Canadian Underwriter

Why data breaches are particularly costly for Canadian financial firms


July 26, 2019   by Jason Contant



The average cost of a data breach in the Canadian “financial” industry is US$6.4 million – $2-million higher than the average cost for all other businesses, according to a new report from IBM Security and Ponemon Institute.

The average cost of a breach for all Canadian businesses, US$4.4 million, is about $500,000 higher than the global average of US$3.92 million, said the Cost of a Data Breach 2019 report, released earlier this week. Although it’s not clear why, this overall Canadian cost decreased slightly from US$4.74 million in 2018, while the global average has risen 12% over the past five years.

Canada is the fourth-costliest region for a breach, after the United States, Middle East and Germany. Canada has the third-highest average cost per record at US$187, compared to US$242 for the U.S. and US$193 for Germany.

However, compared to the global average size of a data breach – 25,575 records – Canada's average breach is smaller, at 23,071 records. The time for a Canadian company to identify and contain a breach, at 241 days, is also shorter than the global average of 279 days. Global companies in the study that were able to detect and contain a breach in less than 200 days spent US$1.2 million less on the total cost of a breach.

So why the high cost for data breaches in the financial segment?

Finance is one industry that experiences a much-higher-than-average rate of “abnormal customer turnover” following a breach. Overall, lost business has been the biggest contributor to data breach costs globally for the past five years. The average cost of lost business for organizations in the 2019 study was US$1.42 million, 36% of the total average cost.

Once a breach occurs, the costs don’t end immediately – the “long-tail” costs can be felt for years after the incident. In a longitudinal study of 86 companies, about one-third of costs occurred more than one year after a data breach occurred.

An average of 67% of breach costs came in the first year, 22% accrued in the second year after a breach, and 11% occurred more than two years after. “The long-tail costs of a breach were higher in the second and third years for organizations in highly regulated environments, such as the healthcare and finance industries,” the report said.

Data breaches originating from malicious cyberattacks were not only the most common root cause of a breach (51%), but also the most expensive. Inadvertent breaches from human error and system glitches were still the cause of nearly half (49%) of breaches.

Some of the factors that mitigate the per record cost of a breach include insurance protection, employee training and use of security analytics. “Automation technologies, including artificial intelligence and automation in incident response orchestration, are also major factors that reduce the total cost.”

The annual study was conducted in 16 countries or regions this year and 17 industries, including financial, which involves banking, insurance and investment companies.