The average cost of a data breach for the financial sector rose roughly 3% over the past year to $6.08 million, IBM concluded in a new survey of financial institutions and 16 other business sectors. The average cost across all business sectors was $4.88 million in 2024, a 10% spike since 2023. A rise in the cost of lost business helped drive the increase, as did the rising cost of post-breach responses, such as staffing customer service help desks and paying higher regulatory fines.
Forty-six percent of breaches across all sectors involved customers' personally identifiable information, such as tax identification numbers, emails, phone numbers and home addresses, the report said. Breaches involving stolen or compromised credentials took the longest to identify and contain, at 292 days. Malicious insider attacks resulted in the highest costs, averaging $4.99 million. Other expensive attack vectors included business email compromise, phishing, social engineering and stolen or compromised credentials.
In terms of the information stolen, the survey found that 40% of breached data was stored in public clouds, which when breached led to higher costs—on average, $5.2 million per breach. One-third of organizations reported that at least some of their breached information involved “shadow data” being stored without the security team’s knowledge either in the cloud or on-premises, sometimes as part of unsanctioned artificial intelligence models. (Separately, the Treasury Department earlier this year released two reports on the use of cloud services and AI-specific cybersecurity threats in the financial sector. Both were drafted with input from the American Bankers Association.)
IBM also found that ransomware incidents where the victims contacted law enforcement lowered the cost of the breach by an average of nearly $1 million, excluding the cost of any ransom paid. Involving law enforcement also helped shorten the time required to identify and contain breaches from 297 days to 281 days.