Issue 2, May 2025. How does the cost of cyber incidents vary across the globe?
A key pillar of CMS’ Cyber Space series is to compare and contrast the impact of cyber incidents in different international jurisdictions.
In this respect, with assistance from colleagues in Brazil and Singapore, CMS UK have collaborated with CMS’ network of international offices and affiliate law firms to consider the comparative costs of cyber incidents. We did so by focussing on the following aspects: legal fees (average hourly rate in USD or ease), notification costs (in USD), the chance of regulatory fines and penalties and/or class actions, incident timeframes and IT forensic costs. We did this across almost 30 different jurisdictions.
Whilst there is no exact science to the assessments, we anticipate that the lowest costs would be incurred in a jurisdiction with competitive rates (usually as a result of competition between providers with relevant expertise), a high threshold for enforcement action, a low litigation environment and where cyber incidents are resolved quickly. Conversely, costs will be higher where there is a lack of options for vendors (so rates are higher), the “tail” of incidents is lengthy, there is a proactive enforcement environment and the barriers to entry for litigation (including available funding) are low.
Summary of findings
Our findings, based on incidents impacting insured entities, are summarised in the table below. We have colour coded each country in comparison with the UK, based on whether the overall average costs are likely to be higher (red), lower (green) or about the same as the UK (amber). The authors, however, caution that this is intended only as a guide as this is a nuanced exercise where the actual costs will vary depending on the nature and scope of a cyber incident.
In addition, although some jurisdictions have what appear to be higher base fees, some have lower costs in other respects. For example, while Bermuda generally attracts some of the highest legal hourly rates, we have been unable to identify any examples of the Bermudan regulator (PrivCom) having actually issued a fine, or where a group litigation/class action was brought against a business or organisation by data subjects. As such, the lower risk of follow on enforcement/litigation may offset the higher first party costs. By contrast, Denmark has comparatively lower hourly legal rates, but our analysis indicates class actions tend to be brought by affected data subjects in 20%-50% of cases, which has the potential to significantly increase third party related costs.
Some of the differences may also arise because reporting cyber incidents is a much newer concept in some jurisdictions than others. For example, in Saudi Arabia and the UAE cyber incidents are a relatively new risk and so it is difficult to determine how frequently regulatory fines or class actions will occur. In addition, because cyber incidents in these jurisdictions are a relatively new threat, there are fewer law firms that provide incident response services. Consequently, these law firms and other vendors that do provide such services may well charge higher fees than in other jurisdictions.
In respect of IT forensic costs, we were kindly supported by the Grant Thornton Cyber Defence Centre who compared each jurisdiction listed below to determine whether they considered average costs of forensic IT services are higher or lower than the UK.
From a CMS perspective, when responding to incidents in jurisdictions that are likely to be more expensive than the UK (certainly from a legal costs perspective), CMS would generally aim to co-ordinate the response from the most cost effective location to minimise the overall costs.
