One of the big questions businesses and organisations around the globe are grappling with right now involves quantifying the cost of a breach. In PCI DSS terms this most often relates to what we consider an ‘Account Data Compromise’ (ADC).
An ADC Event is defined by MasterCard as “an occurrence that results, directly or indirectly in the unauthorised access to or disclosure of … account data”. Account data includes both cardholder data (CHD) and sensitive authentication data (SAD). This sort of situation is obviously the last place anybody wants to find themselves and plays a big part in justifying the need for security investment to senior management and boards. In this article we’ll uncover some of the costs associated with an Account Data Compromise, hopefully providing even further justification as to the benefits of implementing proactive, ongoing security controls across any organisation.
The headline figure for a topic like this comes from in the form of IBM’s cost of a data breach report 2022 which found that on average, the cost of a breach (not necessarily an ADC which can have additional costs) totalled $4.35 million (USD)1. This is up 2.6% on last year, and 12.7% on 2020 affirming the clear trend that these events are becoming increasingly costly to organisations that encounter them. In terms of geographic spread, the United States continues to leads the way with their average cost amounting to $9.44 million (USD).
But drilling into this figure further, particularly with a PCI specific lens, what exactly makes up the total cost? We’ve done some thinking of our own on this and highlighted just some of the key areas below:
1. Card Scheme Penalties
Following an account data compromise, the card schemes have clearly defined penalties to be used at their discretion. These fines not only account for the one-off cost of the compromise, but also ongoing costs of an organisation remaining in a state of non-compliance against PCI. An example here would be Visa, who note a penalty of up to $25,0002 (USD) for the compromise, with an additional $25,000 (USD) per month the targeted organisation remains non-compliant. And Mastercard fines can be even worse with a fine of up to $100,000 (USD) per non-compliant requirement, with $25,000 (USD) per day of non-compliance!
2. Regulatory Penalties
Different jurisdictions have a variety of laws and penalties covering the event of an account data compromise. Here in Quasar HQ’s home country, the New Zealand Privacy Act (2020) includes the option of a $10,000 (NZD) penalty which in reality is a miniscule amount in comparison the rest of the world. Australia (Privacy Act), Europe (GDPR), Korea (PIPA) and North America (e.g. CCPA, VCDPA, ColoPA) have more sizeable penalties when it comes to a data compromise which are usually either a percentage of the organisation’s global turnover or a set amount, with the final fine being whichever of the two is higher. The highest GDPR fine to date as of 2022 was 746 Euros.3
3. Internal Costs
Invariably, in the event of a breach organisations are going to devote a considerable amount of time and resource to addressing vulnerabilities and putting changes in place to plug compliance gaps. This may involve new technology, additional staff, or having to pull them away from what was up until recently a critical business priority or project.
4. Forensic Investigation
In many cases, after an ADC the schemes mandate the use of a Payment Card Industry Forensic Investigator (PFI) whose job it is to do an in-depth investigation of the event and how it took place. These are very specialised investigators who certainly don’t come cheap, with estimates of this cost totalling over $100K (USD).4
5. Insurance Premiums
This one is an area of growing importance in recent years with cyber insurance becoming a critical part of any organisations risk strategy. A data compromise would substantially add to this cost, in an industry that is already seeing premiums on the rise across the board.5
6. The Intangibles
The hardest to quantify, although in many ways the most important aspect of the overall cost is what we refer to as ‘the intangibles’. Here we’re talking about damage to an organisations brand, reputation and overall trust from customers who become the innocent victims of such an event. If you’re a bank, how may customer will cancel their cards and close their accounts? If you’re a retailer, how many would-be lifetime customers won’t enter your store or purchase another product from your website again? Not to mention the blowback from unwanted media attention as you appear on the front page of every newspaper and online news site for all the wrong reasons. We’re seeing a number of organisations move towards adopting industry standards and frameworks in order to quantify this impact with a notable example being the Factor Analysis of Information Risk Model (FAIR) developed by the FAIR Institute. It’s through the use of these types of models that organisations are able to report through to key stakeholders ‘in their language’ and in a from that helps with making key decisions going forward.
There is hope!
After all the doom and gloom of these costs, it is also positive to note the clear benefit we’re seeing in organisations that deploy proactive security measures. The same 2022 IBM report noted that organisations with fully deployed security AI and automation reduced their average breach cost by 62% on those that didn’t, and companies with a resourced, and regularly tested incident response plan saved an average 63%6. These are just two examples of the type of controls that can be put in place to effectively minimise both the risk of the breach occurring, and overall cost if it were to do so.
Talk to us today about how using Quasar Scan can help lay the foundation for effective data management and sustainable compliance for your organisation.