Monday morning, 6:14 AM. Production won't start. The OEM customer is waiting.
An automotive supplier with 1,400 employees, three plants, and annual revenue of €380 million. A just-in-time supplier for two Tier-1 customers, who in turn supply directly to two German car manufacturers. The supply chain is tightly synchronised: an 18-hour buffer, then the OEM's line runs empty.
The cause: a ransomware attack, initiated three weeks earlier when a service technician performed maintenance with a prepared laptop and quietly left a backdoor on the network. Monday morning, 6:14 AM: all Windows systems encrypted. ERP offline. MES offline. The CNC machines are running, but without production orders. Nobody knows what to manufacture.
At 7:30 AM, the Tier-1 customer's procurement manager calls. At 9:00 AM, the delivery failure is officially reported. By 11:00 AM, the Tier-1 customer has already begun contacting alternative suppliers. Not out of bad faith — their line runs empty at 2:00 PM and they have no choice.
The real damage from a breach does not occur at the moment of the attack. It accumulates in the hours and days that follow — in every production stoppage, every departing customer, every regulatory fine, every forensics day rate. The bill always arrives. The only questions are when and how large.
What a breach actually costs: the complete bill
The most common mistake in post-incident analyses: organisations count what they can see — ransom, IT forensics, overtime. What they miss: opportunity costs, reputational damage, regulatory consequences, and silent customer attrition that only shows up in the P&L months later. A complete damage picture has four time phases.
| Cost item | Typical range |
|---|---|
| IR retainer / emergency team activation | €15–80k |
| Forensics provider (day rate) | €3–8k per day |
| Legal counsel (data protection, criminal) | €5–25k |
| Production downtime | €50–500k per shift |
| Emergency hardware (laptops, servers) | €20–150k |
| Overtime / internal crisis team | €10–40k |
| Infrastructure rebuild (servers, AD) | €80–400k |
| Data migration / validation | €20–100k |
| Licences, backup systems, cloud | €15–60k |
| Catching up on production backlog | variable |
| Ransom payment (if paid) | €50k–5M |
| External IT consultants / MSP | €30–200k |
| GDPR fine | up to €20M or 4% of global annual turnover, whichever is higher |
| NIS2 sanctions (from 2025) | up to €10M or 2% of global annual turnover |
| Damages claims from clients/partners | variable |
| Cyber insurance premium increase | +30–200% |
| Increased security investment | €100–500k |
| Reputational damage / PR costs | €50–300k |
Ransom is in most cases not the largest cost factor — it is the most visible one. Production downtime, customer attrition, and regulatory consequences regularly exceed the ransom payment by a factor of two to five.
The automotive supplier: 7 days that change everything
Back to our supplier — not as a unique case, but as a calculation model. The figures are calibrated using real benchmarks from the manufacturing sector for a company with ~€400M annual revenue. No single incident will match this profile exactly — but the order of magnitude is representative of the German mid-market.
Even that conservative scenario, one week of downtime at more than four million euros all told, assumes no ransom, no product liability claim and no lasting reputational damage of the kind that shows up as declining new-customer rates over years. IBM puts the global average cost of a breach across all industries at $4.88 million (2024). For manufacturing companies with just-in-time supply chains, the figure is significantly higher, because every hour of downtime propagates to the customer's line.
The invisible damage: customer attrition through loss of trust
The hardest cost factor to quantify is not a line item — it is a behaviour. Customers who quietly reduce their business after a security incident. Partners who prefer a different supplier at the next tender. Decision-makers who communicate internally: "They had that outage last year."
In automotive supplier logic, this is particularly brutal: an OEM customer who has experienced one delivery failure will apply especially critical scrutiny in their risk assessment the next time. Dependence on a single-source supplier that has failed once is recorded internally as a risk — and weighted differently at the next contract award.
A one-week delivery failure does not cost one week of revenue. It potentially costs years of follow-on contracts — because the customer has learned that this supplier is a risk. That cost does not appear on the balance sheet. It appears in procurement decisions over the next three years.
Regulatory costs: what NIS2 and GDPR make of an incident
Since NIS2 (December 2025) and the KRITIS-Dachgesetz (January 2026), the regulatory risk landscape has shifted substantially. For affected organisations:
| Regulation | Reporting obligation | Maximum penalty | Personal liability |
|---|---|---|---|
| GDPR | 72 hours to supervisory authority | €20M or 4% of global annual turnover, whichever is higher | No (corporate liability) |
| NIS2 | 24h early warning, 72h incident notification, final report within one month | €10M or 2% of global annual turnover (essential entities) | Yes, management bodies personally |
| KRITIS-Dachgesetz | Immediate notification to BSI | Up to €20M | Yes, explicitly regulated |
| Cyber Resilience Act | Reporting obligations from September 2026, full application from December 2027 for product manufacturers | €15M or 2.5% of global annual turnover | Product liability possible |
What is new about NIS2 and the KRITIS-Dachgesetz is not the penalty level. It is the personal liability of the management body: managing directors and board members must approve and oversee the risk management measures and can be held liable if they demonstrably failed to implement adequate ones (a CISO without a management mandate is not the addressee, but will be the first person asked what was recommended and when). That fundamentally changes the risk equation: a breach is no longer just a corporate risk. It is a personal one.
What a pentest costs vs. what a breach costs
The question every CISO must answer to their board: why are we investing in security testing? The answer is not philosophical — it is arithmetic.
Pentest cost versus breach cost is not 1:1. Set a single test against the cost ranges above and the ratio lands between 1:20 and 1:200, depending on how long the outage runs. No CFO would decline an insurance policy whose premium is 0.5% of the potential loss. A pentest is exactly that kind of premium, except that it does not pay an insurer: it closes the vulnerability before it is exploited.
The only number a board needs for this decision: what does a seven-day outage cost us? If the answer exceeds the cost of a pentest by an order of magnitude or more, the decision has been made.
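The arithmetic the board is being asked to do, written out as an added example (this is not a calculator from the page or from any vendor). The EUR ranges are the line items from the cost table above; everything else is an assumption for illustration: three shifts per day, a seven-day outage, a €60k pentest budget, and the rule for how each item scales (one-off, per day, or per shift). Items the page leaves as "variable" (production backlog, damages claims) and the revenue-based fines are omitted, so the totals are a floor, not the full bill. The `largest_item` check also tests the earlier claim that ransom is rarely the biggest line.

```python
"""Seven-day outage cost model built from the cost ranges on this page.

Added illustration, not the page's own calculator. EUR ranges are the
page's line items; shifts per day, outage length, pentest budget and the
per-item scaling rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CostItem:
    name: str
    low: int                # EUR, lower end of the page's range
    high: int               # EUR, upper end of the page's range
    scale: str = "once"     # "once", "per_day" or "per_shift" (assumption)


# Ranges from the page's table; the scaling rule per item is an assumption.
PAGE_ITEMS = (
    CostItem("IR retainer / emergency team", 15_000, 80_000),
    CostItem("Forensics provider", 3_000, 8_000, "per_day"),
    CostItem("Legal counsel", 5_000, 25_000),
    CostItem("Production downtime", 50_000, 500_000, "per_shift"),
    CostItem("Emergency hardware", 20_000, 150_000),
    CostItem("Overtime / crisis team", 10_000, 40_000),
    CostItem("Infrastructure rebuild", 80_000, 400_000),
    CostItem("Data migration / validation", 20_000, 100_000),
    CostItem("Licences, backup, cloud", 15_000, 60_000),
    CostItem("External consultants / MSP", 30_000, 200_000),
    CostItem("Increased security investment", 100_000, 500_000),
    CostItem("Reputational damage / PR", 50_000, 300_000),
)
# Optional line, included only when the scenario pays.
RANSOM = CostItem("Ransom payment", 50_000, 5_000_000)


def multiplier(item: CostItem, days: int, shifts_per_day: int) -> int:
    """How many times the item's range is incurred over the outage."""
    if item.scale == "per_day":
        return days
    if item.scale == "per_shift":
        return days * shifts_per_day
    return 1


def cost_breakdown(days: int, shifts_per_day: int, pay_ransom: bool = False,
                   items=PAGE_ITEMS) -> dict[str, tuple[int, int]]:
    """Return {item name: (low, high)} in EUR for the given outage."""
    chosen = list(items) + ([RANSOM] if pay_ransom else [])
    return {
        it.name: (it.low * multiplier(it, days, shifts_per_day),
                  it.high * multiplier(it, days, shifts_per_day))
        for it in chosen
    }


def outage_total(days: int, shifts_per_day: int,
                 pay_ransom: bool = False) -> tuple[int, int]:
    """Sum the breakdown into a (low, high) total in EUR."""
    bd = cost_breakdown(days, shifts_per_day, pay_ransom)
    return sum(v[0] for v in bd.values()), sum(v[1] for v in bd.values())


def largest_item(days: int, shifts_per_day: int, pay_ransom: bool = False) -> str:
    """Name of the line item with the largest high-end cost."""
    bd = cost_breakdown(days, shifts_per_day, pay_ransom)
    return max(bd, key=lambda k: bd[k][1])


def pentest_to_breach_ratio(pentest_cost: int, days: int,
                            shifts_per_day: int) -> tuple[float, float]:
    """(low, high) multiple of the pentest budget that the outage would cost."""
    low, high = outage_total(days, shifts_per_day)
    return low / pentest_cost, high / pentest_cost


if __name__ == "__main__":
    DAYS, SHIFTS, PENTEST = 7, 3, 60_000   # assumptions, not page figures
    for name, (lo, hi) in cost_breakdown(DAYS, SHIFTS, pay_ransom=True).items():
        print(f"{name:32s} EUR {lo:>12,} .. {hi:>12,}")
    low, high = outage_total(DAYS, SHIFTS)
    print(f"7-day outage, no ransom:  EUR {low:,} .. {high:,}")
    print("largest line item (ransom paid):", largest_item(DAYS, SHIFTS, pay_ransom=True))
    r_lo, r_hi = pentest_to_breach_ratio(PENTEST, DAYS, SHIFTS)
    print(f"pentest : breach = 1:{r_lo:.0f} .. 1:{r_hi:.0f}")
```

Swap in your own shift count, per-shift downtime cost and pentest quote; the structure matters more than the defaults. Note that production downtime is the only item that scales with every shift, which is why it dominates even a five-million-euro ransom in the seven-day scenario.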
What cyber insurers say
Cyber insurance premiums have increased by an average of 40–80% over the past three years — while exclusion criteria have tightened simultaneously. An increasing number of policies exclude damages attributable to demonstrably known and unresolved vulnerabilities. A pentest report documenting a vulnerability that was identified three months before a breach and not remediated is not protection — it is a liability argument for the insurer.
At the same time, several major cyber insurers (including Munich Re, Allianz, and AXA XL) now offer premium reductions for organisations that can demonstrate regular penetration testing. The test pays off twice: as risk prevention and as an insurance argument.
Which measures demonstrably reduce breach costs
IBM's annual Cost of a Data Breach Report analyses not just damage totals but also factors that significantly reduce costs. For decision-makers, these are the most relevant figures — because they show which investments deliver the largest measurable return.
- IR plan with regular exercises: IBM's figures put the saving for organisations with a tested incident response plan at around $1.5M per breach. A plan that has never been rehearsed is not a plan; it is a document. The exercise should include the OT side (who releases production orders when the MES is down?), not only the IT team.
- Network segmentation: Dramatically reduces the propagation speed of ransomware. One encrypted segment is an incident. An encrypted network is a catastrophe. Segmentation halves average containment time.
- Employee awareness training: 74% of all breaches involve a human element (Verizon DBIR 2023). Phishing simulations and security awareness programmes demonstrably reduce phishing click rates by 60–80%.
- MFA for all privileged access: The fastest and cheapest individual protection against credential-based attacks. Cost: near zero. Protection: removes the majority of account-based initial access vectors. The caveat: push-based and SMS factors are routinely bypassed by adversary-in-the-middle phishing kits and push fatigue, so privileged and remote access should use phishing-resistant factors (FIDO2 security keys or certificate-based authentication).
- Regular penetration tests (physical + IT): Find vulnerabilities before attackers do. Every critical vulnerability found in a pentest and remediated is a potential breach cause that has been eliminated. The value is not in the report — it is in what does not happen afterwards.
- Backup strategy with air gap: Functional, isolated backups turn a ransomware attack from a catastrophe into a manageable incident. The 3-2-1-1 rule (3 copies, 2 media types, 1 offsite, 1 offline or immutable) is no longer best practice; it is the minimum. A backup that has never been restored end to end, including Active Directory and the MES, does not count.
- Physical access control for IT infrastructure: A service technician with physical access to a network cabinet is more dangerous than most remote exploits. Physical security is the first layer, not the last. Visitor management, access control, and rogue device protection (port security or 802.1X on the switch ports a visitor can reach, and alerting on new devices) belong in the same risk assessment as firewalls and EDR.
Conclusion: the most expensive security investment is the one you make after the breach
A breach is not a natural disaster. It is the result of a chain of decisions — usually non-decisions: no pentest commissioned, no IR plan rehearsed, no backup isolated, no service technician access controlled. Each of those non-decisions has a price. It just is not invoiced in advance.
For the automotive supplier, one week of production downtime meant more than four million euros — directly and indirectly, visibly and silently. For a logistics company, a hospital, an energy supplier, the numbers look different — but the structure is the same. Production downtime, customer attrition, forensics, regulatory consequences, reputation.
The decision for preventive security investment is not a technical one. It is a business decision. And like any business decision, it can be justified with numbers. The numbers are above.
Further reading: how an attacker gains physical access is covered in the series on visitor management, remote recon, and rogue devices. Why an ISO certificate does not guarantee protection is explained in the post on ISO 27001 vs. physical pentest.
What does a seven-day outage cost your organisation?
We help you calculate that number — and then close the vulnerabilities before they become the cause. Free initial consultation, no commitment.
Request a Risk Assessment →