Cyber costs comparison table
Country | Legal fees/hr (example blended rates for partner and associates) | Costs of notifying c.500 data subjects | IT forensic costs generally higher, lower or same as UK | Fines or penalties? | Class actions? | Avg time for resolution |
---|---|---|---|---|---|---|
Australia | USD 235 | USD 16,000 - 32,000 | Lower | Rare | Rare | Less than 3 months |
Bermuda | USD 800 | USD 5,000 - 7,000 | Higher | Never | Never | Less than 3 months |
Brazil | USD 295 | USD 2,000 - 10,000 | Lower | Rare | Rare | Less than 3 months |
Canada | USD 450 | USD 10,000 – 20,000 | Same | Never | Rare | 6 months – 1 year |
Colombia | USD 420 | c. USD 5,000 | Lower | Rare | Rare | Less than 3 months |
Denmark | USD 620 | USD 17,000-28,000 | Same | Rare | Sometimes | 3–6 months |
Finland | USD 515 | USD 5,500 – 11,000 | Same | Rare | Rare | Less than 3 months |
France | USD 510 | USD 4,500 – 5,500 | Same | Rare | Rare | Less than 3 months |
Germany | USD 450 | USD 3,400 | Same | Rare | Rare | Less than 3 months |
Greece | USD 335 | USD 5,500 - 16,500 | Lower | Sometimes | Rare | 3–6 months |
Guernsey | USD 915 | No additional costs | Same | Rare | Rare | 6 months - 1 year |
Israel | USD 200 | USD 5,000 – 10,000 | Same | Sometimes | Sometimes | Less than 3 months |
Italy | USD 395 | USD 11,000 | Lower | Rare | Rare | 3-6 months |
Japan | USD 375 | USD 5,000 - 10,000 | Higher | Rare | Rare | 3-6 months |
Lux. | USD 490 | USD 5,500 – 8,000 | Higher | Rare | Never | 3-6 months |
Malta | USD 425 | USD 3,400 - 5,500 | Lower | Rare | Rare | 3-6 months |
Ned. | USD 510 | USD 3,400 | Lower | Rare | Sometimes | 3-6 months |
Norway | USD 480 | USD 6,800 | Higher | Rare | Rare | Less than 3 months |
Peru | USD 195 | USD 10,000 | Lower | Rare | Never | Less than 3 months |
KSA | USD 700 | USD 13,500 | Same | Rare | Never | 6 months - 1 year |
Slovenia | USD 465 | USD 2,800 - 3,750 | Lower | Rare | Rare | Less than 3 months |
South Africa | USD 485 | USD 2,650 – 3,325 | Lower | Rare | Rare | Less than 3 months |
Spain | USD 510 | c. USD 11,500 | Lower | Sometimes | Rare | Less than 3 months |
Sweden | USD 475 | USD 5,500 – 11,500 | Same | Rare | Rare | Less than 3 months |
Switz. | USD 580 | c. USD 3,000 | Same | Sometimes | Sometimes | Less than 3 months |
Turkey | USD 470 | USD 11,500 | Lower | Regularly | Never | 6 months - 1 year |
UAE | USD 700 | USD 13,500 | Same | Rare | Rare | 6 months - 1 year |
UK | USD 415 | USD 10,000 | N/A | Rarely | Rare | 6 months - 1 year |
USA | USD 475 | USD 3,000 - 4,000 | Higher | Rarely | Sometimes | 3-6 months |
Key take-aways for cyber insurers
We consider the key things for cyber insurers to consider in respect of the table above are as follows:
There is significant global variability across legal and notification costs.
For instance, Guernsey has the highest average hourly rate, while Peru has the lowest. Further, in Australia the cost of notifying 500 data subjects ranges from USD 16,000 to USD 32,000, while in Slovenia it is much lower at between USD 2,800 and USD 3,750. The same variability can be seen in respect of IT forensic costs.
This variability can impact the overall cost of managing cyber incidents and will likely be a key consideration for insurers when assessing risk and pricing models.
The potential for regulatory fines and penalties will differ depending on the jurisdiction, especially outside of the EU.
For example, Bermuda and Peru have never issued fines, whereas Turkey regularly imposes fines. This information is potentially crucial for insurers when considering the regulatory environment and potential financial exposure when writing cyber risks in different regions.
The CMS Enforcement Tracker monitors decisions published by regulators in the EU to help keep track of the latest trends.
Whilst class actions arising out of insured cyber incidents remain rare, this is a developing risk that insurers should consider.
Of the countries surveyed, the risk appears highest in Denmark, the Netherlands, Israel, Switzerland and the US, which could significantly impact third-party costs.
Although the daily burn rate may be high, this may be alleviated by quicker resolution times.
The average time for resolving cyber incidents ranges from less than three months in countries like Australia and Brazil, to six months to a year in Canada and the UAE. Faster resolution times can reduce costs and mitigate damage, making this a key factor for insurers to consider.
Different approaches to enforcement and litigation can impact the overall costs.
Jurisdictions with a pro-enforcement and litigation environment, such as Turkey, can lead to higher costs due to regular fines and penalties. Cyber insurers should consider the legal environment when assessing risk and pricing policies.
Cyber Space – More to come…
This article is part of our Cyber Space series. These monthly articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.
As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.