What a Data Breach Costs: The Verified 2026 Numbers

The average data breach costs $4.44 million globally and a record $10.22 million in the United States, per IBM’s Cost of a Data Breach Report 2025 — the latest edition as of July 2026. Verizon’s DBIR 2026 puts ransomware in 48% of breaches with a median ransom payment of $139,875, the FBI logged $20.9 billion in reported cybercrime losses for 2025, and for small businesses the sharpest verified finding is that in extreme cases a breach costs more than 7% of annual revenue.

The headline numbers, edition-labelled

Breach-cost statistics get misquoted constantly — many sites cite "2026" figures that are actually recycled from older editions. Every number below names its exact source edition. The IBM Cost of a Data Breach Report 2025 is the most recent IBM edition available as of July 2026.

| Metric | Figure | Source edition |
|---|---|---|
| Global average cost of a data breach | $4.44 million (first decline in five years, down 9%) | IBM Cost of a Data Breach 2025 |
| United States average | $10.22 million — an all-time regional high, driven partly by higher regulatory fines | IBM Cost of a Data Breach 2025 |
| Most expensive industry | Healthcare, $7.42 million (highest for the 14th straight year) | IBM Cost of a Data Breach 2025 |
| Mean time to identify and contain | 241 days — a nine-year low | IBM Cost of a Data Breach 2025 |
| Breaches involving the human element | 62% | Verizon DBIR 2026 |
| Breaches involving ransomware | 48% | Verizon DBIR 2026 |
| Reported US cybercrime losses, 2025 | $20.9 billion across 1,008,597 complaints (both records) | FBI IC3 2025 Annual Report |
| US data compromises, 2025 | 3,322 — an all-time record | ITRC 2025 Annual Data Breach Report |

Sources: IBM Cost of a Data Breach Report 2025 (ibm.com/reports/data-breach); Verizon Data Breach Investigations Report 2026 (verizon.com/dbir); FBI Internet Crime Complaint Center 2025 Annual Report (ic3.gov); Identity Theft Resource Center 2025 Annual Data Breach Report (idtheftcenter.org). Verified July 4, 2026.

What it costs a small business

There is no credible single "average breach cost for a small business" — most numbers offered for that phrase are unsourced. What the primary data does show:

  • Verizon’s DBIR 2026 confirmed 7,152 breaches at small and mid-size organizations in one year — essentially all financially motivated, with vulnerability exploitation (26%), stolen credentials (13%) and phishing (9%) as the top entry points, and a third party involved in 55% of them.
  • Verizon’s companion 2026 Breach Impact Study, built on roughly 70,000 cyber-insurance claims, found that in extreme cases (the worst 2.5%), a breach cost a small business more than 7% of its annual revenue.
  • The FBI’s 2025 average reported loss per cybercrime complaint was $20,699; business email compromise alone cost US organizations $3.05 billion across 24,768 complaints.
  • Verizon’s own framing: ransomware disproportionately targets small businesses, which face the same threats with fewer resources to counter them.

The ransomware numbers

Per Verizon DBIR 2026: ransomware appeared in 48% of all breaches (up from 44%), the median ransom payment was $139,875, and 69% of victims paid nothing at all. IBM’s 2025 report similarly found 63% of ransomware victims refused to pay.

Sophos’s State of Ransomware 2025 survey (a vendor survey of 3,400 organizations that were hit — treat as directional, not census data) put the average ransom payment at $1.0 million and average recovery costs excluding any ransom at $1.53 million, both roughly half the prior year’s figures.

Where compliance shows up in the cost

IBM’s 2025 report analyzes factors that raise or lower breach costs in isolation: noncompliance with regulations was a cost-amplifying factor adding $173,692 to the average breach, while extensive use of security AI and automation was associated with costs $1.9 million lower and a breach lifecycle 80 days shorter. The report also names higher regulatory fines as one driver of the record US average.

The honest read for a small organization: a documented, operated security program does not prevent every breach, but the enforcement math compounds — a breach at an organization that never did its risk assessment or documented its controls invites the regulatory penalties on top of the incident costs. The documentation layer (risk registers, security policies, incident-response and breach-notification procedures) is the cheapest part of that program to get right, and it is exactly what regulators and auditors ask to see first.

Frequently asked questions

What is the average cost of a data breach in 2026?
The most recent verified figure is $4.44 million globally, from IBM’s Cost of a Data Breach Report 2025 — the latest edition as of July 2026 (the 2026 edition had not yet been published). The US average is $10.22 million, an all-time regional high. Figures quoted online as "2026 IBM numbers" are usually recycled from the 2024 edition.

How much does a data breach cost a small business?
No credible single average exists for small businesses specifically. The best verified data points: Verizon’s 2026 Breach Impact Study (~70,000 insurance claims) found extreme cases cost a small business more than 7% of annual revenue, and the FBI’s 2025 average reported loss per cybercrime complaint was $20,699. Verizon confirmed 7,152 small-business breaches in a single year.

What is the average ransomware payment?
The median ransom payment was $139,875 per Verizon’s DBIR 2026, and 69% of victims refused to pay entirely. Sophos’s 2025 vendor survey put the average payment at $1.0 million with average recovery costs of $1.53 million excluding the ransom — averages skew far above the median because of a small number of very large payments.

How long does it take to detect a data breach?
An average of 241 days to identify and contain, per IBM’s Cost of a Data Breach Report 2025 — 181 days to identify plus 60 to contain. That is a nine-year low, and organizations making extensive use of security AI and automation shortened the lifecycle by a further 80 days on average.

Does compliance reduce the cost of a breach?
IBM’s 2025 report found noncompliance with regulations added $173,692 to the average breach cost as an isolated factor, and cited higher regulatory fines as a driver of the record $10.22 million US average. Compliance does not prevent breaches, but documented, operated controls reduce both the incident cost and the regulatory exposure that follows it.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.