Where the money actually goes
Detection is only 29%. Here is the other 71%.
IBM's 2025 four-category model: lost business (38%), detection & escalation (29%), post-breach response (27%), notification (6%). Plus the 5-year cost tail, the hidden costs most companies miss, and a deep dive on legal exposure.
Lost business: 38% (largest category)
Detection: 29% (forensics & investigation)
Post-breach: 27% (legal, monitoring, help desk)
Notification: 6% (letters, filings, call centre)
Section 10.1 / IBM's four cost categories
The standard breakdown
At the $4.44M global average, each percentage point represents roughly $44,400. The 38% lost business category alone accounts for ~$1.69M in customer churn, revenue loss during downtime, and reputation damage.
| Category | Share | Includes |
|---|---|---|
| Lost business | 38% | Customer churn, revenue loss, reputation damage, system downtime |
| Detection & escalation | 29% | Forensic investigation, assessment, audit services, crisis management |
| Post-breach response | 27% | Help desk, credit monitoring, identity protection, legal, regulatory |
| Notification | 6% | Letters, emails, regulatory filings, call centre setup |
Primary source: IBM Cost of a Data Breach Report 2025.
Section 10.2 / The 5-year cost tail
Only 53% of cost is in year one
Nearly half of breach costs emerge in years 2-5, driven by litigation, regulatory proceedings, customer churn, and the compounding effects of reputation damage. Annual security budgets and insurance policies must account for ongoing costs, not just the immediate incident.
Year one: immediate response, forensics, notification
Years 2-5: ongoing litigation, continued customer churn, class-action settlements, long-term brand damage
Case study / Equifax 2017 - 2025
Equifax's 2017 breach is the clearest illustration of the multi-year cost tail. The initial breach exposed 147 million records through an unpatched Apache Struts vulnerability. Year-one costs included forensic investigation, system remediation, and initial notification (over $200M). Year two brought the $700M FTC settlement plus the start of class-action litigation. Years 3-5 saw continued litigation costs, mandatory security investments imposed by regulators, ongoing credit monitoring for affected individuals, and compliance remediation. By 2025, eight years after the breach, Equifax had spent over $1.4 billion and was still accruing costs from regulatory compliance requirements. The breach also triggered CISO and CIO resignations, a 35% stock-price decline, and permanent reputational impact that affected new-customer acquisition for years.
Primary source: Equifax 10-K SEC filings 2017-2024; FTC consent order, 2019.
Section 10.3 / Hidden costs
What IBM's four categories miss
IBM captures direct, measurable expenses. Many significant costs fall outside the four categories or are difficult to quantify. These hidden costs often represent the difference between a manageable incident and an existential threat, yet they are rarely included in breach-cost calculators or insurance policies.
Executive turnover
40% of CISOs replaced within 12 months
Major breaches trigger executive accountability. Equifax, Target, 23andMe, and Optus all saw C-suite departures. Replacing a CISO costs $500K-$1M in recruitment, and the accompanying loss of institutional knowledge is incalculable. CIO and CEO positions are increasingly at risk: Target's CEO was forced out, and 23andMe's entire board resigned. The career-risk effect also weighs on security-team morale and retention across the organization.
Insurance premium increases
50-200% increase after a breach
Cyber-insurance premiums typically increase 50-200% at the next renewal following a breach, and some carriers decline to renew entirely. The increased cost persists 3-5 years and adds hundreds of thousands to millions of dollars in annual expense. Many organizations discover their coverage was inadequate only after a breach: sub-limits, exclusions for nation-state attacks, and ransomware-specific carve-outs leave gaps.
Audit & compliance overhead
3-5 years of elevated scrutiny
Post-breach, organizations face increased audit requirements from regulators, payment card networks (PCI DSS Level 1 mandate), and business partners. SOC 2 audits become more rigorous, regulatory examinations become more frequent, and business partners may require additional security attestations. This scrutiny persists 3-5 years and adds $200K-$500K annually to compliance budgets.
