
Breach Cost Data

18 data points
Primary source: IBM Security & Ponemon Institute, "Cost of a Data Breach Report 2024", published July 2024. Based on analysis of 604 organizations across 17 countries and 16 industries between March 2023 and February 2024.
| Data Point | Value | Source | Publication | Year | URL / Reference |
|---|---|---|---|---|---|
| Global average cost of a data breach | $4.88M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| U.S. average cost of a data breach | $9.36M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Healthcare industry average breach cost (highest industry cost, 14th consecutive year) | $9.77M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Financial services industry average breach cost | $6.08M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Industrial / Manufacturing average breach cost | $5.56M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Technology industry average breach cost | $5.45M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Energy industry average breach cost | $4.72M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Professional services average breach cost | $4.70M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Pharmaceuticals industry average breach cost | $4.62M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Retail industry average breach cost | $3.91M | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Average cost per breached record (global) | $169 | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Average cost per breached healthcare record | $408 | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Mean time to identify a breach (MTTI) | 194 days | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Mean time to contain a breach (MTTC) | 64 days | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Breach lifecycle with security AI & automation (vs. 292 days without AI/automation) | 214 days | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Cost savings from having an incident response plan | $1.49M savings per breach | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Cost savings from security AI & automation | $1.76M savings per breach | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Probability of experiencing a breach (~14.7% annualized probability) | 27.7% over 2 years | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
HIPAA penalty tiers are adjusted annually for inflation per the Federal Civil Penalties Inflation Adjustment Act. Values below reflect the 2024 inflation-adjusted amounts published in the Federal Register by HHS Office for Civil Rights (OCR).

HIPAA Civil Monetary Penalties (2024 Inflation-Adjusted)

| Penalty Tier | Description | Min Per Violation | Max Per Violation | Annual Cap Per Category | Source | Reference |
|---|---|---|---|---|---|---|
| Tier 1 | Did not know (and would not have known) | $141 | $35,581 | $35,581 | HHS OCR | Federal Register annual adjustment; 45 CFR 160.404 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,424 | $71,162 | $71,162 | HHS OCR | Federal Register annual adjustment; 45 CFR 160.404 |
| Tier 3 | Willful neglect, corrected within 30 days | $14,232 | $355,808 | $355,808 | HHS OCR | Federal Register annual adjustment; 45 CFR 160.404 |
| Tier 4 | Willful neglect, not corrected | $71,162 | $2,134,831 | $2,134,831 | HHS OCR | Federal Register annual adjustment; 45 CFR 160.404 |

Other Regulatory Penalties

| Regulation / Standard | Penalty | Source | Reference |
|---|---|---|---|
| Texas HB 300 (health privacy; applies beyond HIPAA-covered entities) | Up to $250,000 per violation | TX Legislature | TX Health & Safety Code, Chapter 181 |
| Texas SB 2610 (effective September 1, 2025) | Eliminates punitive (exemplary) damages if compliant; affirmative defense for organizations demonstrating compliance with a recognized cybersecurity framework | TX Legislature | TX Business & Commerce Code, Chapter 542 |
| TX Breach Notification (notification timelines) | 60 days to individuals; 30 days to AG if 250+ TX residents | TX Legislature | TX Business & Commerce Code, Section 521.053 |
| PCI DSS non-compliance fines (monthly fines assessed by acquiring bank) | $5,000 – $100,000/month | PCI Security Standards Council | pcisecuritystandards.org |
| PCI card brand fines (per-incident penalty from card brands: Visa, Mastercard, etc.) | Up to $500,000 per incident | PCI Security Standards Council | pcisecuritystandards.org |
| NERC CIP violations (Critical Infrastructure Protection standards for electric utilities) | Up to $1,000,000 per violation per day | FERC | FERC enforcement; 16 USC 824o |
| TSA Pipeline Security Directives (SD-01, SD-02 series for pipeline operators) | Up to $85,000 per day per violation | TSA | TSA enforcement; 49 USC 114 |
| CMMC non-compliance (Cybersecurity Maturity Model Certification) | Loss of DoD contracts; contract value varies; False Claims Act liability | DoD | DFARS 252.204-7012; 32 CFR Part 170 |
| OSHA willful violation (2024 inflation-adjusted maximum) | Up to $161,323 per violation | OSHA | osha.gov/penalties |
Compliance Program Cost Estimates

