For many firms, pinpointing cybersecurity costs to a specific client can be challenging, while ethical obligations may prevent them from including cybersecurity line items in a client invoice.