AI can save millions of dollars, time in data breach response: IBM

Companies using artificial intelligence in cybersecurity respond to data breaches faster and save over $1 million in incident responses compared to firms that don't use AI, IBM reports.

Hacks cost financial firms on average $5.9 million in 2023, according to the tech giant's new Cost of a Data Breach Report. The average global cost of a data breach was $4.45 million, an all-time high and slight increase from last year's $4.35 million mark. 

The research, conducted by the Ponemon Institute and analyzed by IBM, polled 553 organizations worldwide which suffered cyber attacks between March 2022 and March 2023. It's unclear if any of the 67 U.S. companies surveyed were real estate organizations. The industry however was hammered with attacks over the same period. 

Cybersecurity utilizing AI saved firms on average $1.76 million in incident responses compared to businesses that didn't, the report found. The tech-savvy firms also contained breaches 108 days sooner than their non-AI counterparts.

"Examples include the use of AI, machine learning, automation and orchestration to augment or replace human intervention in detection and investigation of threats as well as the response and containment process," the report said. 

Only 28% of firms surveyed said they extensively use AI and automation security tools in cybersecurity, while 40% rely solely on manual inputs. Although the mortgage industry has slowly embraced tech solutions, an Arizent survey last year found lenders lagging behind their financial services peers in deploying AI and machine learning in cybersecurity. 

Lenders, servicers and other real estate players have suffered attacks impacting as little as a few hundred customers to millions of consumers in the past two years. While some firms have yet to acknowledge widely-reported attacks, others are facing class-action lawsuits from borrowers whose personally identifiable information was compromised. 

Mortgage firms have been quick to identify hacks, discovering them typically within days, according to public disclosures. In a more severe lapse, a servicer in late 2021 didn't identify a breach for 41 days before investigating. Those known response times are far quicker than IBM's reported average of 204 days for companies to identify a breach and 73 days to contain it. 

Among the average damages for firms worldwide were lost business costs, which respondents put at an average of $1.3 million per firm in 2023. Those expenses include lost customers and revenue, and the cost of acquiring new clients. Audits, investigations and crisis management totalled on average $1.58 million. 

Notification costs to consumers, regulators and other third parties averaged $370,000, according to the report. The 37% of businesses surveyed that didn't notify law enforcement of attacks paid on average $470,000 more than those who did. 

The overall costs don't include ransoms paid. The FBI warns victims not to pay hackers to further enable them.

Ransomware accounted for nearly 25% of all attacks, followed by phishing at 16% and compromised access credentials at 15%, the report found. Only a third of breaches were identified by a firm's own security team or tools, a lapse that could add an additional $1 million to a data breach. 

The report highlights the benefits of firms which use a managed security service provider, a vendor that provides around-the-clock monitoring. Companies using a security partner cut breach lifecycles by 21%. 

Mortgage companies in the past year have also been forced to reconcile soaring cybersecurity and cyber insurance costs with fading revenues. In the past three months alone, lenders have grappled with a ransomware gang, suffered wide-ranging cyber attacks and paid a seven-figure settlement to resolve the fallout of a data breach.