Cyber Space: Global insights on cyber and data risk for insurers

International

Issue 2, May 2025. How does the cost of cyber incidents vary across the globe?  

A key pillar of CMS’ Cyber Space series is to compare and contrast the impact of cyber incidents in different international jurisdictions.

In this respect, with assistance from colleagues in Brazil and Singapore, CMS UK have collaborated with CMS’ network of international offices and affiliate law firms to consider the comparative costs of cyber incidents. We did so by focussing on the following aspects: legal fees (average hourly rate in USD or ease), notification costs (in USD), the chance of regulatory fines and penalties and/or class actions, incident timeframes and IT forensic costs. We did this across almost 30 different jurisdictions.

Whilst there is no exact science to the assessments, we anticipate that the lowest costs would be incurred in a jurisdiction with competitive rates (usually as a result of competition between providers with relevant expertise), a high threshold for enforcement action, a low litigation environment and where cyber incidents are resolved quickly. Conversely, costs will be higher where there is a lack of options for vendors (so rates are higher), the “tail” of incidents is lengthy, there is a proactive enforcement environment and the barriers to entry for litigation (including available funding) are low.

Summary of findings

Our findings, based on incidents impacting insured entities, are summarised in the table below. We have colour coded each country in comparison with the UK, based on whether the overall average costs are likely to be higher (red), lower (green) or about the same as the UK (amber). The authors, however, caution that this is intended only as a guide as this is a nuanced exercise where the actual costs will vary depending on the nature and scope of a cyber incident.

In addition, although some jurisdictions have what appear to be higher base fees, some have lower costs in other respects. For example, while Bermuda generally attracts some of the highest legal hourly rates, we have been unable to identify any examples of the Bermudan regulator (PrivCom) having actually issued a fine, or where a group litigation/class action was brought against a business or organisation by data subjects. As such, the lower risk of follow on enforcement/litigation may offset the higher first party costs. By contrast, Denmark has comparatively lower hourly legal rates, but our analysis indicates class actions tend to be brought by affected data subjects in 20%-50% of cases, which has the potential to significantly increase third party related costs.

Some of the differences may also arise because reporting cyber incidents is a much newer concept in some jurisdictions than others. For example, in Saudi Arabia and the UAE cyber incidents are a relatively new risk and so it is difficult to determine how frequently regulatory fines or class actions will occur. In addition, because cyber incidents in these jurisdictions are a relatively new threat, there are fewer law firms that provide incident response services. Consequently, these law firms and other vendors that do provide such services may well charge higher fees than in other jurisdictions.

In respect of IT forensic costs, we were kindly supported by the Grant Thornton Cyber Defence Centre who compared each jurisdiction listed below to determine whether they considered average costs of forensic IT services are higher or lower than the UK.

From a CMS perspective, when responding to incidents in jurisdictions that are likely to be more expensive than the UK (certainly from a legal costs perspective), CMS would generally aim to co-ordinate the response from the most cost effective location to minimise the overall costs.

