The good news: the answer to “how much does a data breach cost?” came down in 2025 for the first time in five years, according to IBM’s Cost of a Data Breach Report 2025. The global average dropped to $4.44 million, a 9% decline from the year prior, driven largely by faster detection powered by AI security tools.
The bad news: if you are in the United States, costs hit a record $10.22 million, the highest ever recorded for any country in the study’s history. Healthcare averaged $7.42 million; financial services $5.56 million. The global average is a useful headline. It is not your number.
And none of those averages account for how much a data breach costs when litigation follows, when regulators investigate, or when your cyber insurance carrier decides your controls were inadequate. When revenue forecasts are missed. When reputation damage turns from a “soft cost” into bottom-line impact that can persist for years. The final number is not a statistic. It is a line item on a legal settlement.
What the Headline Number Actually Includes
The IBM figure is a composite. It includes detection and escalation costs, notification costs, post-breach response, and lost business. Most organizations focus on the first three and underestimate the rest.
Lost business is where the compounding starts. Customers who leave. Contracts that do not renew. Partners who quietly distance themselves while the investigation is still open. These costs do not show up on an incident response invoice; they start to show up in the next four quarters of revenue. The 2025 IBM report found that 76% of organizations took more than 100 days to fully recover from a breach. That is not an IT timeline. That is a business disruption timeline.
Shadow AI is now an explicit cost factor. IBM found that breaches involving unauthorized AI tools used by employees added an average of $670,000 to breach costs, and those incidents had longer lifecycles and higher rates of customer PII exposure. If your organization has employees using unapproved AI tools (and most do), that risk is already inside your perimeter.
Then there is the regulatory layer. GDPR penalties alone reached €1.2 billion in 2024. HIPAA fines scale by violation tier and can reach up to $2.1 million per category annually. State attorneys general are increasingly active. The regulatory cost of a breach is not theoretical; it is the next invoice that arrives after the first one is paid.
And then the lawyers arrive.
The Liability Layer Most Leaders Are Not Modeling
Class action litigation following a data breach is no longer a low-probability outcome. Conduent’s breach of 10.5 million records generated nine federal class action lawsuits and state regulatory investigations across multiple jurisdictions, all stemming from a single architectural gap: data that had to be decrypted during processing. The full analysis is in The Conduent Breach: How Did ‘Industry Standard’ Security Fail 10.5M People?
The emerging legal standard is no longer whether you had encryption. It is whether you had encryption that covered data during active use. Courts are beginning to distinguish between organizations that encrypted data at rest and in transit (the current industry standard) and those that maintained encryption while data was being processed. That distinction is becoming a liability question.
Your legal counsel should be asking this question now, not after a breach notice goes out.
What Happens After a Data Breach: The Timeline No One Wants
The average breach takes 241 days to identify and contain according to the 2025 IBM report, a nine-year low and a genuine improvement. But 241 days is still eight months during which your organization is simultaneously managing an active incident, notifying affected parties, responding to regulators, and fielding plaintiff counsel.
The first 72 hours are notification obligations. Most jurisdictions require breach notification within three days of confirmed discovery; GDPR requires 72 hours from awareness, regardless of whether the investigation is complete. Notifying before you fully understand the scope creates its own legal risk. Notifying late creates a different one.
The next 30 days are forensic investigation, customer support infrastructure (credit monitoring services, call centers, identity protection enrollment), and the beginning of regulatory correspondence. These costs alone routinely exceed $1 million before any litigation is filed.
The months that follow are where the compounding happens. Insurance claims. Discovery requests. Board-level scrutiny. Executive testimony. The breach that felt contained at day 30 is still generating costs at month 18.
How to Reduce Cyber Insurance Premiums: What Underwriters Are Asking
Cyber insurance premiums have increased as carriers have repriced breach risk based on actual claims data. What underwriters are asking now is more specific than it was three years ago.
The standard questions around MFA, patch management, and endpoint protection are table stakes; necessary but no longer differentiating. The questions that are beginning to shift premium calculations are about data-in-use protection: whether sensitive data is encrypted not just at rest and in transit, but while applications are actively processing it.
