Industry and Number of Records Can Lead to Costlier Breaches, Per New RiskLens Study

October 19, 2021  RiskLens Staff

Healthcare, information, and financial industries are hardest hit, according to research to help organizations better control cyber event risk costs

RESTON, Va. and SPOKANE, Wash., Oct. 19, 2021 (GLOBE NEWSWIRE) -- When estimating the costs of a data breach, several factors can be independently quantified, including an organization's industry, the source and origin of the threat actor, and the number of records, according to findings in the study, "Estimating Financial Losses From a Data Breach," authored by RiskLens, the leading provider of cyber risk quantification (CRQ) and cyber risk management software and services. These factors can mean higher cyber event risk costs.

RiskLens data scientists found that, in simulated environments, as the number of records in a data breach increases by 10 percent, businesses can expect primary response costs to rise 5.3 percent. The research also found that data breaches caused by external actors are 2.4 times more expensive than those caused by internal actors. The healthcare, information and financial industries are more likely to experience a higher degree of costs to their businesses than other industries.

Study highlights will be shared in a case study session, "Accelerating FAIR Analyses by 10x with Industry Data," Wednesday, Oct. 20, at 1:15 p.m. ET, led by Justin Theriot, senior data scientist, RiskLens, at the virtual FAIR Institute Conference (FAIRCON21).

In 2020, the average cost of a data breach was estimated at $3.86M, while the global cost of cybercrime is expected to reach $10.5T by 2025. RiskLens works closely with its customers to help them quantify and manage risk, while limiting exposure from external and internal sources. The study's findings are combined with proprietary data gathered from RiskLens client engagements and other sources to conduct risk analyses using the FAIR™ standard.

“In the last decade, researchers have focused on developing a model to estimate the financial losses a firm will incur after a data breach. Our research asks whether we can better estimate financial losses incurred after a data breach by aggregating losses into separate categories and modeling them independently,” said Bryan Smith, Head of Data Science, RiskLens. “We have a multi-faceted model enabling the cyber community to better understand the what, where, and why of financial losses incurred after a data breach.”

For this study, the RiskLens team used a data set by insurance data provider Advisen to estimate losses in three categories and to model on independent variables: record count, country, threat access, threat type, data type, and industry.

  • Primary Response Costs (PRC): These are costs associated with managing the data breach by deploying an incident response team, computer security incident response team or other related teams. They are costs that accrue after a data breach.
  • Fines and Judgments (F&J): These costs are fines incurred from a regulatory body, judgments in civil cases, or fees paid based on contractual stipulations.
  • Secondary Response Costs (SRC): This includes a variety of costs related to activities and expenses incurred in dealing with secondary stakeholders, depending on the nature of the data breach.

As an example, as the number of records increases by 10 percent, RiskLens research found, the PRC can be expected to increase by 5.3 percent. The healthcare, information, and finance industries are 1.5, 2, and 2.5 times, respectively, more likely to experience SRC compared to other industries. F&J costs attached to the finance and information industries are 1.9 times higher than in other industries.

The study also found that malicious events incur 1.4 times higher F&J costs than events caused by errors. Data breaches caused by external actors are 2.4 times more expensive than those caused by internal actors.

U.S.-based organizations will see legal fines and judgments that are five times higher in amount than those of non-U.S.-based businesses. But non-U.S. companies are twice as likely to incur F&J at all compared with their U.S. counterparts.
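The findings above describe a two-part picture: some multipliers change how likely a cost category is to be incurred, others change how large it is once incurred, and PRC scales with record count at a constant elasticity. The following is an added worked example, not code from the RiskLens study, that wires the quoted multipliers into such a model; the baseline breach values, the choice to treat "times more likely" as odds ratios, and applying the 2.4x external-actor factor to every category are assumptions made here.

```python
import math

# A 10% increase in records raises PRC by 5.3%; under a constant-elasticity
# model cost ∝ records**beta, so beta = ln(1.053) / ln(1.10) ≈ 0.54.
PRC_ELASTICITY = math.log(1.053) / math.log(1.10)

# Likelihood multipliers from the release, treated here as odds ratios on
# whether a category is incurred at all (assumption).
SRC_ODDS_BY_INDUSTRY = {"healthcare": 1.5, "information": 2.0, "finance": 2.5}
NON_US_FJ_ODDS = 2.0        # non-U.S. firms are 2x as likely to incur F&J
# Cost multipliers from the release, applied to the amount once incurred.
FJ_COST_BY_INDUSTRY = {"information": 1.9, "finance": 1.9}
MALICIOUS_FJ_COST = 1.4     # malicious event vs error, F&J only
US_FJ_COST = 5.0            # U.S. F&J amounts are 5x those of non-U.S. firms
EXTERNAL_ACTOR_COST = 2.4   # external vs internal actor (applied to all categories here)

# Constructed baseline: 100k records, "other" industry, U.S.-based,
# internal actor, error (not malicious). Dollar figures are illustrative only.
BASE = {"records": 100_000, "prc": 250_000.0,
        "fj_prob": 0.10, "fj_cost": 500_000.0,
        "src_prob": 0.20, "src_cost": 300_000.0}


def scale_odds(p, ratio):
    """Return the probability obtained by multiplying the odds p/(1-p) by ratio."""
    odds = p / (1.0 - p) * ratio
    return odds / (1.0 + odds)


def expected_losses(records, industry, us_based, external, malicious, base=BASE):
    """Expected PRC, F&J and SRC (dollars) for one breach scenario."""
    actor = EXTERNAL_ACTOR_COST if external else 1.0
    # PRC: magnitude only, driven by record count.
    prc = base["prc"] * (records / base["records"]) ** PRC_ELASTICITY
    # F&J: likelihood shifts with country; amount shifts with industry, intent, country.
    fj_prob = base["fj_prob"] if us_based else scale_odds(base["fj_prob"], NON_US_FJ_ODDS)
    fj_cost = base["fj_cost"] * FJ_COST_BY_INDUSTRY.get(industry, 1.0)
    fj_cost *= MALICIOUS_FJ_COST if malicious else 1.0
    fj_cost /= 1.0 if us_based else US_FJ_COST
    # SRC: likelihood shifts with industry; amount kept at baseline.
    src_prob = scale_odds(base["src_prob"], SRC_ODDS_BY_INDUSTRY.get(industry, 1.0))
    return {"prc": actor * prc,
            "fj": actor * fj_prob * fj_cost,
            "src": actor * src_prob * base["src_cost"]}


if __name__ == "__main__":
    for scenario in [(100_000, "other", True, False, False),
                     (110_000, "finance", True, True, True)]:
        print(scenario, expected_losses(*scenario))
```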

A summary of the study findings can be found here.

The FAIR Institute, a non-profit professional organization dedicated to advancing the discipline of measuring and managing risk, is holding its virtual 2021 FAIR Conference (FAIRCON21), which brings together thought leaders in cyber and operational risk management to explore best FAIR™ (Factor Analysis of Information Risk) practices that produce greater value and alignment with business goals. The premier global risk management conference, sponsored by RiskLens, is being held Oct. 19-20, and provides groundbreaking keynote addresses, engaging C-suite panels, and expert case study sessions.

Membership to the FAIR Institute is free, and members are eligible for discounted tickets to FAIRCON21. To register for the event, visit:

About RiskLens
RiskLens helps organizations make better cybersecurity and technology investment decisions with software solutions that quantify cyber risk in financial terms. We are the creators of Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, and the Technical Advisor to the FAIR Institute. The RiskLens platform is the only enterprise-scale software-as-a-service (SaaS) application for FAIR analysis. The RiskLens FAIR Enterprise Model (RFEM) creates flexibility to adopt FAIR and build programs, supporting companies at various maturity levels and with different business needs. With capabilities across the risk management process, and a large client base of Fortune 500 businesses, RiskLens is the only company with the expertise to help organizations navigate their most complex and challenging cybersecurity decisions. Visit us at

Media Contact:

Cathy Morley Foster
Eskenzi PR
(925) 708-7893 (cell)