Cost estimates are based on CyberPoint Advisory market analysis of Texas MSP/MSSP pricing and 50+ client engagements, 2024–2025. Ranges reflect SMB variability based on organization size, complexity, and existing maturity. These should be validated for your specific situation.

| Compliance Program | Scope / Size | Initial Implementation | Annual Ongoing | Notes |
|---|---|---|---|---|
| TX SB 2610 — Tier 1 | < 20 employees | $5K – $25K | $3K – $10K | Policy-focused; limited technical controls |
| TX SB 2610 — Tier 2 | 20–99 employees | $25K – $100K | $15K – $50K | Policy + technical implementation |
| TX SB 2610 — Tier 3 | 100–249 employees | $75K – $300K | $40K – $150K | Full program with dedicated resources |
| NIST CSF 2.0 | SMB | $50K – $200K | $25K – $75K | Framework adoption and gap assessment |
| CIS Controls IG1 | Small business / essential hygiene | $15K – $60K | $10K – $30K | 56 safeguards; foundational security |
| CIS Controls IG2 | Mid-size organization | $50K – $150K | $30K – $75K | 130 safeguards; enterprise-grade controls |
| ISO/IEC 27001:2022 | SMB | $75K – $300K | $30K – $100K | Plus $30K–$80K annual certification audit |
| SOC 2 Type II | SMB / SaaS | $50K – $200K | $30K – $100K | Plus $30K–$80K annual audit |
| HIPAA | Small practice (< 10 providers) | $4K – $12K | $2K – $5K | Risk assessment, policies, training |
| HIPAA | Community hospital | $75K – $250K | $40K – $120K | Full HIPAA Security Rule program |
| CMMC Level 1 | Self-assessment; 15 practices | $5K – $25K | $3K – $10K | Basic safeguarding of FCI |
| CMMC Level 2 | Third-party assessment; 110 practices | $155K – $420K | $75K – $170K | Protecting CUI; maps to NIST SP 800-171 |
| TSA SD-02D | Pipeline operator | $150K – $750K | $75K – $250K | OT security program; CIP plan |
| IEC 62443 | Industrial automation / OT | $100K – $500K | $50K – $150K | Zone/conduit architecture; SL assessment |
Downtime Cost Estimates by Industry

Industry estimates are compiled from IBM, Ponemon Institute, Dragos OT incident reports, and CyberPoint Advisory client data. Actual costs vary significantly based on organization size, revenue, and operational characteristics.

| Industry | Downtime Cost | Unit | Basis / Notes | Source |
|---|---|---|---|---|
| Healthcare (hospital) | $47,000 | per hour | Includes revenue loss, care diversion, regulatory exposure | Ponemon Institute, "Cost of Healthcare Data Breach" |
| Manufacturing (discrete) | $2K – $50K | per hour | Revenue loss + idle labor; depends on line throughput | Industry estimates; CyberPoint Advisory |
| Manufacturing (process/pharma) | $15K – $150K | per hour | Batch loss, restart/re-validation costs, spoilage | Industry estimates; CyberPoint Advisory |
| Oil & Gas (upstream) | $15K – $150K | per hour | Deferred production at current commodity prices | Industry estimates; CyberPoint Advisory |
| Oil & Gas (midstream pipeline) | $50K – $500K | per hour | Throughput fees, take-or-pay penalties, shipper claims | Industry estimates; CyberPoint Advisory |
| Oil & Gas (downstream refinery) | $200K – $1.5M | per hour | Crack spread margin loss, unplanned turnaround costs | Industry estimates; CyberPoint Advisory |
| Construction | $5K – $50K | per day | Idle crew costs + liquidated damages on delayed projects | Industry estimates; CyberPoint Advisory |
| Retail | Revenue-dependent | | Calculated as daily sales / operating hours; POS outage = direct revenue loss | Industry estimates |
Cyber Insurance Market Data

Cyber insurance market data is drawn from broker reports and carrier filings. Premium ranges are indicative and vary by carrier, industry vertical, and security posture.

