Budgeting For A Data Breach
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
It has been said that there are two kinds of systems in this world: Those that have been breached, and those that are going to be breached. If this premise is true, doesn’t it make sense for CIOs to budget for a serious data breach or similar contingency? So why aren’t you doing it?
Certainly the odds of any individual company actually suffering a serious data breach in the coming year are low. But budgeting for a worst-case scenario has advantages even if you do not get breached. It could be that budgeting for a data breach will deliver benefits beyond the planning process itself, including reducing your company’s overall risk and maybe even the probability of your suffering a devastating breach.
As part of PCI compliance, merchants prepare both a risk assessment (Requirement 12.1) and an incident response plan (12.9). Your incident response plan needs to specify things like assigning roles and responsibilities, communications strategy, business recovery procedures and how you will meet legal requirements such as notifying affected consumers. What PCI does not address, however, is any requirement that you actually budget money to pay for implementing the incident response plan.
Based on industry data, you can expect a data breach to cost on average about $6.6 million. This number is not precise and, as they say, “your mileage may vary.” It is only an average. (Note: It helps to keep in mind that 92 percent of all IT statistics are made up.) Nevertheless, the $6.6 million is a reasonable benchmark.
When a breach is discovered, most companies end up pulling money from other areas or simply tossing out the budget and spending what it takes to address the situation. That can mean reducing travel, slashing advertising, forgoing salary increases, scrapping holiday celebrations and/or severely cutting other areas of spending. If nothing else, budgeting for a breach should identify where to find the millions of dollars you are going to need to pay for everything from a forensic investigation to system upgrades, card brand fines and legal costs.
For most retailers, adding $6.6 million to the CIO’s budget will manage to raise the visibility of your company’s risk across the board. Assigning a dollar figure also gives new meaning and, hopefully, visibility to your annual PCI risk assessment, which itself is a positive benefit.
Your plan should be to use your data breach budget to reduce your PCI scope and your overall risk exposure. When other department or division managers understand their operating budgets (or bonuses?) could get slashed to pay for a data breach, they may be more willing to find alternatives to storing all that cardholder data.
If you are successful, you might actually reduce both your risk and your PCI compliance costs. For example, you might stop storing some cardholder data, cut the number of locations where it is stored and/or limit the applications and people that access the data. If you can reduce your PCI scope, you may not need to budget the full $6.6 million. Maybe you could reduce your breach budget to half that amount or even less.
On top of that, you should see a very nice side benefit from your breach budgeting exercise: increased security awareness across the company. There can’t be too many better ways to bring home your security message to the entire enterprise than to put a price tag on each department’s risky processes and behavior.
What if you don’t have a breach? Certainly this situation will arise more often than the alternative (we hope). Don’t congratulate yourself too soon. Keep in mind the two kinds of systems described above, in addition to the fact that just because you were not breached this year does not mean you won’t be a victim next year. You could roll the budget over into the next year or hold it in a contingency account of some kind. (Note: I’m a QSA, not an accountant.) Personally, I would love to see an incentive arrangement where a percent of the unused data breach budget goes back to IT to pay for enhanced security and compliance measures.
Let’s say you are successful beyond your wildest dreams and you eliminate cardholder data entirely. That is, you fully comply with “PCI Requirement 0.” You then would be in the enviable position of starting your next year’s IT budget presentation with: “What I will do with the extra $6.6 million.”
Do you do budget for IT contingencies or data breaches? What has been the reaction? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
April 1st, 2010 at 1:35 pm
Budgets are operational exercises. Breach plans are contingencies. So do you budget for a breach? Not unless you’re forecasting one during the fiscal period. And the whole purpose of having an information security program is to plan to NOT have one (at least that’s how WE do it – your mileage may vary).
Do you PLAN for handling a breach and it’s aftermath, absolutely. Do you vet your plan with simulations an tabletops? Yep. Do you calculate potential costs? Certainly. There are numerous data points on compromise available from credible sources. QSAs however are not one of them. Not even if they’re QFIs.
