How much does a data breach cost? One independent study estimated that, on average, the cost to an organization of a data breach in the U.S. was $7.35 million in 2017. But recent financial disclosures from Equifax Inc. show how those numbers can spiral when a worst-case scenario comes to pass.
In its recently-filed 10-Q, Equifax disclosed that in 2017 it spent $163.1 million related to the data breach that exposed the personal data, including social security numbers and birthdates, of more than 145 million U.S. consumers. That figure includes the legal and remediation costs Equifax has already incurred, as well as $50.7 million to offer free credit and identity theft monitoring to U.S. consumers. Equifax has $125 million in cybersecurity insurance coverage, and collected $50 million of that amount to cover a portion of its 2017 costs. Not surprisingly, the company also disclosed (in its most recent 10-K) that it expects insurance coverage to be inadequate to cover the full cost of the massive breach.
And that $113 million in data breach costs had a significant effect on Equifax’s net income. In the three-month period ending March 31, 2017, before the breach occurred, net income for Equifax was $153.3 million. For the same period in 2018, it was $90.9 million. One of the primary causes of that 40% difference is “costs related to the cybersecurity incident.”
As the securities filing makes clear, though, the 2017 breach-related spend is only the tip of the proverbial iceberg: Equifax expects to incur “significant” costs in the future, including legal and professional costs, increased investments in IT and security, and “increased costs for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements.” The company expressly acknowledged that the cybersecurity incident would negatively impact revenue going forward.
Buried in the financial statements are hints of the many ways the data breach is costing Equifax. First, there is the massive cost of defending against lawsuits and government investigations—and that’s even before the possibility of judgments or fines against Equifax, which the company states are “reasonably possible.” It notes that the “ultimate amount” paid out on claims and investigations “could be material to the Company’s consolidated financial conditions, results of operations, or cash flows in future periods.”
What’s more, the cost of providing Equifax’s services increased by $42 million—nearly 15%—for the first quarter of 2018 compared to the same period last year (from $300.8 million to $342.8 million). That increase is partly attributable to costs related to the cybersecurity incident. Selling, general and administrative expenses increased too, from $241.5 million in Q1 2017 to $300.5 million in Q1 2018. And there are other costs as well. Because of the breach, Equifax stopped advertising to consumers beginning in 2017, and will not advertise its products in the first half of 2018, either. That led to a decrease in direct revenue in 2017 that will continue to 2018.
Equifax’s breach costs are already shaping up to exceed those of other public companies hit by hackers. Target Corporation, for example, suffered a data breach toward the end of 2013 that exposed 40 million customers’ payment information to intruders, and names, addresses, and phone numbers for up to 70 million customers. In the following year, Target incurred $191 million of related expenses, and expected $46 million in insurance proceeds, for a net cost of $145 million. In 2015, Target recorded another $39 million in net expenses related to the data breach. Not until 2016—more than two years after the breach—did Target's costs finally drop below the level requiring disclosure to investors.
Not every company treats its cybersecurity costs as a negative. Following a 2014 cyberattack at JPMorgan Chase that compromised the data of 76 million households and 7 million small businesses, JPMorgan listed its $250 million spend on cyber protection as a “highlight and accomplishment” in its annual report.