EMC, which owns RSA, spent US$66m 'between April and June' as a result of the Trojan/hack incident in March that compromised its SecurID product.
$66m may be Information Week's headline figure, and that's a staggering amount of money for starters, but that's just it - it's for starters. We're told "It doesn't include post-breach expenses from the first quarter, when EMC began investigating the attack, hardening its systems, and working with customers to prevent their being exploited as a result of the attacks.", so we know for sure it is an underestimate of the full breach costs. The wording of the disclosure also implies that it only covers the direct costs that are readily attributed to the breach. Indirect costs such as brand/reputation damage, customer defections, lost sales prospects, damaged employee morale and more are hard even to estimate, let alone with sufficient accuracy to satisfy the bean-counters and marketing people who typically drive these "earnings calls". Furthermore, the costs of the incident to RSA's customers are entirely out of the picture.
The ultimate grand total may be orders of magnitude greater than $66m, all thanks to an employee retrieving an email from the spam folder and unwisely opening the attachment. [Was that a Freudian slip? I originally typed "attackment", which is not far from the mark.]