
The cost of a data breach for an SME, without the per-record myth

Forensics, legal, notification, regulatory exposure: what a data breach actually costs a small business, and why the famous cost-per-record number misleads almost everyone.


There is a number that gets quoted in every data-breach article, and most of those articles get it wrong.

You have seen it: "data breaches cost X dollars per record." People take their database size, multiply, and arrive at a terrifying figure. A firm with two million customer rows convinces itself a breach is a multi-million-dollar extinction event. It is almost always wrong, and it is wrong in a way that matters, because it sends you spending against the wrong risk.

Why per-record is the wrong mental model

The per-record averages come from datasets dominated by large breaches at large organizations, where fixed response costs get spread across enormous record counts. Divide a big total by a big denominator and you get a tidy per-record figure that feels precise. It does not survive contact with a small business.

NetDiligence's cyber claims study, which is about as close as you get to real insurer loss experience rather than survey self-reporting, finds something that should reframe the whole conversation: total incident cost is essentially uncorrelated with the number of records exposed. It tracks revenue instead. SME incidents average roughly 264,000 USD in total cost against around 94 million USD in average revenue, which is on the order of a fraction of a percent of revenue, and that ratio stays fairly stable across the range.

So in our model, record count is a minor add-on, not the driver. We use about 12 USD per record and then taper it hard: the marginal cost of the millionth record is a tiny fraction of the cost of the first thousand, because notification and monitoring have real economies of scale and a lot of breach cost is fixed regardless of size. A US breach carries a higher per-record multiple than an EU one, mostly because of the notification and litigation environment, but the dominant costs are still the fixed ones.

What the bill is actually made of

Strip out the per-record fantasy and a breach for an SME is mostly four things.

Forensics and incident response. You have to figure out what happened, what was taken, when, and whether the attacker is still inside. This is specialist work, it bills accordingly, and you cannot skip it because your legal and regulatory obligations depend on knowing the facts.

Legal counsel. Breach response is a legal process as much as a technical one. Which regulators you must notify, on what timeline, what you are obligated to tell affected individuals, how you limit liability. Good breach counsel pays for itself by keeping you out of the much larger costs.

Notification and the customer-facing aftermath. Telling people, standing up a response line, sometimes credit monitoring, and the PR work of not looking negligent. This is where per-record cost does live, but tapered, and it is rarely the largest line.

Regulatory exposure. The one everyone fixates on, and the one most overestimate.

GDPR fines: the gap between the ceiling and reality

GDPR allows fines up to 4% of global annual turnover or 20 million euros, whichever is higher. That number gets quoted as if it is the expected outcome. It is the statutory maximum, reserved for the worst conduct at the largest companies, and an SME that has a breach, reports it properly, and can show it had reasonable controls is in a completely different bracket.

In our model we treat regulatory cost as an expected value: a revenue-linked exposure multiplied by the probability that a breach actually results in a material fine, which we put around 15% in the EU and 12% in the UK. Most reportable breaches do not end in a meaningful penalty. They end in a notification, some remediation, and a regulator who is far more interested in whether you took it seriously than in bankrupting you. The US is messier because there is no single federal cap and you get state attorneys general and class actions instead, so we model a higher enforcement likelihood there.

The thing that genuinely raises your regulatory cost is not the breach. It is failing to report it, or reporting late, or being unable to show you had basic controls. Cover-ups are what turn a manageable incident into a real fine.
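To make the contrast concrete, here is an added illustration (not the model's own code) that puts the naive headline multiplication beside the structure described above: a revenue-linked fixed base, a 12 USD per-record add-on that tapers hard, and regulatory cost as an expected value. The taper shape (flat to 1,000 records, then falling as 1/n), the 1% exposure ratio, the 150 USD headline figure and the US fine probability are assumptions not stated in the article.

```python
import math

# Figures taken from the article: NetDiligence SME average total cost / average revenue,
# the ~12 USD per-record add-on, and the 15% / 12% EU / UK material-fine probabilities.
REVENUE_COST_RATIO = 264_000 / 94_000_000   # about 0.28% of revenue
PER_RECORD_BASE = 12.0
FINE_PROBABILITY = {"EU": 0.15, "UK": 0.12, "US": 0.25}  # US value is an assumption (article only says "higher")

# Assumptions not stated in the article: the taper shape and the regulatory exposure ratio.
TAPER_KNEE = 1_000          # records charged at the full per-record rate before tapering
REG_EXPOSURE_RATIO = 0.01   # revenue-linked exposure if a material fine is actually levied

def naive_per_record_cost(records: int, headline_per_record: float = 150.0) -> float:
    """The headline arithmetic the article argues against (150 USD is a constructed stand-in)."""
    return records * headline_per_record

def marginal_record_cost(records: int) -> float:
    """Cost of the n-th record: flat up to the knee, then 1/n so it tapers hard."""
    if records <= TAPER_KNEE:
        return PER_RECORD_BASE
    return PER_RECORD_BASE * TAPER_KNEE / records

def tapered_record_cost(records: int) -> float:
    """Integral of marginal_record_cost: linear to the knee, logarithmic beyond it."""
    if records <= TAPER_KNEE:
        return PER_RECORD_BASE * records
    return PER_RECORD_BASE * TAPER_KNEE * (1.0 + math.log(records / TAPER_KNEE))

def expected_regulatory_cost(revenue: float, region: str) -> float:
    """Expected value: revenue-linked exposure times the probability of a material fine."""
    return revenue * REG_EXPOSURE_RATIO * FINE_PROBABILITY[region]

def modeled_breach_cost(revenue: float, records: int, region: str) -> dict:
    """Fixed response costs (forensics, legal, notification base) scale with revenue; records are a tapered add-on."""
    fixed = revenue * REVENUE_COST_RATIO
    per_record = tapered_record_cost(records)
    regulatory = expected_regulatory_cost(revenue, region)
    return {"fixed_response": fixed, "per_record": per_record,
            "regulatory": regulatory, "total": fixed + per_record + regulatory}

if __name__ == "__main__":
    # Constructed example: a 20M-revenue EU firm with two million customer rows.
    naive = naive_per_record_cost(2_000_000)
    model = modeled_breach_cost(20_000_000, 2_000_000, "EU")
    print(f"naive per-record estimate: {naive:,.0f} USD")
    for name, value in model.items():
        print(f"{name:>15}: {value:,.0f} USD")
```

Running it shows the naive figure landing three orders of magnitude above the modeled total, with the per-record line never becoming the largest one.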

So what should you actually do

The takeaway is not "breaches are cheap." Plenty of SMEs have been seriously hurt by one. It is that the cost is driven by your revenue, your sector, your ability to respond competently and your regulatory regime, not by the raw size of your database.

That changes where you spend. The high-leverage controls are the ones that stop the breach being severe or unreported: encryption so stolen data is useless, logging so you can actually reconstruct what happened, an incident-response plan so you are not improvising the legal timeline during the worst week of the year. IBM's data lists an incident-response team and plan among the largest cost-reducing factors in a breach, and it is cheap relative to the saving.

Model your own breach exposure by sector, size and region, and read the methodology for the source behind every figure. Just stop multiplying your record count by a number you found in a headline.
