In the Middle East, lost business remained the largest cost category in 2025, averaging SAR11.63 million per breach. This was followed by post-breach response costs at SAR7.50 million, detection and escalation at SAR6.55 million and notification costs at SAR1.32 million. While overall breach costs have declined this year, these figures underscore the continued financial strain organisations face across the entire breach lifecycle – from discovery to containment.

Certain sectors continued to face significantly high breach costs in 2025. This year, the financial sector recorded the highest total breach cost reaching SAR34.00 million, followed closely by energy and industrial at SAR32.00 million.

“ It is encouraging to see a meaningful decline in the cost of data breaches in the Middle East this year. It is no coincidence that a region with some of the world’ s boldest AI ambitions is also seeing less costly breaches. As organisations accelerate the adoption of AI-driven tools for security, they are improving their ability to detect and contain threats before they escalate. But as attackers grow more sophisticated, continued investment in AI-driven security tools, security talent and AI governance tools will be essential to sustaining this momentum,” said Saad Toma, General Manager of IBM Middle East and Africa. in place, the most common elements include strict approval processes for AI deployments( 45 %), adversarial testing( 44 %) and the use of AI governance technology( 43 %).

Factors that increase costs – Organisations with security system complexity incurred an average additional cost of SAR867,378. Breaches affecting IoT or OT environments added SAR839,750, while security staff shortages raised costs by SAR818,997 on average.

Top initial attack vectors – The most common initial causes of data breaches in 2025 were third-party vendor and supply chain compromise, which account for 17 % of incidents and carried an average cost of SAR29.60 million. Denial of service attacks and phishing each made up 14 % of breaches, with average costs of SAR27.20 million and SAR28.00 million respectively. Malicious insider threats, while slightly less frequent at 11 %, resulted in the highest average cost at SAR33.00 million.

The 2025 Cost of a Data Breach Report analysed real-world data breaches from over 600 organisations worldwide from March 2024 through February 2025, including organisations from Saudi Arabia and the United Arab Emirates. Conducted by Ponemon Institute and sponsored and analysed by IBM, the Cost of a Data Breach Report has investigated nearly 6,500 data breaches over the past 20 years. x

Other key findings in the 2025 IBM report for the Middle East include:

Mitigating risks of AI model attacks – To reduce the risk of attacks on AI models, organisations in the Middle East are most commonly implementing access controls on AI systems( 41 %). By contrast, just 3 % of breached organisations globally had such controls in place, highlighting the region’ s more proactive approach to securing and governing AI.

AI governance adoption – 38 % of surveyed organisations reported having formal AI governance policies in place, with an additional 24 % starting to develop them. For those with policies

30 www. intelligentcxo. com