Form: Cost-of-Breach Disclosure
Source: IBM 2025
Filed: 28 Apr 2026
DataBreachCost.com
Sector File 03.FS / Financial Services
PCI DSS / GLBA / SOX

Sector profile

Financial services breaches cost $5.56M on average. Per record, $228.

IBM's 2025 financial services figure of $5.56M is 25% above the global average and 4% lower than the 2024 figure. Per-record cost of $228 sits second only to healthcare. The sector holds rank #2 for the twelfth consecutive year, with regulator pile-on and card-reissuance economics keeping it durably above the global mean.

Avg total cost: $5.56M (IBM CODB 2025)
Per record: $228 (second only to healthcare)
YoY change: -4% (slight cooling from 2024)
Years at #2: 12 (durable structural position)

Section FS.1

The card reissuance line item nobody plans for

Card reissuance is the line item that catches first-time breach victims unprepared. When a financial institution has to reissue debit or credit cards after a breach, the per-card cost runs $5 to $15 depending on card type, embossing complexity, mailing class, and contact-center burden for activation. For a card-issuer breach affecting 10 million cards, the baseline reissuance cost is $50M to $150M before fraud-loss reserves are touched.

Beyond the issuer, the merchant that suffered the breach typically pays card-brand assessments under the PCI DSS regime. The Visa and Mastercard penalty schedules are confidential, but public-record breach settlements indicate a typical structure of $5,000 to $100,000 per month per merchant ID for compliance failures, plus per-card forensic-investigation and reissuance reimbursement clauses that scale with the affected count. PCI Security Standards Council publishes the standard text, but the enforcement architecture flows through Visa, Mastercard, Amex, and Discover acquiring relationships rather than through PCI SSC directly.

The compounding effect is unique to financial services. A retailer pays reissuance through PCI assessments. A card-issuing bank pays reissuance directly. A processor pays both, as both an issuer and a merchant counterparty. The single breach can trigger five-figure-per-day fines on multiple sides of the transaction relationship before the regulator action even begins.

Section FS.2

The four-regulator stack: OCC, CFPB, FTC, state AGs

Financial services breach response runs across an unusually crowded regulator field. National banks answer to the Office of the Comptroller of the Currency, with consent orders that typically include both monetary penalties and multi-year remediation programmes. The Consumer Financial Protection Bureau pursues consumer-harm-based enforcement under the Consumer Financial Protection Act. The Federal Trade Commission pursues unfair-or-deceptive-practice theories under Section 5, with the Equifax 2019 settlement still the largest single FTC action on record. State attorneys general pursue parallel actions under state consumer protection statutes, with California, New York, and Massachusetts setting the pace.

The Computer-Security Incident Notification Rule (12 CFR Part 225 et seq.) jointly issued by the OCC, Federal Reserve, and FDIC in November 2021 requires banks to notify their primary federal regulator within 36 hours of any incident that materially disrupts banking operations. The compressed timeline forces forensic and legal counsel to engage in parallel rather than sequentially, increasing both detection-escalation costs and the rate of premature disclosure errors that produce class-action exposure later.

For broker-dealers and registered investment advisers, the SEC enforces an additional disclosure obligation under Item 1.05 of Form 8-K for public companies and Regulation S-P for protection of customer information. The SEC's 2023 final rule on cybersecurity disclosure has produced approximately 60 Item 1.05 filings as of mid-2026, with each filing typically followed by stock-price moves of 2% to 7% in the 24 hours after disclosure.

Section FS.3

Notable financial-services breaches

Equifax, 2017

147M records / Apache Struts exploit (CVE-2017-5638) / Unpatched 11 weeks

$1.4B+

The single costliest breach on record. Equifax disclosed in September 2017 that attackers exploited an unpatched Apache Struts vulnerability that had been public for 11 weeks. The breach exposed SSNs, dates of birth, addresses, and driver-licence numbers for 147M consumers. Equifax agreed to a $700M FTC settlement in July 2019, the largest in FTC history at the time. Total disclosed cost across class-action, regulator, and remediation lines has exceeded $1.4B as of 2025, with consumer claims still processing.

Primary source: FTC consent order 22 July 2019; Equifax SEC 10-K 2017-2024; House Oversight report December 2018.

Capital One, 2019

106M records / SSRF on misconfigured WAF / Former AWS employee

$300M+

A former AWS engineer exploited a server-side request forgery vulnerability in Capital One's WAF configuration to extract IAM credentials, then enumerated S3 buckets containing 106M credit applications. Capital One paid an $80M OCC penalty in August 2020 for risk-management failures and a $190M class-action settlement in 2021. Total disclosed cost crossed $300M including internal remediation. The case set the precedent that cloud-infrastructure misconfiguration is the bank's liability even when the underlying cloud provider is technically the data custodian.

Primary source: OCC consent order 5 August 2020; Capital One SEC 10-K 2019-2022; class-action settlement order Eastern District of Virginia, 2021.

JPMorgan Chase, 2014

83M households / SQL injection via unpatched server / Securities fraud ring

$1B+ programme

JPMorgan disclosed in October 2014 that contact information for 76M households and 7M small businesses had been exfiltrated. The intrusion was traced to a server that had not been upgraded to enforce two-factor authentication. JPMorgan committed to doubling its annual cybersecurity budget to $500M as a direct response. The DOJ subsequently indicted three individuals in connection with a broader hack-and-pump securities-fraud ring that used the stolen contact lists for pump-and-dump targeting. Total programme cost across remediation, settlements, and the doubled security budget exceeded $1B over five years.

Primary source: DOJ press release 10 November 2015; JPMorgan SEC 10-K 2014-2018; Senate Banking Committee testimony May 2015.

Section FS.4

The cost components that dominate in financial services

The four IBM cost categories are distributed differently in financial services than they are globally. Detection and escalation runs about 29% globally but closer to 34% in financial services, because the compressed regulator-notification timeline forces extensive forensic engagement in the first 72 hours. Notification is 6% globally but 8% in financial services, because per-customer letter and call-centre obligations are higher and regulator-reporting obligations multiply. Post-breach response is 27% globally but 24% in financial services, because credit monitoring is largely covered through existing relationships with the three bureaux. Lost business is 38% globally but 34% in financial services, because customer switching costs are sticky in retail banking (the typical 90-day onboarding for a new bank relationship suppresses churn).

The implication for budget planning: financial services CFOs should reserve a larger proportion of breach contingency for the 72-hour forensic and counsel response and a smaller proportion for ongoing customer-relationship investment. The reverse is true for healthcare and retail, where lost business dominates and ongoing relationship investment is the larger budget item.


Primary source: Financial services sector cost figures from IBM Cost of a Data Breach Report 2025. Regulator data from OCC, CFPB, FTC, and SEC public records. Notable breach totals from SEC 10-K filings, FTC consent orders, OCC consent orders, and class-action settlement records.