How many companies really shut down after a data breach?

October 28, 2025

Business recovery after a data breach is easier to talk about if you start with the facts.

This article is part of Spiceworks’ Recalibrating Risk Tolerance series investigating the contemporary landscape of cybersecurity risk. You can follow along on our landing page, where we’ll be adding new stories all week. 

The cybersecurity world loves a scary statistic, and few are more chilling than this oft-repeated claim: “60% of small businesses close within six months of a data breach.” It’s the kind of figure that makes executives break out in cold sweats and sends IT budgets soaring. There’s just one problem—it’s complete nonsense.

The National Cyber Security Alliance (NCSA) has officially debunked this statistic, calling it an unverified claim from a 2011 third-party source that lacks empirical backing. Yet this zombie stat refuses to die, shambling through boardroom presentations and vendor pitches like some kind of digital undead.

So what’s the real story? The truth, as usual, is more nuanced than the fear-mongering headlines suggest.

The numbers that matter

Recent research from credible sources paints a very different picture of business survival after cyber incidents. The VikingCloud 2025 SMB Threat Landscape Report found that approximately 20% of small and medium-sized businesses would be forced to permanently close due to a successful cyberattack. That’s concerning, certainly, but it’s a third of the debunked statistic that continues to circulate.

The picture becomes even more complex when you dig into the details. According to Philip Harris at IDC, research indicates the closure rate varies dramatically based on the severity and duration of the incident. Companies experiencing catastrophic data loss—the kind that lasts more than 10 days—face a grim 93% bankruptcy rate within one year, based on data from the National Archives & Records Administration. But here’s the crucial point: these are extreme cases, not your typical data breach.

For less severe incidents, the University of Texas study shows that 51% of companies suffering significant data loss close within two years, while 43% never reopen at all. Again, these figures apply to catastrophic scenarios, not the garden-variety breaches that make up the majority of incidents.

Size matters more than you think

The harsh reality is that company size dramatically affects survival odds. Small businesses face a perfect storm of vulnerability: they’re disproportionately targeted (accounting for 43% of all breaches despite their size), chronically underinsured (75% lack adequate cyber coverage), and resource-constrained when it comes to recovery.

Meanwhile, large enterprises rarely shut down solely due to a data breach. Take Equifax, which survived exposing 147 million consumer records in 2017. The credit reporting giant faced massive lawsuits, regulatory scrutiny, and reputational damage, but it remained operational because it had the resources to weather the storm.

The same pattern holds across industries. According to IBM’s 2025 Cost of a Data Breach Report, the global average breach cost reached $4.44 million, while U.S. companies faced an average of $10.22 million in 2025 – an all-time high. These are significant sums, but they’re survivable for well-capitalized organizations with proper insurance and incident response plans.

The persistence problem

So why does the “60% closure” myth persist? Because it serves multiple agendas. Cybersecurity vendors use it to create urgency around their solutions. Consultants deploy it to justify expensive engagements. Insurance companies leverage it to sell policies. And frankly, it makes for compelling copy in a world where boring statistics don’t generate clicks.

But the myth also creates real harm. It can lead to panic-driven decision-making, where businesses either over-invest in security theater or become paralyzed by the perceived inevitability of failure. The Hiscox Cyber Readiness Report 2024 found that 20% of businesses reported a cyberattack nearly rendered them insolvent—a serious concern, but far from the apocalyptic scenario the myth suggests.

Context is everything

This is not to say that data breaches are harmless; they are not. The US average cost continues to climb, with IBM reporting a 9% year-over-year increase in 2025. Healthcare organizations face particularly steep costs, averaging $9.8 million per incident.

But context matters enormously. A breach’s impact depends on factors like company size, industry, incident response time, insurance coverage, and the specific nature of the attack. Companies that detect and contain breaches quickly can reduce costs by up to 50%, according to VikingCloud research.

According to IDC Research Director Philip Harris, the actual closure rate for all companies is likely under 10% within two years when you account for comprehensive data rather than cherry-picked horror stories. This provides crucial perspective that’s often missing from vendor-driven fear campaigns.

Real-world reality check

Consider National Public Data, the background check firm that filed for bankruptcy after its 2023 breach exposed 2.9 billion records. This case is often cited as proof that breaches are business killers, but it’s actually the exception that proves the rule. NPD was a relatively small, specialized firm that lost its entire value proposition—trust—in a business built on handling sensitive data.

Contrast that with the countless small businesses that experience ransomware attacks or payment card breaches and continue operating. They may face temporary disruption, regulatory fines, and customer churn, but they don’t automatically fold.

The insurance factor

One crucial element often overlooked in doom-and-gloom scenarios is cyber insurance. While 75% of small businesses remain underinsured for cyber events, those with proper coverage have significantly better survival odds. Insurance doesn’t just provide financial compensation—it often includes incident response services, legal support, and recovery assistance that can mean the difference between closure and continuity.

Companies that can respond faster to incidents also see dramatically better outcomes. Organizations that contain breaches in under 200 days can reduce costs by approximately 50% compared to those with longer response times. This isn’t just about having the right technology—it’s about having practiced incident response plans and clear communication protocols.

Moving beyond the myths

The cybersecurity industry needs to retire the “60% closure” statistic once and for all. Fear-based messaging may grab attention, but it doesn’t create lasting behavior change or smart investment decisions.

Instead, businesses need realistic assessments of their actual risk based on factors like company size, industry, data sensitivity, and existing security posture. A small medical practice faces different risks than a manufacturing company, which faces different risks than a financial services firm.

The goal shouldn’t be achieving perfect security—that’s impossible. It should be building appropriate resilience for your specific situation. That means understanding your actual vulnerabilities, implementing proportionate controls, maintaining good backups, having an incident response plan, and yes, carrying adequate insurance.

The ransomware reality

Current data shows that ransomware and data exposure incidents are driving approximately 70% of insolvency risks in 2024-2025. This represents a shift from traditional data breaches to more operationally disruptive attacks that can shut down business operations entirely. But even in these more severe scenarios, preparation and rapid response can make the difference between temporary disruption and permanent closure.

The enterprise advantage

Large enterprises continue to demonstrate remarkable resilience in the face of major breaches. While they may see 5-9% drops in market value or reputational capital, they rarely cease operations solely due to cyber incidents. They have deeper resources, better insurance coverage, and more sophisticated recovery capabilities than their smaller counterparts.

This doesn’t mean large companies are immune—they face their own challenges, including regulatory scrutiny, class-action lawsuits, and complex recovery scenarios. But their survival rates remain significantly higher than the scary statistics suggest.

Data breaches are serious business risks that require serious attention. But they’re not automatic death sentences, despite what the scary statistics suggest. By focusing on facts rather than fiction, businesses can make smarter decisions about cybersecurity investments and incident preparedness.

The myth of inevitable doom serves nobody except those selling expensive solutions to imaginary problems. The reality is more nuanced, more manageable, and ultimately more actionable. Let’s start acting like it.

Denis Tom
Denis Tom is a coach, futurist and strategic advisor with over 30 years of technology leadership. He enjoys working with organizations and individuals to lead with authentic purpose, yielding optimal performance and creativity. He has led award-winning organizations in tech, publishing, entertainment, financial, nonprofit and service industries. Currently, Denis is a committee member for training and development of cybersecurity professionals at the New York Metro Chapter of ISACA.