Organizations that can demonstrate continuous encryption (data that remains encrypted during active use, not just during storage and transmission) are presenting a materially different risk profile. Stolen data that cannot be decrypted is not a breach in the meaningful sense. There is nothing to ransom, nothing to sell, nothing to expose.
The cost calculus is straightforward. As Red Hat’s $100M Cyber Breach Problem Is Likely Yours Too makes clear, the cost of a significant breach is not a risk to model in a spreadsheet; it is an existential event for most organizations. The investment in prevention is not an IT budget line. It is balance sheet protection.
What Actually Reduces the Cost of a Data Breach
IBM’s 2025 data is consistent with prior years on this point: organizations that deploy AI and automation extensively in security operations saved an average of $1.9 million per breach and reduced their breach lifecycle by 80 days compared to those that did not. Detection speed matters; every day of breach lifecycle is a day of compounding cost.
But detection speed addresses what happens after an attacker is already inside. The more fundamental question is what they find when they get there.
Continuous encryption changes the breach economics at the source. If data remains encrypted during active processing, an attacker who successfully breaches the perimeter (and breaches will happen) extracts nothing usable. No ransom demand has leverage. No notification is legally required. No class action plaintiff has damages to allege. As we covered in Perimeter Security Is Not Enough, the perimeter is not the last line of defense. The data layer is.
The architecture that changes those economics exists today. Donoma Seshat is a continuous encryption platform built to solve these challenges. It operates at the data layer, keeps data encrypted during active processing, and integrates at the application level without requiring changes to your existing infrastructure.
The technology is ready. The business case is clear. The time for action is now.
If you want to understand what the breach cost picture looks like for your specific organization and industry, and what architecture actually moves the risk profile, book a solution briefing with the Donoma team.
Frequently Asked Questions
How much does a data breach cost on average?
The global average cost fell to $4.44 million in 2025, the first decline in five years, down 9% from $4.88 million in 2024, according to IBM and the Ponemon Institute. That improvement is real; it is driven by faster AI-powered detection. However, U.S. organizations averaged a record $10.22 million, the highest figure ever recorded for any country in the study’s history. Healthcare averaged $7.42 million; financial services $5.56 million.
What are the biggest cost drivers in a data breach?
Lost business is consistently the largest single category: customer attrition, contract losses, and reputational damage that plays out over multiple quarters. Post-breach response costs (notification, credit monitoring, call centers) are significant but finite. Litigation and regulatory fines are the most unpredictable: a single class action settlement can exceed all other breach costs combined.
What is data breach liability and how is it determined?
Data breach liability is the legal exposure an organization faces when a breach results in harm to individuals or other organizations. Courts evaluate whether the organization implemented reasonable security measures. That standard is evolving; “industry standard” encryption that only protects data at rest and in transit is increasingly insufficient as a defense when breaches occur during active data processing.
How to reduce cyber insurance premiums after a breach or at renewal?
Underwriters are increasingly asking about data-in-use protection, not just encryption at rest and in transit. Organizations that can demonstrate continuous encryption during active processing present a materially lower risk profile. Detection and response capabilities, incident response planning, and MFA remain baseline requirements. The differentiating factor at renewal is increasingly the data layer.
What happens after a data breach notification goes out?
Notification triggers a parallel set of obligations: regulatory correspondence, customer support infrastructure, forensic investigation, and often litigation. Most jurisdictions require notification within 72 hours of confirmed discovery. The costs that follow notification (credit monitoring, identity protection services, legal fees) routinely exceed $1 million in the first 30 days, before any litigation is filed.
Does cyber insurance cover all data breach costs?
Cyber insurance covers defined categories of breach-related expenses: forensic investigation, notification, credit monitoring, legal defense, and sometimes ransom payments. It typically does not cover the full cost of lost business or reputational damage, and it does not cover regulatory fines in all jurisdictions. Coverage gaps are common; organizations that have not reviewed their policy against current breach cost structures often discover the gaps at the worst possible time.