United States

The real cost of a data breach

Insights on the latest cyber risks and associated damages


Download the full report

For businesses to successfully navigate today's cyber-threats and effectively respond to data security events, understanding the costs associated with a data breach is critical. Incidents at Fortune 500 organizations get significant media coverage, but the reputational and financial impact to small and middle market companies can be even more damaging.

RSM US LLP is a proud sponsor of the eighth annual 2018 NetDiligence® Cyber Claims Study, which provides greater insight into data breaches and associated damages.

The survey details that small companies are more vulnerable to breaches, with nanorevenue companies (less than $50 million) experiencing the majority of incidents (49 percent). That sector was followed by microrevenue companies ($50 million to $300 million) (22 percent) and midmarket and small-revenue companies ($50 million to $2 billion) (14 percent).

Professional services and health care organizations had the most claims, with 22 percent and 15 percent respectively. Retail and financial services were also highly affected, each with 11 percent of claims. However, of the previously mentioned sectors, financial organizations had the highest average total breach cost at $854,000.

“Organizational stakeholders need to understand the potential financial impact of a breach when deciding how much they want to invest in security,” said RSM principal Daimon Geopfert. “With claims impacting organizations with revenue sizes of less than $50M and more than $100B, this study shows that no company is immune to cyber criminals. It is time that organizations accept how valuable their data is to attackers and why it is so important they spend the time and effort necessary to protect that data.”

The 2018 study summarizes NetDiligence's findings from a sampling of 298 cyber claims, of which 92 percent fall into the criminal activity category which includes hacking, ransomware, malware/virus, phishing/business email compromise/social engineering, DDoS attacks, stolen devices, theft of money via wire transfer and banking/ACH fraud. Non-criminal events included things such as staff mistakes, mishandling of records, system glitches or lost laptops. 

In addition, the 2018 study compares findings against the 2017 survey, and also provides aggregate data from the last four years. This information provides a deeper understanding of data breach trends and how organizations can better identify and remediate specific issues.

Additional key study findings include:

  • The number of claims involving breaches from ransomware has increased dramatically (9000 percent) since the study's inception.
  • Critical files were the most frequently exposed data type (23 percent) followed by personally identifiable information (PII) (21 percent), non-card financial (14 percent) and protected health information (PHI) (11 percent).
  • There has been a steady increase in the number of W-2 fraud claims since 2013, most of which can be attributed to business email compromise and phishing.
  • The top four causes of loss with the highest average breach cost were malware/virus, hackers, rogue employees and ransomware. This does exclude a very large breach causes by a system glitch.
  • Smaller organizations (less than $2B in revenue) had an average breach cost of $226,000, while larger organizations (greater than $2B in revenue) had an average cost of $5.2M.

For more information on the survey, download the study and the infographic. To gain insights into protecting your organization against breaches and review the 5 steps to managing cyberrisks.


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.




Active shooter preparedness: Response and recovery planning

  • October 24, 2019


2019 PCI North America Community Meeting

  • September 17, 2019