Tech & Sourcing @ Morgan Lewis


In our June 2021 blog post, Study Analyzes Costs of a Data Breach, we discussed the Ponemon Institute’s report setting forth a vast dataset that analyzed data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. With the calendar turning to 2023, this blog looks at the increased costs of data breaches in 2022 to anticipate how negotiations for liability caps of such breaches may evolve in the new year.

The key findings of the report include:

  • Reaching an all-time high, the average cost of a data breach globally was $4.35 million in 2022, representing a 2.6% increase from 2021, when the average cost was $4.24 million.
  • For the 12th year in a row, the United States led all countries and regions globally with an average cost per data breach of $9.44 million in 2022, representing a 4.3% increase from 2021, when the average cost of a breach in the United States was $9.05 million.
  • The remaining countries and regions in the global top five for average cost of a data breach were the Middle East at $7.46 million, Canada at $5.64 million, the United Kingdom at $5.05 million and Germany at $4.85 million.
  • The industry with the highest average cost of a data breach continued to be healthcare, where costs climbed to an average of $10.10 million, nearly $1 million above 2021. The financial industry came in second with an average cost of $5.97 million per breach.
  • The use of stolen or compromised credentials remained the most common initial attack vector, accounting for 19% of all breaches. Breaches caused by stolen or compromised credentials had an average cost of $4.50 million. Such breaches also had the longest lifecycle, taking an average of 243 days to identify and another 84 days to contain.
  • The share of breaches caused by ransomware grew by 41% from 2021, but the average cost of a ransomware attack decreased slightly, from $4.62 million in 2021 to $4.54 million in 2022. Note that this figure, as reported, excludes the cost of the ransom payment itself.
  • As remote work continued to be a reality for many organizations in 2022, it also created greater risk exposure: the average cost of a data breach was almost $1 million higher when remote work was a factor in the breach.
  • In 2022, it took an average of 207 days to identify a data breach and an additional 70 days to contain it, a total lifecycle of 277 days and a decrease of 10 days from 2021. Data breaches with lifecycles of less than 200 days cost an average of $3.74 million, while data breaches with lifecycles of more than 200 days cost an average of $4.86 million.

As the costs associated with data breaches continue to be a focus of many services agreements in 2023, reports such as the Ponemon Institute's provide the information needed to negotiate liability caps that appropriately reflect the risks associated with the data being exchanged.

Read the full report.