M+ | £236K–£1.57M+ | Customer churn, lower renewal rates, procurement friction, delayed enterprise deals

GBP conversion shown at approximately £0.787 per USD; boards should recalculate using current treasury assumptions.

A second financial point that is frequently missed: not every breach cost lands in the same quarter. Detection and containment hit immediately. Lost business, higher insurance premiums, and remediation projects can drag into the next two to six quarters. This matters when covenant tests, fundraising, or procurement reviews are scheduled in the same period.

Why do small and mid-sized companies pay proportionally more per breach than large enterprises?

The absolute cost of a breach is usually lower for a 150-person company than for a global healthcare network. But the proportional cost often runs the other way. A large enterprise may absorb a USD 5 million event as a painful but manageable 0.1–0.5% of annual revenue. A mid-market firm can experience the same categories of cost as 3–8% of annual revenue, because it lacks the fixed infrastructure large organisations use to absorb shock.

Three structural reasons explain the SME multiplier. First, smaller companies typically do not maintain a dedicated incident response team, privacy counsel panel, crisis communications function, and pre-negotiated forensic retainer. They buy these under stress, at premium rates, while losing time. Second, customer concentration is higher – if three enterprise customers represent 40% of revenue, one breach does not need to trigger mass churn to become strategically serious. Third, management bandwidth is thin. In a 150-person company, the CFO, CTO, COO, and CEO are all pulled directly into the response – expensive in labour terms and in opportunity-cost terms.

IBM found breach lifecycles exceeding 200 days were materially more expensive. Large companies are not always better at security, but they are more likely to have tooling, retained counsel, and tested playbooks. SMEs often spend the first 24–72 hours deciding who is in charge and who to call. That delay becomes a balance-sheet issue (IBM Cost of a Data Breach Report 2024).

What does the Latitude Financial case tell boards about real-world breach economics?

Latitude Financial, the Australian consumer lender, disclosed in its 2023 annual report that the March 2023 cyberattack resulted in AUD 68.3 million in cyberattack-related costs and provisions – approximately EUR 42 million and GBP 36 million at ECB reference rates from 18 March 2026. The same annual report recorded a statutory net loss of AUD 137.9 million for the year, or approximately EUR 85 million. The company also reported weeks of operational disruption and a decision not to pay a final dividend.

This case is useful because the numbers are not abstract. They show how a cyber event in a financial services company becomes a balance-sheet event: direct response costs, interrupted business activity, a wider earnings impact, and reduced investor confidence. Boards should stop asking whether they are big enough to matter to attackers and start asking whether they are resilient enough to keep a material incident inside an acceptable financial envelope.

What does cyber insurance cover and what does it not cover after a data breach?

Cyber insurance can help with forensic costs, legal support, public relations, notification, credit monitoring, business interruption, and in some cases ransom payment. It can also provide access to breach coaches and panel responders that would be harder to source under pressure.

Two caveats matter for boards. First, coverage is not comprehensive. Many policies include sub-limits, exclusions, waiting periods, coinsurance provisions, and conditions precedent. Nation-state and war-related exclusions remain particularly sensitive – Lloyd’s market rules on state-backed cyber exclusions changed from 31 March 2023. Second, underwriters continue to scrutinise MFA, backups, EDR, privileged access, and vendor exposure. A poor incident history can raise the future cost of cover even if an initial claim is partly paid (Marsh Global Insurance Market Index 2023–2025).

Strong controls improve the economics of a breach and strengthen insurability. Insurance improves liquidity and access to specialist response when a breach occurs. Neither works especially well alone.

How do you build a board-ready ROI case for cybersecurity investment?

Use expected annual loss. Multiply the annual probability of a material breach by the expected economic impact of that breach, then compare the current-state figure with the residual figure after proposed controls are implemented.

Variable | Conservative assumption | Illustrative value | Board question
Annual probability of material breach (current) | 10% | 0.10 | How exposed are we given our sector, controls, and customer profile?
Expected cost per material breach (current) | EUR 1.64M | 1,640,000 | What would one realistic breach cost us – not just technically but commercially?
Expected annual loss (current) | Probability × cost | 164,000 | What is our current annualised financial exposure?
Annual security programme cost | Fixed annual spend | 280,000 | What are we proposing to invest?
Probability after uplift | 6% | 0.06 | Which controls reduce likelihood?
Expected cost per breach after uplift | EUR 1.05M | 1,050,000 | Which controls reduce impact and downtime?
Expected annual loss after uplift | Probability × cost | 63,000 | How much risk-adjusted loss remains?
Expected annual loss avoided | Difference | 101,000 | How much loss do we avoid each year?

The board case becomes much stronger when you include commercial and insurance side-benefits: lower procurement friction, better audit outcomes, fewer emergency capital requests, and smoother enterprise sales. Learn more about ISO 27001 as a commercial investment and PCI DSS certification.
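The expected-annual-loss comparison above, as an added worked example that is not part of the original article or Patronusec's own tooling. It reproduces the table's illustrative figures and also sets the avoided loss against the annual programme cost, which is the gap that the commercial and insurance side-benefits have to close.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    """One state of the world: likelihood of a material breach and its expected cost (EUR)."""

    annual_probability: float  # 0.10 means one material breach expected roughly every ten years
    cost_per_breach: float     # expected economic impact of one breach, direct costs plus long tail

    def expected_annual_loss(self) -> float:
        # Expected annual loss (EAL) is the table's "Probability × cost" row.
        return self.annual_probability * self.cost_per_breach


def board_case(current: BreachScenario, uplifted: BreachScenario, programme_cost: float) -> dict:
    """Compare current-state EAL with the residual EAL after the proposed controls.

    Returns the avoided loss and the net position once the fixed annual programme
    cost is deducted, before any side-benefits (procurement, audit, insurance) are counted.
    """
    eal_current = current.expected_annual_loss()
    eal_after = uplifted.expected_annual_loss()
    avoided = eal_current - eal_after
    return {
        "eal_current": eal_current,
        "eal_after_uplift": eal_after,
        "loss_avoided": avoided,
        # Negative means the EAL reduction alone does not cover the spend.
        "net_after_programme_cost": avoided - programme_cost,
        # Side-benefits that must be evidenced for the case to break even (0 if already positive).
        "side_benefits_needed_to_break_even": max(0.0, programme_cost - avoided),
    }


if __name__ == "__main__":
    # Illustrative values from the table: 10% at EUR 1.64M today, 6% at EUR 1.05M after uplift,
    # against a EUR 280K annual security programme.
    result = board_case(
        BreachScenario(annual_probability=0.10, cost_per_breach=1_640_000),
        BreachScenario(annual_probability=0.06, cost_per_breach=1_050_000),
        programme_cost=280_000,
    )
    for name, value in result.items():
        print(f"{name:>34}: EUR {value:>12,.0f}")
```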


FAQ

What is the average cost of a data breach in 2026?

IBM’s Cost of a Data Breach Report 2024 put the global average at USD 4.88 million. That is an average across regions and industries – sector, geography, attack type, and breach duration all move the number significantly.

How much does a data breach cost a small or mid-sized company?

Many mid-market incidents land below USD 4.88 million in absolute terms but hit proportionally harder – often 3–8% of annual revenue once downtime, churn, legal support, and remediation are included. The key mistake is modelling only the technical invoice and ignoring the long tail.

What are the hidden costs of a data breach?

Hidden costs typically include lost business, slower sales cycles, customer churn, management distraction, premium increases, and unplanned remediation projects. IBM 2024 attributes much of the recent cost increase to lost business and post-breach response rather than to technical clean-up.

Does cyber insurance cover all data breach costs?

No. Cyber insurance can cover parts of the direct cost stack – forensics, legal support, notification, public relations, and some business interruption – but policies often include exclusions, sub-limits, waiting periods, and conditions. It does not restore reputation or eliminate churn.

Which industry has the highest data breach costs?

IBM’s 2024 report puts healthcare at the top with an average breach cost of USD 9.77 million, followed by financial services at USD 6.08 million. That matters even to suppliers selling into those sectors, because buyers impose higher control expectations on their vendors.

How do you calculate the ROI of a cybersecurity investment?

Use expected annual loss: multiply the annual probability of a material breach by the expected economic impact, then compare the current-state figure with the residual figure after proposed controls are implemented. Add commercial and insurance side-benefits to build a complete board case.


Data breach cost analysis – free board session

Patronusec helps boards build a defensible investment case: breach exposure, likely direct costs, likely long-tail costs, current control gaps, insurability constraints, and the annual loss avoided by closing the highest-value gaps first.
Book a no-commitment call with our team.
