IBM’s 20th annual Cost of a Data Breach Report, based on research independently compiled by the Ponemon Institute and released in 2025, found the global average cost of a data breach fell to $4.44 million, down 9% from $4.88 million the year before, the first decline in five years. The United States moved in the opposite direction entirely: the average breach cost for US organizations rose to a record $10.22 million, up 9% year-over-year and the highest figure ever recorded for any country or region in the report’s history.
This is not a minor statistical wobble. A US breach now costs, on average, roughly 2.3 times the global average. This article explains what is driving that specific divergence, which other countries are bucking the global decline alongside the US, and what the report’s broader findings reveal about where breach costs actually come from.
What Is Actually Driving the US-Specific Increase
IBM’s own analysis attributes the US increase specifically to higher regulatory fines combined with higher detection and escalation costs. Troy Bettencourt, global partner and head of IBM X-Force, stated that this widening gap helps explain why US organizations continue to face the highest breach costs globally, further compounded by more organizations in the US reporting steeper regulatory fines.
Beyond the headline regulatory-fine figure, analyses of the report’s findings commonly cite several structural factors that compound the US increase:
- Fragmented notification law landscape: the US has data breach notification requirements that vary by state, meaning a breach affecting customers across multiple states can trigger separate compliance and notification obligations under each state’s specific law, rather than a single unified national framework.
- Higher litigation exposure: class action lawsuits following data breaches are comparatively more common and more costly to resolve in the US legal environment than in most other countries covered by the report.
- A more developed cyber insurance market with higher coverage limits: this can work in either direction, sometimes accelerating remediation spending precisely because higher coverage limits make more extensive (and expensive) response efforts financially viable.
- Higher incident response labor costs: US-based incident response, forensics, and legal teams generally command higher rates than equivalent teams in most other markets covered by the report.
Slower detection in the US specifically is the other half of IBM’s stated driver. Globally, the mean time to identify and contain a breach fell to 241 days in 2025, the lowest in nine years, driven substantially by AI-assisted detection and response. The US figure moving against this global improvement suggests the detection speed gains driving the global average down were not evenly distributed, and may have been offset in the US specifically by the added complexity of multi-jurisdictional regulatory response running in parallel with technical containment.
This Is a Pattern, Not Just a US Story
The US was not alone in bucking the global decline. The report specifically names Canada and India as also showing rising breach costs in 2025, even as the global average fell. Conversely, Germany, Italy, and South Korea are specifically named as countries that saw costs fall significantly.
Beyond country-specific figures, regional averages from the same report show Middle East organizations averaging $7.29 million per breach and Benelux organizations averaging $6.24 million, both well above the global average but below the US figure, illustrating that elevated breach costs are not a uniquely American phenomenon even though the US sits at the extreme end of the distribution.
The countries seeing cost increases (US, Canada, India) do not share an obvious single common factor like geography or economic development level. What they may share, though the available reporting does not establish this definitively, is some combination of complex multi-jurisdictional regulatory environments, growing data protection enforcement activity, and litigation exposure, three factors IBM’s own analysis points to specifically for the US case. Without country-specific driver breakdowns for Canada and India in the available reporting, this remains a pattern worth flagging rather than a fully explained causal claim.
Industry Breakdown: Healthcare Still Highest, But Falling
| Industry | 2025 average breach cost | Notable detail |
| --- | --- | --- |
| Healthcare | $7.42 million | Highest of any industry for the 14th consecutive year, despite a 24% year-over-year decrease from $9.77 million; longest average detection and containment time at 279 days |
| Financial services | $5.56 million | Second-highest industry cost |
| Industrial | $5.00 million | Third-highest |
| Energy | $4.83 million | Fourth-highest |
| Technology | $4.79 million | Fifth-highest |
| Pharmaceuticals | $4.61 million | Slightly above the global all-industry average of $4.44 million, and the closest to it of the industries listed here |
Several industries bucked the broader global cost decline specifically: entertainment, media, hospitality, education, research, retail, and the public sector all reported year-over-year cost increases in 2025 even as most industries overall saw costs fall.
The AI Dual-Impact Finding
One of the report’s most distinctive 2025 findings is that AI is simultaneously helping defenders and helping attackers, and the report quantifies both sides. Organizations using AI tools extensively in their security operations cut their breach lifecycle by 80 days and saved nearly $1.9 million on average compared to organizations not using AI extensively, which is the primary driver behind the global cost decline and the nine-year-low 241-day average detection and containment time.
At the same time, attackers used AI in 16% of breaches, primarily to power more convincing phishing campaigns and generate deepfakes for social engineering. Separately, shadow AI, meaning unauthorized AI tools running inside organizations without formal security oversight or governance, played a role in 20% of breaches. Among organizations that experienced an AI-related security incident, 97% lacked proper AI access controls, and 63% had no formal AI governance policy in place at all.
Phishing overtook stolen credentials as the most common initial attack vector in the 2025 report, responsible for 16% of breaches, at an average cost of $4.8 million per phishing-initiated breach. Supply chain compromise, while less frequent, was both expensive ($4.91 million average) and the slowest to resolve, taking 267 days on average, longer than any other attack vector category in the report.
What Gets Stolen and What It’s Worth
Customer personally identifiable information was the most frequently compromised data type, involved in 53% of breaches, by far the most common category. Intellectual property, while stolen far less often than customer PII, was the single most expensive data type to lose on a per-record basis, at $178 per record, reflecting the comparatively unbounded and strategic value attackers and victim organizations alike place on proprietary or trade-secret information compared to standardized personal data fields.
Where This Connects to Certificate and Encryption Security Specifically
It is worth being precise about what this report does and does not measure. IBM’s Cost of a Data Breach Report covers the full financial impact of a breach response: detection, containment, notification, regulatory fines, legal costs, customer churn, and remediation, across breaches caused by any root cause, not specifically certificate or encryption failures. Most of the cost drivers detailed in this report (regulatory fines, litigation, multi-state notification compliance) are downstream consequences that apply regardless of whether the initial technical cause was a phishing attack, a misconfigured cloud bucket, an unpatched vulnerability, or a certificate-related lapse.
That said, certificate and encryption-related failures are one specific, well-documented category of root cause that intersects directly with this report’s broader themes, particularly detection time. An expired or improperly monitored SSL certificate on an internal monitoring device contributed to extending detection time during unauthorized access in at least one widely documented historical breach, and any organization with gaps in certificate inventory or monitoring carries a structural detection-time risk comparable in kind, if smaller in typical scale, to the broader detection and containment delays this report identifies as a major cost driver across all breach types.
Organizations evaluating where to invest limited security budget in light of this report’s findings should weigh detection speed improvements heavily: the report’s own data shows extensive AI-assisted detection tooling cut the breach lifecycle by 80 days and saved nearly $1.9 million on average, the single largest quantified lever in the entire report. Certificate lifecycle monitoring, which directly affects whether security teams have visibility into one specific category of infrastructure failure, is a comparatively low-cost piece of that broader detection-speed investment.
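The certificate lifecycle monitoring the preceding paragraphs describe, as an added Go example that is not part of the report or any vendor's product: it mints a few throwaway self-signed certificates (hypothetical hostnames, constructed validity windows, one of them a lapsed internal monitoring appliance of the kind the text mentions) so the program runs offline, then audits them against a 30-day warning / 14-day critical policy and orders the findings most urgent first. The severity tiers, thresholds and hostnames are assumptions; a production monitor would feed `Audit` with certificates pulled from real hosts, files or a key store rather than from `selfSigned`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Severity of an expiry finding; a higher value is more urgent.
type Severity int

const (
	OK       Severity = iota
	Warning           // NotAfter inside the warning window
	Critical          // NotAfter inside the critical window
	Expired           // NotAfter already in the past
)

func (s Severity) String() string { return [...]string{"OK", "WARNING", "CRITICAL", "EXPIRED"}[s] }

// Policy holds the assumed day thresholds for the Warning and Critical tiers.
type Policy struct{ WarningDays, CriticalDays int }

// Finding is one row of the expiry report for one inventory entry.
type Finding struct {
	Name     string // inventory label (hypothetical hostnames in this example)
	DaysLeft int    // complete days until NotAfter; negative once expired
	Severity Severity
}

// Classify rates one parsed certificate against the policy as of time now.
func Classify(name string, cert *x509.Certificate, now time.Time, p Policy) Finding {
	days := int(cert.NotAfter.Sub(now) / (24 * time.Hour))
	sev := OK
	switch {
	case now.After(cert.NotAfter):
		sev = Expired
	case days < p.CriticalDays:
		sev = Critical
	case days < p.WarningDays:
		sev = Warning
	}
	return Finding{Name: name, DaysLeft: days, Severity: sev}
}

// Audit classifies the whole inventory and orders the findings most urgent first,
// so a lapsed certificate cannot hide below a long list of healthy ones.
func Audit(inv map[string]*x509.Certificate, now time.Time, p Policy) []Finding {
	out := make([]Finding, 0, len(inv))
	for name, cert := range inv {
		out = append(out, Classify(name, cert, now, p))
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Severity != out[j].Severity {
			return out[i].Severity > out[j].Severity
		}
		return out[i].DaysLeft < out[j].DaysLeft
	})
	return out
}

// selfSigned mints a throwaway self-signed certificate so the example runs offline.
func selfSigned(name string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	day := 24 * time.Hour
	// Constructed inventory with hypothetical hostnames; offsets are relative to now.
	offsets := map[string]time.Duration{
		"monitoring-appliance.internal.example": -3 * day, // lapsed and unnoticed
		"api.example.com": 10 * day, "mail.example.com": 20 * day, "www.example.com": 200 * day,
	}
	inv := map[string]*x509.Certificate{}
	for name, d := range offsets {
		cert, err := selfSigned(name, now.Add(d-365*day), now.Add(d))
		if err != nil {
			panic(err)
		}
		inv[name] = cert
	}
	for _, f := range Audit(inv, now, Policy{WarningDays: 30, CriticalDays: 14}) {
		fmt.Printf("%-8v %-40s %4d days left\n", f.Severity, f.Name, f.DaysLeft)
	}
}
```

`go run` prints four lines with the expired monitoring appliance at the top. The sort order is the design point: an inventory of thousands of certificates is only useful as a detection aid if the entries that can silently blind a monitoring device are the first thing on the page, and the `Expired` check uses `now.After(cert.NotAfter)` rather than the day count so a certificate that lapsed an hour ago is already flagged.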
Frequently Asked Questions
Does the $10.22 million US figure represent the cost of any single breach, or an average?
It is an average across the US organizations in the Ponemon Institute’s research sample for the 2025 report, not the cost of any single incident. Individual breach costs within the sample vary enormously with organization size, industry, the type of data compromised, and response speed. The $10.22 million figure is the statistical mean across the US portion of the studied population, calculated with the same methodology IBM and Ponemon have applied across multiple years of the report, which is why the year-over-year comparisons (the 9% US increase, the 9% global decrease) are considered meaningful rather than artifacts of a changing measurement approach.
Why did healthcare costs fall 24% while remaining the most expensive industry overall?
The report attributes the broader 2025 cost decline primarily to faster detection and containment driven by AI and automation adoption, a trend that applied across industries including healthcare. Healthcare’s absolute cost figure remains highest because the sector’s structural cost drivers (extensive sensitive PII and PHI data, strict healthcare-specific regulatory regimes, and the longest detection and containment time of any industry at 279 days) persist even as detection technology improves industry-wide. Falling 24% while still ranking highest for a 14th consecutive year indicates the improvement was real but insufficient to close the structural gap between healthcare and other industries.
Is this report specifically about SSL certificate or encryption-related breaches?
No. The IBM Cost of a Data Breach Report covers breach response costs across all root causes broadly, including phishing, stolen credentials, supply chain compromise, cloud misconfiguration, insider threats, and AI-related incidents, among others. It is not a certificate-specific or encryption-specific cost study. The connection to certificate security discussed in this article is that detection speed, the single largest cost lever identified in the report, is directly affected by infrastructure monitoring gaps of any kind, certificate-related or otherwise, rather than the report focusing specifically on certificate failures as a distinct category.
