Cyber Liability and the Case for Defensive Diligence

Cyber risk doesn’t stop at the breach. Litigation, fines, and settlements define its true cost, and how well the risk was managed comes under scrutiny.
Cybersecurity incidents are often framed as operational or technological failures, and many of them are. Increasingly, however, the most consequential dimension of cyber risk is liability and the downstream costs of litigation, regulatory enforcement actions, and class-action settlements. For boards and executives, the financial and governance implications of data breaches extend well beyond incident response and recovery, reaching into fiduciary duty, disclosure obligations, and long-term shareholder value.
Research in IBM’s Cost of a Data Breach Report 2025 underscores this shift: legal and regulatory exposure is becoming a primary driver of total loss, particularly in large-scale incidents involving personal data, even as organizations make progress in reducing certain operational costs of breaches.
The Rising Cost of Data Breach Liability
IBM’s research shows that the global average cost of a data breach in 2025 was $4.44 million, with U.S. organizations facing a much higher average of $10.22 million per breach. This difference is largely attributed to regulatory penalties, litigation risk, and higher settlement costs in the U.S. environment.
But average costs don’t tell the whole story. For large U.S. publicly traded firms, the cost of major incidents can be much higher, and a relatively small number of high-severity incidents account for a disproportionate share of total liability.
A review of recent high-profile cases illustrates how cyber incidents can escalate into multibillion-dollar events:
- Equifax (2017 breach): ≥$700 million settlement, with total costs exceeding $1.4 billion
- T-Mobile (2021 breach): $350 million class-action settlement + $150 million remediation commitment
- UnitedHealth Group (2024 breach): $3.1 billion total costs, including business interruption, system rebuild, and legal, regulatory, and notification costs
Class action litigation is becoming routine for larger-scale cyber incidents. According to the law firm Duane Morris, LLP, the number of breach-related lawsuits filed annually in the U.S. now numbers in the thousands. When costs are measured in hundreds of millions or billions of dollars, they not only hit the current period’s P&L but also impede the investment required for future earnings. This affects longer-term shareholder value and stock prices. (For more information on share price impacts, see our recent study Discerning Cyber Risk: The Sustained Negative Impacts of Cyber Incidents on Shareholder Value.)
Taken together, these trends signal that cyber incidents are no longer episodic operational disruptions—they can be enterprise-threatening legal events.
Defensive Diligence: A Framework for Proactive Liability Management
Against this backdrop, the concept of defensive diligence shows why it’s necessary to reframe cyber risk strategy to prepare for the worst of the worst-case scenarios. We define defensive diligence as the proactive and sustained management of liability risk, enabling organizations to implement appropriate safeguards while positioning themselves to defend against claims of negligence in the event of a significant incident.
This approach is particularly powerful because it bridges the gap between operational cybersecurity (controls, detection, response), and legal defensibility (evidence of deliberate, reasonable care and oversight). It provides a means of avoiding the existential threat of the rare but real worst-case outcomes.
Building and maintaining a defensive diligence posture typically includes:
- Proactive Cyber Risk Assessment: Quantifying and contextualizing cyber risk in terms of the potential impacts to the company and its stakeholders (customers, employees, shareholders, and the wider public), enabling boards to understand exposure and determine an appropriate enterprise risk tolerance.
- Monitoring of Relative Risk and Peer Benchmarking: Continuous assessment of security risk relative to peers helps boards and leadership teams demonstrate ongoing diligence, ensuring that controls remain aligned with “reasonable” standards – and that an appropriate standard of care that considers all potential stakeholder impacts was deliberately established and actively maintained.
- Governance and Documentation: Establishing clear policies, oversight mechanisms, and audit trails that demonstrate active and systematic board and management engagement, focused decision making, continuous improvement and/or maintenance of standards, and ongoing cyber risk oversight.
Crucially, defensive diligence is not about eliminating risk—an impossible task—but about managing risk in a way that is documented, demonstrably reasonable, statistically defensible, aligned with the established standard of care, and continuously maintained. And it’s about putting the firm in a position where it can show how this standard of care was established, monitored, and maintained.
Where Cyber Risk Ultimately Lands: Governance and Liability
Cyber incidents will continue to occur, regardless of investment in security technologies. Even the most well-managed firms with the largest security budgets can fall victim. The differentiator, particularly in large-scale breaches, is no longer whether an incident happens, but how the organization is perceived to have managed its risk before, during, and after the event. Preserving shareholder value – perhaps even preserving the company itself – depends on the organization’s ability to defend itself against debilitating fines and settlements.
The growing weight of fines, settlements, and litigation makes it clear that cyber risk is, at its core, a liability management challenge that is linked directly to a firm’s understanding of its risk position and its establishment and maintenance of a reasonable standard of care.
Adopting a defensive diligence posture offers a path forward: one that aligns cybersecurity with governance, legal defensibility, and long-term enterprise resilience. In an environment where billion-dollar costs are not unthinkable, this shift is not optional, but essential.