So do you seriously put forward $6.6 million as a number? Perhaps. If you’ve always secretly wanted your peers to refer to you as Chicken Little. If you’re looking for some way for leadership to perceive you as more hysterical. If credibility is burden with which you’ve never been comfortable. Or If you’re leaving for another job, dislike your employer, and never want to use them for a reference. In that case, $6.6 million is the number for you.
If you like your job, value your career, or have just plain worked hard to esablish your credibility as an Info Sec profesional – try this. Research services can give you a range of approximate per-record costs, which you can use to create worst-, best-, and mid-case scenarios. Your acquirer may be able to supply yhem as wel. Your acquirer can also help you out with the differences between card-present breaches and card-not-present breaches, prohibited data fines, PCI DSS non-compliance fines, and the like. Compromise costs are unique to the company, the industry, and the breach. In the end, if you put a little bit of effort into the exercise using credible sources, you can put together an estimate tailored to your organization using a defensible methodology. Good luck!
April 2nd, 2010 at 12:22 pm
Thanks for your comment, Dave. I think we agree on the importance of having a realistic, practiced incident response plan in place. My point was that a plan without resources is going to be difficult/impractical to implement. Whether the resources are budgeted or specifically identified is less important than the fact that there is some allocation.
As for the $6.6 million number, I noted it is “not precise.” Maybe you missed my following tongue-in-cheek note immediately following that “It helps to keep in mind that 92 percent of all IT statistics are made up.” Perhaps I should have added “…including this one”?
April 2nd, 2010 at 3:33 pm
The PCI Glossary defines a risk analysis as:
“Process that systematically identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure. ”
In that context, unless you have your own personal breach data, quantifying your loss exposure is probably best done with industry standard research data. Whether you use the Forrester numbers, Ponemon numbers, Verizon numbers, or some other formal research data, you should assign a dollar value to your assets and loss exposure. (call it loss potential or loss expectancy or cost of occurrence, whatever you wish)
Your number for catastrophic breach may be $1,000, $1M, $6.6M, or it may be $1B. The point is to define it and use it as input to your risk analysis.
If you’re spending a dollar to protect a dime, you might want to rethink. If you’re spending a dollar to protect a million, you can probably count on losing your million.
Your risk analysis may identify some risks that pose a high likelihood of occurrence or exploit. Without a dollar value on your assets, how do you know what is appropriate to spend on mitigation? Without a proper (and properly budgeted) mitigation strategy to lower the likelihood, budgeting for that breach might, sadly, be appropriate. Grain of salt not included.
April 6th, 2010 at 12:43 pm
Dave’s examples of the InfoSec guy being the butt of jokes and likely being ostracized as a result of budgeting six figures for a breach that may or may not happen is valid, but what about the InfoSec guy at the company that actually got breached? Budgeting or not, if your job is managing security and that security is compromised, I submit that that person should probably start shotgunning resumes ASAP to as many people as possible.
Walt’s point about this budgeting exercise driving more security awareness is excellent. PCI is a proactive exercise, budgeting for a disaster scenario should be a key piece of that planning.
April 28th, 2010 at 11:47 am
Don’t forget the ability to transfer risk via insurance. You can get $5M of coverage for as little as $25,000.
(Editor’s Note: This is a good point, but this commenter happens to work for an insurance broker. It doesn’t make the point any less valid, but wanted to make sure readers have enough information.)
April 29th, 2010 at 1:05 pm
I’ve been around this block. The first commenter (Dave) is correct that budgets are operational exercises. More to the point, budgets are for the purpose of holding managers accountable and limiting their spending authority. Budgets work well for planned spending, but not so well for contingencies.
Dave #2 is also correct that whole reason for insurance is to fund contingencies. You can budget for the insurance premium, as opposed to having to estimate the value of the contingency.
Ultimately, however, the real question is, do you have access to the CASH needed to cover the cost of the breach? Whether budgeted or not, you will need sufficient cash… this is where your treasurer comes in. You can plan to get contingency cash from retained earnings (i.e. you have the money in the bank), a line of credit, an insurance policy, additional investor capital, or whatever other method is available to your firm. The point is, unless you have a plan for where that CASH is going to come from, and some idea of how much you might need, you have not completed your contingency planning.
And yes, I do work in corporate risk management.