Cyber costs comparison table

| Country | Legal fees/hr (example blended rates for partner and associates) | Costs of notifying c.500 data subjects | IT forensic costs generally higher, lower or same as UK | Fines or penalties? | Class actions? | Avg time for resolution |
|---|---|---|---|---|---|---|
| Australia | USD 235 | USD 16,000 - 32,000 | Lower | Rare | Rare | Less than 3 months |
| Bermuda | USD 800 | USD 5,000 - 7,000 | Higher | Never | Never | Less than 3 months |
| Brazil | USD 295 | USD 2,000 - 10,000 | Lower | Rare | Rare | Less than 3 months |
| Canada | USD 450 | USD 10,000 - 20,000 | Same | Never | Rare | 6 months - 1 year |
| Colombia | USD 420 | c. USD 5,000 | Lower | Rare | Rare | Less than 3 months |
| Denmark | USD 620 | USD 17,000 - 28,000 | Same | Rare | Sometimes | 3-6 months |
| Finland | USD 515 | USD 5,500 - 11,000 | Same | Rare | Rare | Less than 3 months |
| France | USD 510 | USD 4,500 - 5,500 | Same | Rare | Rare | Less than 3 months |
| Germany | USD 450 | USD 3,400 | Same | Rare | Rare | Less than 3 months |
| Greece | USD 335 | USD 5,500 - 16,500 | Lower | Sometimes | Rare | 3-6 months |
| Guernsey | USD 915 | No additional costs | Same | Rare | Rare | 6 months - 1 year |
| Israel | USD 200 | USD 5,000 - 10,000 | Same | Sometimes | Sometimes | Less than 3 months |
| Italy | USD 395 | USD 11,000 | Lower | Rare | Rare | 3-6 months |
| Japan | USD 375 | USD 5,000 - 10,000 | Higher | Rare | Rare | 3-6 months |
| Lux. | USD 490 | USD 5,500 - 8,000 | Higher | Rare | Never | 3-6 months |
| Malta | USD 425 | USD 3,400 - 5,500 | Lower | Rare | Rare | 3-6 months |
| Ned. | USD 510 | USD 3,400 | Lower | Rare | Sometimes | 3-6 months |
| Norway | USD 480 | USD 6,800 | Higher | Rare | Rare | Less than 3 months |
| Peru | USD 195 | USD 10,000 | Lower | Rare | Never | Less than 3 months |
| KSA | USD 700 | USD 13,500 | Same | Rare | Never | 6 months - 1 year |
| Slovenia | USD 465 | USD 2,800 - 3,750 | Lower | Rare | Rare | Less than 3 months |
| South Africa | USD 485 | USD 2,650 - 3,325 | Lower | Rare | Rare | Less than 3 months |
| Spain | USD 510 | c. USD 11,500 | Lower | Sometimes | Rare | Less than 3 months |
| Sweden | USD 475 | USD 5,500 - 11,500 | Same | Rare | Rare | Less than 3 months |
| Switz. | USD 580 | c. USD 3,000 | Same | Sometimes | Sometimes | Less than 3 months |
| Turkey | USD 470 | USD 11,500 | Lower | Regularly | Never | 6 months - 1 year |
| UAE | USD 700 | USD 13,500 | Same | Rare | Rare | 6 months - 1 year |
| UK | USD 415 | USD 10,000 | N/A | Rarely | Rare | 6 months - 1 year |
| USA | USD 475 | USD 3,000 - 4,000 | Higher | Rarely | Sometimes | 3-6 months |

Key take-aways for cyber insurers

The key points for cyber insurers to take from the table above are as follows:

There is significant global variability across legal and notification costs.

For instance, Guernsey has the highest average hourly rate, while Peru has the lowest. Further, in Australia the cost of notifying 500 data subjects ranges from USD 16,000 to USD 32,000, while in Slovenia it is much lower at between USD 2,800 and USD 3,750. The same variability can be seen in respect of IT forensic costs.

This variability can impact the overall cost of managing cyber incidents and will likely be a key consideration for insurers when assessing risk and pricing models.

The potential for regulatory fines and penalties will differ depending on the jurisdiction, especially outside of the EU. 

For example, Bermuda and Peru have never issued fines, whereas Turkey regularly imposes fines. This information is potentially crucial for insurers when considering the regulatory environment and potential financial exposure when writing cyber risks in different regions.

The CMS Enforcement Tracker monitors decisions published by regulators in the EU to help keep track of the latest trends.

Whilst class actions arising out of insured cyber incidents remain rare, this is a developing risk that insurers should consider.

Of the countries surveyed, the risk appears highest in Denmark, the Netherlands, Israel, Switzerland and the US, which could significantly impact third-party costs.

Although the daily burn rate may be high, this may be alleviated by quicker resolution times.

The average time for resolving cyber incidents ranges from less than three months in countries like Australia and Brazil, to six months to a year in Canada and the UAE. Faster resolution times can reduce costs and mitigate damage, making this a key factor for insurers to consider.

Different approaches to enforcement and litigation can impact the overall costs.

Jurisdictions with a pro-enforcement and litigation environment, such as Turkey, can lead to higher costs due to regular fines and penalties. Cyber insurers should consider the legal environment when assessing risk and pricing policies.

Cyber Space – More to come…

This article is part of our Cyber Space series. These monthly articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.  


As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.