Premium Ranges by Organization Size

| Organization Size | Revenue Range | Typical Annual Premium | Typical Coverage Limit | Source |
|---|---|---|---|---|
| Small business | < $10M revenue | $1,500 – $7,500 | $1M – $2M | Coalition, 2024 Cyber Claims Report |
| Mid-market | $10M – $100M revenue | $7,500 – $25,000 | $2M – $5M | Coalition, 2024 Cyber Claims Report |
| Upper mid-market | $100M – $500M revenue | $25,000 – $100,000 | $5M – $10M | Marsh McLennan, U.S. Cyber Insurance Market Report 2024 |

Market Trends & Requirements

| Data Point | Value | Source | Publication | Year | URL / Reference |
|---|---|---|---|---|---|
| Premium increase after a breach | 30–50% increase for 3 years | Marsh McLennan | U.S. Cyber Insurance Market Report 2024 | 2024 | marsh.com/en/services/cyber-risk |
| MFA requirement for coverage | Mandatory since 2022 for most carriers | Coalition | 2024 Cyber Claims Report | 2024 | coalitioninc.com/research/cyber-claims-report |
| EDR/MDR requirement for coverage | Increasingly required since 2023 | Coalition | 2024 Cyber Claims Report | 2024 | coalitioninc.com/research/cyber-claims-report |
| Insurance premium reduction with compliance program | 15–25% reduction | Marsh McLennan / Coalition | Market analysis, 2024 | 2024 | Broker reports and carrier underwriting guidelines |
| Claims frequency trend (SMB) | Increasing year-over-year; SMBs are disproportionately targeted relative to security investment | Coalition | 2024 Cyber Claims Report | 2024 | coalitioninc.com/research/cyber-claims-report |
Business Impact & ROI Data Points

These data points quantify the measurable business impact of cybersecurity investments. They are used in ROI calculations, executive briefings, and cost-benefit analyses across the platform.

| Data Point | Value | Source | Publication | Year | URL / Reference |
|---|---|---|---|---|---|
| Compliance reduces breach risk | 60–80% reduction | Forrester Research | Total Economic Impact of Compliance Automation | 2024 | forrester.com |
| Cost savings from tested incident response plan | $1.49M per breach | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Cost savings from security AI & automation | $1.76M per breach | IBM Security | Cost of a Data Breach Report 2024 | 2024 | ibm.com/reports/data-breach |
| Enterprises requiring vendor compliance certifications | 89% of enterprises | Gartner | Market Guide for IT GRC Platforms | 2024 | gartner.com |
| Sales conversion improvement from compliance certifications | 10–25% improvement | Forrester Research | Total Economic Impact of Compliance Automation | 2024 | forrester.com |
| Insurance premium reduction with compliance program | 15–25% reduction | Marsh McLennan / Coalition | U.S. Cyber Insurance Market Report 2024; 2024 Cyber Claims Report | 2024 | marsh.com/en/services/cyber-risk |
Framework Reference Metadata

Authoritative framework metadata used for tool mappings, control counts, and cross-referencing across the platform. Version numbers and control counts reflect the latest published editions as of April 2026.

| Framework | Publisher | Current Version | Safeguard / Control Count | URL / Reference |
|---|---|---|---|---|
| NIST Cybersecurity Framework (CSF) 2.0 | NIST | Feb 2024 | 6 Functions, 23 Categories, 106 Subcategories | nist.gov/cyberframework |
| CIS Controls v8.1 | Center for Internet Security | 2024 | IG1: 56 safeguards, IG2: 130 safeguards, IG3: 153 safeguards | cisecurity.org/controls |
| ISO/IEC 27001:2022 | ISO / IEC | 2022 | 93 Annex A controls (4 themes: organizational, people, physical, technological) | iso.org/standard/27001 |
| NIST SP 800-171 Rev 2 | NIST | Feb 2020 | 110 security requirements (14 families) | csrc.nist.gov |
| NIST SP 800-53 Rev 5 | NIST | Sep 2020 | 1,000+ controls (20 families) | csrc.nist.gov |
| NIST SP 800-61 Rev 2 | NIST | Aug 2012 | Computer security incident handling guide | csrc.nist.gov |
| NIST SP 800-82 Rev 3 | NIST | Sep 2023 | Guide to Operational Technology (OT) security | csrc.nist.gov |
| PCI DSS v4.0.1 | PCI Security Standards Council | Jun 2024 | 12 requirements, ~250 sub-requirements | pcisecuritystandards.org |
| HIPAA Security Rule | HHS | 45 CFR Part 164 | 18 standards (administrative, physical, technical safeguards) | hhs.gov/hipaa |
| IEC 62443 | ISA / IEC | 2018–2024 | Multi-part series: general, policies, system, component security levels | isa.org/standards |
| CMMC 2.0 | U.S. Department of Defense | 32 CFR Part 170 | Level 1: 15 practices, Level 2: 110 practices, Level 3: 110+ practices | dodcio.defense.gov/CMMC |