The direct and indirect costs of a cyber attack


According to a study published by Hiscox, the costs of a cyber attack range from 15,000 euros (for the smallest companies) to more than 4 million euros (for the largest structures). Following a cyber attack, these costs can be divided into two categories: direct costs (tip of the iceberg) and indirect costs (submerged part of the iceberg).


Although the direct costs associated with cyber attacks vary, they are most often related to:


  • Technical investigations

This is generally the first direct cost following a cyber attack. It is advisable to call upon a cybersecurity service provider to establish, quickly and precisely, the list of leaked data and the reasons why you were targeted: is it related to gaps in the initial protection of your data?

  • Public relations

This is not a direct financial cost, but as a result of the attack, your organization’s image may be affected. After a cyber attack, transparent communication about the incident is strongly advised. This can sometimes result in indirect financial costs afterwards, such as marketing costs to restore the trust of your customers and investors.

➥ This direct cost, although non-financial, is directly related to the indirect cost “loss of brand value”.

  • Notification of the breach

According to the EU’s General Data Protection Regulation (GDPR), if information and data “likely to result in a high risk to the rights and freedoms of natural persons” have been leaked and compromised, then your organization will find itself under an obligation to notify its customers. Notifying your customers of the intrusion may incur an initial cost, to which may be added the cost of setting up a dedicated phone line to handle questions and complaints.

➥ Notification of the breach, like the cost incurred in public relations, can also have a strong impact on indirect costs related to “loss of customer confidence” and potentially even “loss of customers”, which can translate into “loss of revenue”.

  • Legal and attorney’s fees

After the attack, you or your company will certainly want to file a complaint so that a thorough investigation can be carried out. In this case, it is likely that you will need to hire an attorney, especially if the proceedings lead to arrests and a trial. Depending on the length of the proceedings and the involvement of your attorney, substantial fees will be incurred.

  • Improving protection

A cybersecurity agency such as UBCOM can be particularly helpful in advising you on how to improve your data protection. Various solutions will be proposed to you, and their costs vary according to the effectiveness of the desired protection. At the very least, you will surely wish to encrypt your data, apply stricter control of access to all or part of your data, and train your staff.

  • Securing healthy data

In order to secure healthy data, it will be necessary to carry out more or less complex operations, ranging from changing all passwords and storing new backups to formatting workstations and restoring data. These steps are essential to ensure that data that was not affected by the cyber attack is not in a vulnerable position should a second attack occur.

The direct costs associated with a cyber attack can therefore be considerable. However, they are not the only costs to consider, being only the tip of the iceberg of the total costs associated with a cyber attack. The largest part of the costs is in fact indirect; more complicated to estimate, these costs are mainly related to the loss of customers due to the overall decrease of trust in your company. To avoid this, transparent communication about both the cyber attack and the implementation of new cyber security protocols will help you mitigate the total costs.

As mentioned above, some indirect costs are highly dependent on direct costs (this is especially the case for “loss of customer confidence” or even “loss of customers”, which is strongly linked to “public relations” costs).

Here is the list of the different indirect costs. These are mainly linked to:


  • Tax liabilities

If your company has financing from financial backers, it is very likely that you will see an increase in the cost of debt following the cyber attack. In addition, investors will be more concerned about lending you money in the future, especially if no cybersecurity and cyber-resilience provisions have been made.

  • Consequences of business interruption

Depending on the intensity of the attack you were under, your IT systems may be affected to a greater or lesser extent. This can range from simple disruptions to a halt in activities and the replacement of all equipment. On average, it is possible that your business will be impacted (either not functioning normally or not functioning at all) for 3 to 7 consecutive weeks. This can have a more or less significant influence on your turnover. In order to limit the damage, tools to increase the resilience of your company are to be considered.

  • Decline in customer confidence and loss of customers

The drop in trust and the loss of customers are particularly related to the direct cost of “public relations”. After an attack, your customers will worry about the security of their data within your company. Depending on the leaked data (medical, banking, addresses, etc.), a more or less significant loss of confidence of your customers is to be expected, which may even lead to contract cancellations. Here again, transparent communication will allow you to reassure your customers and investors and limit the loss of turnover.

  • Loss of brand value

Depending on the intensity of the cyber attack, your company’s image will be more or less impacted. If no action is taken afterwards, it will reinforce the idea that your company is not concerned about the security of its digital systems. When selling your business, if it has been the target of repeated cyber attacks, its value will be greatly impacted.

  • Loss of revenue

The “loss of customer confidence” and “loss of customers”, the “loss of brand value” or the “interruption of business” are all elements that will negatively impact your turnover. Faced with this, a downward spiral can quickly set in, which is why it is advisable to communicate with great transparency and to implement all means to avoid a second attack.

  • Increase in insurance

Following the cyber attack, you will undoubtedly want to take all the necessary steps in the following weeks to ensure that you do not suffer any further attacks. While your original insurance will most likely have already increased its premiums, you may want to consider purchasing new cyber insurance. This will incur an additional indirect cost, but will protect you in the event of another attack.

These are the total costs to consider following a cyber attack. But why wait until you are the target of a cyber attack? It is never too early to take all the necessary measures to reinforce the security of your information systems and guarantee your customers optimal protection of their data. Our cybersecurity consulting agency is able to offer you various solutions to meet your needs.
