When a board asks what a cyber attack would cost, the honest answer is that the ransom, if there even is one, is the smallest part. The real bill is built from forensics, downtime, regulatory exposure, and customers who quietly leave. This article puts numbers on each of those, using the most credible industry benchmarks, and gives you a calculator to estimate your own exposure.
A note on figures up front. There is no Indonesia-only breach-cost benchmark, so where a regional number is useful, the closest reliable figure is IBM's ASEAN average. The IBM 2025 report puts the global average breach at USD 4.44 million and the financial-services average at USD 5.56 million, while its 2024 ASEAN report put financial services in the region at SGD 7.48 million, the costliest sector locally. Those are the anchors behind the model here.
The visible costs
IBM divides the cost of a breach into four parts. The visible, invoiced ones are detection and escalation, the post-breach response such as legal and remediation, and customer notification. These are the costs your finance team can see coming.
Detection and escalation alone makes up close to a third of the total. For a bank, this is the forensic investigation, the crisis management, and the work to understand exactly what was taken, all of which runs on expensive specialist time under deadline pressure.
The hidden costs
The largest single component is the one that never appears on an invoice: lost business. This is the customer churn, the reputational damage, and the new business you do not win because of the headline. IBM consistently finds it to be the biggest share of breach cost.
For an Indonesian bank, the hidden cost has a regulatory dimension too. Under UU PDP, a serious data protection failure can draw an administrative fine of up to 2 percent of annual revenue, and a bank also faces OJK sanctions on top. That is a double regulatory exposure that a pure IBM-based model does not capture, which is why prevention pays back so quickly.
Estimate your exposure
The calculator below combines these benchmarks into a rough estimate. Set the number of customer records exposed, the hours of service downtime, and your bank's size, and it breaks the cost into the four components. The assumptions are illustrative and deliberately conservative, and they exclude the revenue-based UU PDP fine, which depends on your turnover.
Move the downtime slider and watch the total climb. Downtime is where bank breaches get expensive fast, because every hour a payment or mobile channel is offline carries a large business cost. Industry benchmarks put hourly outage costs for top sectors, including banking, in the millions of US dollars, which is why the downtime component dominates as the hours rise.
Why prevention is the cheaper line item
The same IBM research that prices breaches also prices the controls that reduce them, and the numbers make the business case on their own. Organisations with a tested incident response team and plan spent on average around USD 2.66 million less per breach. Those using security AI and automation extensively spent around USD 1.9 million less and contained breaches far faster.
Speed of containment is the lever that matters most. IBM found breaches contained in under 200 days cost dramatically less than those that ran longer. Every control that helps you detect and contain sooner, from monitoring to segmentation to rehearsed response, pulls money directly off the total.
Set against a breach that can run into the tens of billions of rupiah for a mid-sized bank, the annual cost of strong detection, response, and backup discipline is modest. The cheapest line item in the whole exercise is the one that stops the attack early.
At Alpha Code, we help Indonesian banks quantify their cyber exposure and invest where it measurably lowers the cost of a breach, from monitoring and incident response to resilience testing. If your board wants a number, modelling your own exposure is the place to start.