Data breaches are becoming increasingly costly for businesses, especially for financial institutions. In the past year, the expenses tied to cyberattacks have surged, leaving lenders grappling with significant financial impacts. However, some companies are finding ways to mitigate these costs through proactive measures and advanced technologies. Here’s a closer look at the financial toll of data breaches and what lenders are doing to protect themselves.

Soaring Costs: The Growing Price of Data Breaches

In the past year, financial companies have seen the cost of data breaches rise dramatically. According to IBM's latest Cost of a Data Breach Report, the average expense for financial firms has reached $6.08 million per incident, up from $5.9 million the previous year. This increase highlights the growing financial burden on businesses as they respond to cyberattacks.

The report, based on research from the Ponemon Institute, analyzed data from 604 impacted firms across various industries between March 2023 and February 2024. The findings offer a glimpse into the significant expenses that mortgage companies and other financial institutions face following data breaches that have affected millions of borrowers.

High-Profile Incidents: The Lenders Paying the Most

Some of the largest financial institutions have disclosed substantial costs related to recent data breaches. For instance, Loandepot, in a recent disclosure, revealed that it incurred $68.5 million in expenses during the first half of this year due to a massive hack in January. This figure includes a large sum earmarked for class action litigation. Fortunately, the lender was able to offset some of these costs with $15 million in cyber insurance reimbursements.

The financial impact of "mega breaches" is even more staggering. According to IBM, breaches affecting between 1 million to 10 million records cost firms an average of $42 million, while those impacting between 10 million and 20 million records can cost up to $173 million.

Mitigating Factors: How Companies Are Reducing Breach Costs

While the costs of data breaches are rising, some companies are finding ways to reduce their financial exposure. IBM’s report highlights several key factors that can help lower the costs of a breach.

• Artificial Intelligence (AI) in Security: Companies that utilize AI in their security functions spent, on average, $2.2 million less on breach response compared to those that did not use such technologies. AI has proven to be a double-edged sword—it enables criminals to launch more sophisticated attacks but also empowers security teams to identify and respond to threats more effectively.
• Security Staffing: Firms that did not report severe security staffing shortages saved an average of $1.76 million on breach response. However, the report notes that the security skills gap has widened, increasing by double digits from 2022 to 2023.
• Law Enforcement Collaboration: Businesses that contacted law enforcement during a breach saved an average of $1 million compared to those that did not. Additionally, 63% of firms that notified law enforcement during ransomware attacks ended up not paying the attackers.

Employee training, AI-driven insights, and collaboration with law enforcement are among the top strategies for reducing the financial impact of data breaches. However, the report also identifies factors that increase costs, such as complicated security systems, staffing shortages, and third-party incidents.

Lingering Expenses: The Long Road to Recovery

Recovering from a data breach is a lengthy and costly process. According to IBM, only 12% of organizations reported fully recovering from a cyberattack, with the process often taking more than 100 days. Full recovery involves restoring business operations, meeting compliance requirements, implementing new security controls, and rebuilding customer and employee confidence.

For example, Loandepot has yet to settle a pending data breach complaint but stated that the January hack, which affected nearly 17 million borrowers, is not expected to have a material impact on its full-year financial results. Similarly, Mr. Cooper, which suffered an attack last October that leaked the Social Security numbers of 14.7 million customers, has incurred at least $27 million in related expenses and continues to face litigation.

Legal Battles: Settling the Cost of Cyberattacks

As some companies continue to battle litigation, others have quietly resolved their cases. In June, a federal judge granted preliminary approval for a $6 million settlement between consumers and Overby-Seawell, a vendor for KeyBank and Fulton Bank that was hacked in 2022. Similarly, Planet Home Lending received preliminary approval in May for a $2.42 million settlement with consumers over a data breach that occurred late last year.

The Ongoing Challenge of Cybersecurity

The rising costs of data breaches underscore the critical need for robust cybersecurity measures. As financial institutions continue to face increasing threats, investing in advanced technologies, employee training, and collaboration with law enforcement can help mitigate the financial impact of cyberattacks. However, with the potential for significant expenses and prolonged recovery times, lenders must remain vigilant and proactive in their cybersecurity efforts.