Businesses underestimate the cost of a cyber attack

01 August 2017

Businesses and public sector organisations are underestimating the long-term cost of a cyber attack, including reputational damage and legal and regulatory actions, according to a study published by Lloyd’s.

The immediate impact of a data breach can be significant, but may only be the “tip of the iceberg” when it comes to dealing with the legal and regulatory consequences, according to the report Closing the gap – insuring your business against evolving cyber threats.

Organisations tend to take a “short sighted” view of cyber risk and fail to factor in the long-term cost implications of a data breach. When added to the immediate costs, ‘slow-burn’ costs can dramatically increase the final bill, according to Lloyd’s.

They include the long-term business impact and costs incurred by reimbursing victims. Regulatory investigations can take more than a year to conclude while litigation can take even longer. In one UK data protection case, it took three years before the litigation was finally settled.

Real examples

Lloyd’s demonstrates the importance of long-term costs through two real data breach examples: Target and TalkTalk.

In the case of the 2013 malware attack against US retailer Target, the immediate costs were USD 60 million while the long-term costs were more than USD 219 million. The slow-bur n costs included a USD 100 million system upgrade to install chip-and-pin readers at its stores, USD 5 million in customer education and awareness activities and the costs of fighting more than 140 legal actions (Target has so far settled litigation worth USD 96 million).

The 2015 TalkTalk data breach resulted in immediate costs of USD 52 million (30% of the company’s annual profits) while the slow-burn costs amounted to USD 44 million. TalkTalk suffered a 10% fall in its share price and increased customer churn following the data breach, losing 90,000 broadband customers. It also incurred a regulatory fine of USD 496,000, the highest penalty levied by the UK’s Information Commissioner at that time.

Plan ahead

Lloyd’s concludes that organisations need to be aware of the full costs of a cyber-attack, in particular, the potential slow-burn costs, such as the loss of competitive advantage and customer churn.

It also urges businesses to plan ahead. Evidence shows that a swift reaction to mitigate the impacts of a data breach will minimise the immediate costs, and potentially reduce the exposure to subsequent slow-burn costs, including reputational damage and loss of competitive edge.

Download Cyber Decoder 

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on



Find out more

Read our Cyber Risks & Insurance Insights

Read more

Receive our monthly cyber risk newsletter