# The median breach costs $83,000
The industry sold fear by the gigabyte for twenty years. Verizon finally counted the receipts. The number that matters isn't the median — it's the shape of the tail, and the tail is the only thing exposure management was ever for.
For two decades the breach-cost conversation ran on a single recycled number: 60% of small businesses close within six months of being hacked. It has no traceable source. Adrian Sanabria spent roughly a decade building destroyedbybreach.com, a database of companies that actually ceased to exist as a direct result of a cyber incident, and found 25 to 32 of them. Not 60% of anything. A few dozen, over ten years, worldwide. And the ones that did die shared a pattern: the breach was the trigger, never the root cause. No incident-response plan, no usable backups, no operational resilience. The breach pushed; the absence of resilience is what let them fall.
So the honest headline is the uncomfortable one for a security vendor to print: breaches rarely kill companies, and the market knows it. Comparitech tracked 118 breached public companies from 2007 to 2023. Share prices bottomed at −1.4% about 41 trading days after disclosure and recovered to pre-breach levels by day 53. Two peer-reviewed studies Kelly Shortridge cites found no statistically significant stock reaction to breach announcements at all. Markets, as she puts it, DGAF.
We could stop here and you'd have every reason a CFO ever gave for underfunding security. But that would be reading the average and ignoring the distribution — which is exactly the mistake the industry made in the other direction.
## What Verizon actually counted
The 2026 Verizon Breach Impact Study, built with the insurer consortium CyberAcuView, is the first breach-cost dataset that isn't a vendor survey. It is ~70,000 cyber-insurance claims, ~38,000 with paid losses, covering January 2019 through October 2025. Real claims, real payouts, real distribution. Here is the shape:
| Percentile | Insured loss |
|---|---|
| Median | $83,000 |
| Top 10% | > $920,000 |
| Top 2.5% | > $5,000,000 |
| Enterprise top 2.5% | ~$22,000,000 |
| Supply-chain top 2.5% | > $100,000,000 |
The median is small. A CFO is right that an $83,000 expected loss does not justify a seven-figure security program. But the median was never the point. This is a fat-tailed distribution, and fat tails are not managed by managing the average. The job of a security program is not to shave the median breach. It is to keep your organization out of the top 2.5% — the $5M, the $22M, the nine-figure supply-chain event. That is a tail-risk problem, and tail-risk problems are governed by which paths exist in your estate, not by how many alerts your SIEM fired last week.
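To put numbers on "fat tails are not managed by managing the average", here is an added illustration that is not part of the Verizon study or of this post. It assumes, purely as a stand-in, that insured loss follows a lognormal distribution calibrated to two figures from the table above (median $83,000, 90th percentile $920,000); the percentile constants and the partial-expectation formula are standard lognormal results, and nothing else is taken from the study.

```python
from math import erf, exp, log, sqrt

# Two figures from the Verizon table, used only to calibrate the stand-in model.
MEDIAN_LOSS = 83_000
P90_LOSS = 920_000
# Standard-normal quantiles for the 90th and 97.5th percentiles.
Z90 = 1.2815515655
Z975 = 1.9599639845


def std_normal_cdf(z):
    """Phi(z) via the error function, so no SciPy is needed."""
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


def fit_sigma(median, p90):
    """Log-scale sigma of the lognormal whose median and 90th percentile match the inputs.

    Assumption: the lognormal is a modelling convenience, not the true claims distribution.
    """
    return log(p90 / median) / Z90


def quantile(median, sigma, z):
    """Loss at the percentile whose standard-normal quantile is z."""
    return median * exp(sigma * z)


def mean_loss(median, sigma):
    """Expected loss of the fitted lognormal: median * exp(sigma^2 / 2)."""
    return median * exp(sigma * sigma / 2.0)


def tail_share(sigma, z):
    """Fraction of total expected loss contributed by claims above the percentile at z.

    For a lognormal the partial expectation above a quantile reduces to Phi(sigma - z).
    """
    return std_normal_cdf(sigma - z)


def tail_summary(median=MEDIAN_LOSS, p90=P90_LOSS):
    """Fit the model and report the figures a budget conversation actually turns on."""
    sigma = fit_sigma(median, p90)
    return {
        "sigma": sigma,
        "mean": mean_loss(median, sigma),
        "mean_over_median": mean_loss(median, sigma) / median,
        "fitted_p975": quantile(median, sigma, Z975),
        "share_top10": tail_share(sigma, Z90),
        "share_top2_5": tail_share(sigma, Z975),
    }


if __name__ == "__main__":
    s = tail_summary()
    print(f"sigma                     {s['sigma']:.3f}")
    print(f"mean loss                 ${s['mean']:,.0f}  ({s['mean_over_median']:.1f}x the median)")
    print(f"fitted 97.5th percentile  ${s['fitted_p975']:,.0f}  (study reports > $5,000,000)")
    print(f"share of loss, top 10%    {s['share_top10']:.0%}")
    print(f"share of loss, top 2.5%   {s['share_top2_5']:.0%}")
```

Two things fall out. First, even under this tame model the mean is close to six times the median, and the top decile of claims carries roughly seven tenths of total expected loss, so a program sized off the median is sized off the wrong number. Second, the fitted 97.5th percentile lands near $3.3 million, well under the study's reported $5 million-plus: the real claims tail is heavier than a lognormal calibrated to its own median and 90th percentile, which is exactly what "fat-tailed" means in practice.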
There's a second reason the median understates the stakes. Verizon's figures are insured losses — floors, not ceilings. They exclude uninsured loss, reputational damage, and the long shadow Comparitech found underneath the 53-day "recovery": breached firms underperformed the NASDAQ by 3.2% at six months, 8.6% at one year, and 15.6% at three years. The stock chart recovers in absolute terms while quietly bleeding relative to the market for years. The insurance claim closes; the exposure does not.
And the floor itself is rising. Median impact grew 80% from 2019 to 2024 ($60k to $110k) against 23% CPI inflation. Roughly three times the rate of inflation. This is not a statistical artifact. It is the cost structure of the tail moving up.
## The tail has a shape, and it's lateral movement
Here is the finding that should reorganize every security budget. Ransomware is 36% of claims but 73% of total insured cost, with a median impact of $303,547 — three and a half times the dataset median. The cost of breaches is not spread evenly across threat types. It is concentrated, overwhelmingly, in one failure mode.
And that failure mode has a known anatomy. Ransomware cost is not the initial phish. It is what happens after the first host falls — lateral movement to the systems that, if encrypted, stop the business. The expensive breach is the one where an attacker landed on a forgotten endpoint and walked, unobserved, to a domain controller, a backup server, an OT historian, a crown-jewel database. Every dollar in that 73% is a dollar that an attack path made possible.
Which is precisely what an exposure graph is built to see and a SIEM is built to miss. A single-event detection rule asks "did something bad happen on this host?" An exposure graph asks "if this host falls, what is reachable, how many hops is it to something that matters, and is anything watching the route?" In live tenants we routinely find crown-jewel identities with dozens of hosts able to reach them within three hops — and a large fraction of those hosts carrying no endpoint coverage at all, only a base agent. That is the 73% waiting to happen: a believable path to something that matters, with nothing watching the route. Finding it before the adversary does is not detection. It is keeping you off the tail.
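The three questions in that paragraph (what can reach a crown jewel, in how many hops, and with nothing watching the route) are graph queries, and the "decoy on a cut-vertex" idea the post closes on is a fourth. Here is an added example of those queries over a small constructed estate. It is not code from the post or from any Setu product: the hosts, edges, coverage labels and crown-jewel list are all made up, and in a real deployment the edge list would come from identity and network telemetry rather than a literal.

```python
from collections import deque

# Constructed estate (not from the post). A directed edge (a, b) means
# "an actor who controls host a has a usable path onto host b" (a cached
# credential, an open admin protocol, a writable share, and so on).
EDGES = [
    ("ws-01", "jump-01"), ("ws-02", "jump-01"), ("ws-03", "file-01"),
    ("ws-04", "ws-03"), ("jump-01", "dc-01"), ("jump-01", "backup-01"),
    ("file-01", "dc-01"), ("ws-05", "hist-01"), ("hist-01", "plc-gw-01"),
]
# Endpoint coverage per host: "edr" is full behavioural telemetry, "base" is a
# bare agent with no detection, "none" is nothing at all.
COVERAGE = {
    "ws-01": "edr", "ws-02": "base", "ws-03": "base", "ws-04": "base",
    "ws-05": "none", "jump-01": "edr", "file-01": "base", "hist-01": "base",
    "dc-01": "edr", "backup-01": "edr", "plc-gw-01": "none",
}
CROWN_JEWELS = ["dc-01", "backup-01", "plc-gw-01"]


def adjacency(edges):
    """Forward and reverse adjacency maps for a directed edge list."""
    fwd, rev = {}, {}
    for a, b in edges:
        fwd.setdefault(a, set()).add(b)
        rev.setdefault(b, set()).add(a)
    return fwd, rev


def hosts_within(target, max_hops, rev):
    """Reverse BFS: every host that can reach `target` in at most max_hops steps, with its distance."""
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue
        for prev in rev.get(node, ()):
            if prev not in dist:
                dist[prev] = dist[node] + 1
                queue.append(prev)
    del dist[target]
    return dist


def reaches(source, target, fwd, removed=None):
    """Forward BFS from source to target with one node taken out of the graph."""
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in fwd.get(node, ()):
            if nxt != removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def exposure(target, max_hops, edges=EDGES, coverage=COVERAGE):
    """Answer the graph's questions for one crown jewel.

    unwatched: hosts within range carrying no EDR, i.e. routes nothing is watching.
    chokepoints: nodes whose removal leaves every other unwatched host with no path
    to the target; one sensor or decoy there covers every unwatched route.
    """
    fwd, rev = adjacency(edges)
    within = hosts_within(target, max_hops, rev)
    unwatched = sorted(h for h in within if coverage.get(h) != "edr")
    chokepoints = []
    for v in within:
        others = [s for s in unwatched if s != v]
        if others and not any(reaches(s, target, fwd, removed=v) for s in others):
            chokepoints.append(v)
    return {"reachable": len(within), "unwatched": unwatched, "chokepoints": sorted(chokepoints)}


def report(max_hops=3, jewels=CROWN_JEWELS):
    """Exposure summary for every crown jewel in the estate."""
    return {jewel: exposure(jewel, max_hops) for jewel in jewels}


if __name__ == "__main__":
    for jewel, r in report().items():
        print(f"{jewel}: {r['reachable']} hosts within 3 hops, "
              f"unwatched={r['unwatched']}, chokepoints={r['chokepoints']}")
```

The three crown jewels come out differently, which is the point. The domain controller has six hosts within three hops, four of them unwatched, and no single chokepoint, because the file server and the jump host are independent routes in; that is a two-sensor problem. The backup server has one unwatched route and it runs through the jump host, so a decoy there trips any walk from the bare-agent workstation. The OT gateway's only chokepoint is the historian, which itself carries only a base agent: an unwatched host sitting on every path to the asset whose loss is a business-interruption event.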
## The fastest-growing cost is the one your cloud tools can't see
The other number in the study that should move budgets: business interruption grew from 21% of known losses in 2023 to 32% in 2024 — a 51% jump in a single year. In supply-chain and third-party incidents, business interruption is 50% of total known losses. Manufacturing business-interruption losses run 158% above the cross-sector median.
Business interruption is not a data-confidentiality problem. It is an availability and operational-resilience problem — production lines, hospital systems, hotel operations, the OT and dependency layer that a cloud-native, agentless scanner structurally cannot see. This is the cost line growing fastest, concentrated in exactly the cross-domain, IT-meets-OT blast radius that asset-graph tools built for cloud posture were never designed to map. If your exposure picture stops at the cloud control plane, you are blind to the half of the loss distribution that is growing the fastest.
## The proportion the industry keeps getting wrong
Two more facts close the loop, and they point at who is actually underserved. Small businesses face breach costs of up to 7% of annual revenue in the extreme; large enterprises rarely exceed 2%. The relative burden is inverted from the absolute one. The organizations that can least afford a tail event are the ones living closest to it — and the ones least able to buy the enterprise stack that maps it. The honest answer there is not a high-touch seven-figure platform. It is exposure management that deploys cheaply, runs on-prem or air-gapped where it has to, and is priced for the segment that lives at 7% of revenue.
So the framing the better part of this industry is now converging on — proportion, not dread — is the right one, and it is good for the firms that took the dread route honestly. The Verizon data does not say breaches don't matter. It says they matter in a specific, measurable, fat-tailed way:
- The average breach is survivable. Stop selling the apocalypse.
- The tail is where the money is, and the tail is shaped by reachable paths to things that matter.
- The fastest-growing slice — business interruption — lives in the OT and third-party dependency layer.
- The most exposed segment — SMB — is the least served.
Every one of those is an exposure-management statement, not a detection statement. The product that addresses them isn't the one that counts the most alerts. It is the one that tells you which paths into your crown jewels exist, which of them nothing is watching, where a decoy on a cut-vertex would trip the walk, and what the blast radius is when — not if — the first host falls.
The median breach costs $83,000. We are not in the business of that number. We are in the business of the other one — the $5 million you stay off of because somebody mapped the path first.
Sources: Verizon 2026 Breach Impact Study · Comparitech share-price analysis · destroyedbybreach.com · Chris Hughes, The Real Price Tag on Breaches.
Setu Security Research