With identity theft causing tens of billions of dollars in extra business expenses annually, organizations face an array of direct and indirect costs from data breaches, according to a white paper from Business Insurance.

Risk managers at all organizations should work to minimize their exposure to cyber risks by “expecting the unexpected” and adopting various strategies, both organizational and technological, according to the white paper by cyber risk and insurance expert Mark Greisiger, president of Philadelphia-based Network Standard Corp., which does business as NetDiligence.

Identity theft affects about 10 million U.S. residents a year and causes an estimated $50 billion in unnecessary business expenses.

The theft of personal information costs organizations an average of about $710,000 per incident. And the sources of those extra expenses are numerous, according to the white paper, “Cyber Risks: How to Protect Your Business in the Digital Age.”

Extra expenses can result from:

• Managing a lengthy forensic computer system investigation. Depending on the type of data (personal health information, images, audio files, etc.), the volume of information and other factors, such as centralization of systems, such costs can range from tens of thousands to millions of dollars.

• Hiring a security consultant to assist with remediation and hardening—or increasing security—of vulnerable systems and processes.

• Notifying and assisting victims. A mailer alone can cost $1 to $3 per person.

• Expert legal support to interpret federal privacy law, ascertain which state laws may have been triggered and help craft notice letters. Expanding call-center support and website FAQs in response to a breach.

• Credit monitoring. If identity theft or fraud is possible due to a breach, many organizations offer free credit monitoring for as long as three years.

• Dealing with U.S. agencies and state attorneys general with authority to mount investigations and seek enforcement of privacy laws.

• Defending class action lawsuits.

• Recovering from damage done to the organization's reputation and trust by customers or business partners, which is difficult to quantify.

The white paper argues that organizations should develop a layered approach to cyber risk management and includes practical advice on how risk managers can achieve that goal. Strategies discussed include technological defenses and system management changes, such as effective password-protection policies.

To purchase the white paper, visit www.businessinsurance.com/whitepapers.