Budgeting For A Data Breach

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

It has been said that there are two kinds of systems in this world: Those that have been breached, and those that are going to be breached. If this premise is true, doesn't it make sense for CIOs to budget for a serious data breach or similar contingency? So why aren't you doing it?

Certainly the odds of any individual company actually suffering a serious data breach in the coming year are low. But budgeting for a worst-case scenario has advantages even if you do not get breached. It could be that budgeting for a data breach will deliver benefits beyond the planning process itself, including reducing your company's overall risk and maybe even the probability of your suffering a devastating breach.

As part of PCI compliance, merchants prepare both a risk assessment (Requirement 12.1) and an incident response plan (12.9). Your incident response plan needs to specify things like assigning roles and responsibilities, communications strategy, business recovery procedures and how you will meet legal requirements such as notifying affected consumers. What PCI does not address, however, is any requirement that you actually budget money to pay for implementing the incident response plan.

Based on industry data, you can expect a data breach to cost on average about $6.6 million. This number is not precise and, as they say, "your mileage may vary." It is only an average. (Note: It helps to keep in mind that 92 percent of all IT statistics are made up.) Nevertheless, the $6.6 million is a reasonable benchmark.

When a breach is discovered, most companies end up pulling money from other areas or simply tossing out the budget and spending what it takes to address the situation. That can mean reducing travel, slashing advertising, forgoing salary increases, scrapping holiday celebrations and/or severely cutting other areas of spending. If nothing else, budgeting for a breach should identify where to find the millions of dollars you are going to need to pay for everything from a forensic investigation to system upgrades, card brand fines and legal costs.

For most retailers, adding $6.6 million to the CIO's budget will manage to raise the visibility of your company's risk across the board. Assigning a dollar figure also gives new meaning and, hopefully, visibility to your annual PCI risk assessment, which itself is a positive benefit.

Your plan should be to use your data breach budget to reduce your PCI scope and your overall risk exposure. When other department or division managers understand their operating budgets (or bonuses?) could get slashed to pay for a data breach, they may be more willing to find alternatives to storing all that cardholder data.

If you are successful, you might actually reduce both your risk and your PCI compliance costs. For example, you might stop storing some cardholder data, cut the number of locations where it is stored and/or limit the applications and people that access the data. If you can reduce your PCI scope, you may not need to budget the full $6.6 million. Maybe you could reduce your breach budget to half that amount or even less.

On top of that, you should see a very nice side benefit from your breach budgeting exercise: increased security awareness across the company. There can't be too many better ways to bring home your security message to the entire enterprise than to put a price tag on each department's risky processes and behavior.

What if you don't have a breach? Certainly this situation will arise more often than the alternative (we hope). Don't congratulate yourself too soon. Keep in mind the two kinds of systems described above, in addition to the fact that just because you were not breached this year does not mean you won't be a victim next year. You could roll the budget over into the next year or hold it in a contingency account of some kind. (Note: I'm a QSA, not an accountant.) Personally, I would love to see an incentive arrangement where a percent of the unused data breach budget goes back to IT to pay for enhanced security and compliance measures.

Let's say you are successful beyond your wildest dreams and you eliminate cardholder data entirely. That is, you fully comply with "PCI Requirement 0." You then would be in the enviable position of starting your next year's IT budget presentation with: "What I will do with the extra $6.6 million."

Do you do budget for IT contingencies or data breaches? What has been the reaction? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].