This is how much data breaches cost lenders this year

Businesses spent even more money on data breaches in the past year than they had previously, but some victims found sizable savings through responsible measures.

Financial companies spent $6.08 million on average to respond to incidents, compared to $5.9 million last year, according to IBM's Cost of a Data Breach Report published this week. The detailed publication analyzed research by the Ponemon Institute for 604 impacted firms across the economy between March 2023 and this past February. 

The analysis sheds light on what expenses impacted mortgage companies could be paying following attacks that have recently affected millions of borrowers. Most lenders are tight-lipped about the hacks they suffered, let alone how much they've cost, although some publicly traded players revealed major hits.

Loandepot in a recent disclosure revealed $68.5 million in expenses in the first half of this year related to its massive January hack. That amount includes a large payment earmarked for class action litigation. The lender and servicer said that number was offset by $15 million this year in cyber insurance reimbursements.

IBM found expenses for "mega breaches" affecting between 1 million to 10 million records costing on average $42 million, while hacks impacting between 10 million and 20 million records cost firms on average $173 million. 

The price tags for data breaches are lofty. The average cost of a cyberattack at a U.S.-based firm was $9.36 million in the past year, while for all affected organizations globally expenses averaged $4.88 million, a 10% annual increase.

Among affected businesses surveyed, 63% said they're passing data breach costs onto consumers, more than the 57% that said they did last year.

"Having customers absorb these costs can be problematic in a competitive market already facing pricing pressures from inflation," the IBM report read.

Mitigating factors
Across all hacks, the price of sensitive data is up; employee and consumer personal identifying information cost $189 and $179 per record this past year, respectively. Overall average expenses rose because of greater lost business costs, such as operational downtime and lost consumers, and costlier post-breach responses such as increased staffing and regulatory fines, IBM said. 

Impacted companies using artificial intelligence in security functions spent on average $2.2 million less than their peers who didn't use such technologies. AI has made it easier for criminals to create and launch attacks at scale, IBM said, but it also has empowered security staff with new tools for identifying and responding to threats. 

Companies who didn't report "severe security staffing shortages" meanwhile saved on average $1.76 million on breach response. That security skills gap increased by double digits from 2022 to 2023, IBM said. 

Businesses which contacted law enforcement regarding hacks also saved $1 million on average compared to organizations which did not. Just over half of companies hit by ransomware attacks told IBM they notified law enforcement, and 63% of those firms ended up not paying cybercriminals.

The report ranks employee training, and AI and machine learning-driven insights as the top factors reducing average data breach costs. A complicated security system was the top factor which increased expenses, the report said, followed by security staffing shortages and third-party incidents. 

Lingering expenses
Just 12% or organizations said they've fully recovered from cyberattacks, a process IBM said usually takes longer than 100 days. A full recovery is defined as business operations back to normal in affected areas; a firm meeting compliance requirements; putting new controls in place; and restoring customer and employee confidence.

Loandepot has yet to formally settle a pending data breach complaint but said in its recent earnings filings the hack affecting nearly 17 million borrowers won't have a material impact on its full year financial results. 

Mr. Cooper, which suffered an attack leaking the Social Security numbers of 14.7 million customers last October, has incurred at least $27 million related to the incident, it said this year. It's still facing a consolidated class action complaint from impacted customers in a Texas federal court.

While some companies fight prolonged litigation, others have quietly put such cases behind them. 

A federal judge in June granted preliminary approval for a $6 million settlement between consumers and Overby-Seawell, a vendor for KeyBank and Fulton Bank, which was hacked in 2022. Planet Home Lending in May also received preliminary approval for a $2.42 million settlement with consumers over a data breach which occurred late last year.