The average direct cost of a serious cybersecurity incident increased by 11% year-on-year to reach $1.7m in 2023, according to consulting firm S-RM.
The firm polled 600 C-suite and IT budget holders from US and UK organizations with revenues over $500m to produce its 2023 Cybersecurity Insights Report.
The most common incident types were fraud, third-party compromise and data exfiltration, although these varied by sector. The larger the organization, the greater the risk of data exfiltration and ransomware, the study found.
The top contributors to incident costs were increased insurance premiums (37%), operational downtime (36%) and recovery/response costs (32%).
Read more on data breach costs: Data Breach Costs Hit Record High but Fall For Some
The average of $1.7m also rose significantly to $2.7m per incident for organizations without cyber insurance, S-RM claimed.
“For many organizations, cyber insurance has far exceeded being just a ‘nice to have’, and our most recent data shows exactly why it is so essential to be properly insured against cyber-incidents and data breaches,” said S-RM’s head of cybersecurity in the Americas, Paul Caron.
“Premiums may be rising, but without adequate insurance the regulatory, reputational and downtime risks are far higher – businesses must take note.”
Worryingly, the top two cybersecurity challenges cited by respondents were hybrid working and a “lack of understanding around cyber trends and threats” (both 38%). In third place came “lack of internal training” on how to spot threats.
While incident costs are on the up, budgets for cybersecurity only rose by 3% to an average of $26.8m in 2023, according to the report.
Next year they’re predicted to rise by a more healthy 8%, although in prior years the actual increase has been significantly less than that predicted. Retail (28%), telecoms (27%) and pharmaceuticals (27%) firms allocated the largest share of IT budget to cyber in 2023.