Opportunity cost
Security team diverted 6-12 months
When a breach occurs, the security team (and much of IT) pivots to incident response, forensics, remediation, and regulatory compliance. This diverts resources from planned security improvements, product development, and business initiatives. A 6-12 month diversion of a 10-person security team represents $1M-$2M in redirected labour, plus the cost of delayed projects.
Board & investor confidence
Average 7.5% stock drop within 3 months
Beyond the measurable stock-price impact, breaches erode board and investor confidence in management. Governance changes follow: increased board oversight, mandatory security committees, and pressure for management changes. For private companies, breaches reduce valuation in funding rounds or M&A: Yahoo's acquisition price was reduced by $350M.
Recruitment difficulty
20-30% salary premium for talent
Security professionals are in high demand. Organizations that have experienced high-profile breaches report increased difficulty recruiting security talent and often need to offer 20-30% salary premiums. The recruitment challenge persists 2-3 years post-breach and hampers the organization's ability to improve its security posture.
Contract / vendor relationship damage
Enterprise clients may terminate after a breach
Enterprise customers increasingly include security-breach clauses in contracts that allow termination following a vendor breach. Losing a few enterprise clients can represent millions in annual recurring revenue. Existing clients may demand enhanced security audits, penetration-testing results, and contractual security warranties, adding ongoing compliance costs to every business relationship.
Section 10.4 / Stock-price impact
Average 7.5% drop within 3 months
Public companies experience an average 7.5% stock-price decline within three months of a major breach disclosure. The impact varies enormously based on breach severity, response-communication quality, and existing market position. Companies that respond transparently and demonstrate clear remediation plans recover faster than those that minimize the incident.
| Company | Stock drop | Recovery | Total cost | Primary source |
|---|---|---|---|---|
| Equifax (2017) | -35% | 18 months to pre-breach levels | $1.4B+ | Equifax 10-K SEC filings 2017-2018; market data Bloomberg. |
| Target (2013) | -10% | 6 months | $292M | Target 10-K SEC filing FY2013-2014; market data S&P Capital IQ. |
| SolarWinds (2020) | -25% | 12 months | $100M+ | SolarWinds 10-K SEC filings 2020-2021; SEC enforcement complaint. |
| Capital One (2019) | -7% | 4 months | $300M+ | Capital One 10-Q SEC filings; OCC consent order. |
| Marriott (2018) | -6% | 3 months | $350M+ | Marriott 10-K SEC filing 2018-2019; ICO Penalty Notice. |
Section 10.5 / Legal cost deep dive
From $50K to $700M+
Legal costs are the most unpredictable component of breach cost. Class-action settlements, regulatory defence, government investigations, and ongoing compliance obligations accumulate over years. Understanding these components helps organizations evaluate insurance-coverage adequacy and set appropriate legal reserves.
Class-action settlements. Nearly every breach affecting more than 100,000 individuals in the US triggers class action lawsuits. Average settlements for mega-breaches range from $30 million to $150 million, with outliers like T-Mobile ($350M) and Equifax ($700M FTC settlement plus additional litigation). Class-action defence costs $2-$10M in legal fees even before settlement, and cases typically take 2-4 years to resolve. The emergence of statutory-damages provisions in CCPA ($100-$750 per consumer per incident) and BIPA ($1,000-$5,000 per violation) creates even larger exposure.
Attorney fees. Breach-response attorneys specialising in cybersecurity law charge $300-$1,000 per hour. A typical breach-response engagement requires 500-2,000 attorney hours over 6-18 months, covering incident assessment, regulatory-notification strategy, regulatory defence, litigation management, and insurance-claims coordination. Total legal fees for a mid-market breach typically range from $150K-$2M; mega-breaches generate $10M+ in legal fees before any settlements or judgments.
Settlement vs trial economics. The vast majority of breach lawsuits settle rather than go to trial because both sides face uncertainty and trial costs. Defendants prefer settlement to avoid unpredictable jury verdicts and to control timing and publicity. Plaintiffs prefer settlement for the certainty of recovery. Settlement negotiations typically begin 6-18 months after the breach and may take an additional 6-12 months to finalise.
Primary source: SEC 10-K and 10-Q filings; FTC consent orders; ICO Penalty Notices; AG settlements; court filings. Last verified April 2026.