Rethinking Incident Response: How Organizations Can Avoid Budget Overruns and Delays
Cyberattacks are more costly than ever. This year, the average price tag of a data breach skyrocketed to $4.88 million, a 10% jump from 2023 and the steepest increase since the pandemic. Recent headline-grabbing breaches suggest these figures will only climb higher. While the immediate fallout from a breach, such as addressing compromised systems and responding to ransom demands, often garners the most attention, a less visible but equally significant cost is the process of notifying affected parties. According to IBM’s 2024 Cost of a Data Breach Report, inefficient post-breach response — including notification efforts — is among the top drivers of rising breach costs. Victim organizations need more effective tools and strategies to streamline incident response and mitigate financial fallout.
Traditional Incident Response Methods Compound Costs
When a breach of sensitive data occurs, companies are legally obligated to inform affected individuals, businesses, regulatory agencies and the media within a certain time frame based on a patchwork of state and federal laws.
Quickly and accurately compiling notification lists, however, is no small task due to the growing complexity of a company’s data estate. Today, organizations are not only collecting more information but also more diverse types of data. Because compiling these lists is such a complex undertaking, corporate legal teams and cybersecurity professionals tasked with guiding companies through efficient breach notification generally turn to data mining to sort through all that complicated data and determine what was exposed and which individuals were affected.
Unfortunately, the data mining industry has been slow to meet the modern demands of incident response. Despite the clear need for advanced technology to perform accurate digital forensics and data extraction at scale, most data mining vendors still rely on manual review workflows ill-equipped to manage the volume and complexity of today’s caseloads. This approach often leads to extended timelines, ballooning costs, inaccuracy and, in some cases, incomplete projects.
Human error is the most apparent risk of manual review. Less obvious, however, is the widespread practice by most vendors of outsourcing these reviews to transient overseas review teams. These teams often lack the contextual knowledge required for accurate document review, resulting in compliance issues and inaccurate reports that require clean-up from costly legal teams. Additionally, cross-border data transfers exacerbate security and financial vulnerabilities by exposing sensitive information to hundreds of transient workers.
The ramifications of prolonged (and inaccurate) reviews are far-reaching. Delays in notifying breach victims leave individuals vulnerable to identity theft and fraud while sensitive data continues to circulate in illicit online markets. For organizations, these delays can lead to reputational harm, business disruptions and — now — regulatory fines that further compound the cost of the initial breach.
In the past, when data mining engagements failed, companies could simply issue broad notifications to all possibly affected individuals, claiming “best effort” compliance. But, today, those that fail to comply with breach notification laws are increasingly being held accountable, sometimes resulting in nine-digit fines. Non-compliance and associated penalties are widely recognized as top contributors to escalating breach expenses year after year. With the consequences of subpar notification efforts becoming more severe, companies need access to more advanced, cost-effective, tech-driven solutions.
Preventing Errors, Delays and Overbilling
In line with this trend, victim organizations, together with their counsel and cyber insurance carriers, are now seeking out AI-powered solutions to navigate incident response. Compared to manual review, automated solutions are far better equipped to accurately identify and extract compromised data from massive, intricate data sets. It’s estimated that AI-led solutions drive down breach response costs by as much as $2.2 million.
The cost difference is largely due to data mining solutions leveraging AI and machine learning (AI/ML) as the primary method for review, so they can produce results much faster than traditional manual reviews. Unlike human teams, software doesn’t take sick days, weekends, holidays, or breaks; it operates continuously. While humans have difficulty reading more than one page of text per minute, on average, a computer can do so almost instantaneously. Even more consequential, manual review teams cannot efficiently scale to meet the fluctuating demands of data mining: ballooning data volume, variety in language and cultural context, and data quality complexities all require team expansion or training. For organizations facing tight breach notification deadlines, relying on manual labor can quickly escalate costs. Additionally, the longer a business experiences downtime while waiting for the incident to be addressed and resolved, the greater the losses it incurs.
Manual review strategies often struggle to accurately estimate timelines and meet deadlines due to operational dependencies. Reliance on manual review limits visibility into the complexity of the exposed data at the beginning of a project, which is critically detrimental. Additionally, case complexities such as file legibility, compressed files (ZIP or RAR) and language variety can create added operational challenges when expanding the team. What may seem like a small difference can drastically affect both cost and timeline. With looming breach notification deadlines, offshore labor becomes an attractive option, leaving little incentive for most to invest in advanced R&D for disrupting the process with automated review.
In contrast to manual review teams, AI-powered, automated data mining solutions can scan the entire data set to get an accurate picture of volume, responsive files and qualities of the data estate. These automated forensic scans set a strong foundation for predicting key scope identifiers: responsive rate and review strategy. This puts review teams in a much better position to assess timelines, engineer a solution for the victim organization that meets their notice deadline, and accurately project costs.
AI-led data mining also delivers more accurate, customized reports suited to the needs of counsel and developed specifically for the notification process. As a result, legal teams spend less time double-checking, reformatting, or “slicing and dicing” to get to the next step of breach recovery — which means fewer feedback cycles and lower legal fees.
Finally, since automation dramatically reduces the need for manual review, the entire review process can be conducted on-shore — overseen by experts — and on-premises behind a victim organization’s firewall (or a vendor’s secure forensics lab). This approach is not only more secure but also drastically optimized for speed and accuracy. While on-shore, on-premises engagements powered by advanced technology may seem more expensive upfront, they can cut data mining costs by as much as 50% compared to offshore manual review.
Preparing for a More Complex Cyber Future With Cost-Efficient, Tech-First Incident Response
The stakes and costs of breach response are higher than ever, and the challenges are only intensifying. As we approach 2025, companies face a threat landscape with more frequent and sophisticated attacks, all within the constraints of shrinking breach notification windows. In this environment, efficient and precise incident response is no longer optional; it’s a critical component of organizational resilience and recovery.
Today’s breach response and notification demands more than outdated, traditional approaches; it requires a bold leap forward. The future needs a transformative shift toward advanced, tech-driven solutions that are onshore, secure and radically transparent. By embracing these innovations, victim organizations can not only meet regulatory obligations but also minimize damage, protect their reputations and better control costs in the critical moments following a breach.