New claims costs data reveal a wide discrepancy on costs associated with cyber losses.
More than $75.5 million has been spent on cyber claims losses as reported in the latest cyber claims study published by NetDiligence, a cyber risk assessment and data breach services company.
This is the fifth year for the annual study, which examines actual losses for data breach events covered by various cyber liability insurance carriers for claims with incident dates between 2012 and 2014. This year’s report summarizes findings for a sampling of 160 cyber liability insurance claims, 155 of which involved the exposure of sensitive data. The study examines the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. The study also considers claims due to third-party breaches and claims due to insider involvement, both accidental and malicious.
According to the report, the claims sampled – which included both first party and third party losses – represent only about five percent of the overall number of cyber claims handled by all markets within that timeframe.
The primary focus of the study is the costs incurred by insurers due to cyber claim events, including crisis services (forensics, notification, credit/ID monitoring and legal counsel), legal (class action lawsuit defense and settlement), regulatory (defense and settlement) and payment card information (PCI) fines.
This year’s study finds that of the total cyber claims costs of $75.5 million, 78 percent spent was spent on crisis services, eight percent on legal defense, nine percent spent on legal settlements, one percent each on regulatory defense and regulatory fines and three percent spent on PCI fines. The claims analyzed in the study remain open so amounts noted within the study should be considered payments to date.
The average total claim for a breach was $673,767 – an eight percent reduction from last year’s figures. However, the average claim for a large company was $4.8 million, while the average claim in the healthcare sector was $1.3 million.
The average payout for crisis services was $499,710. Only 16 percent of the claims submitted included legal damage costs. The average cost for legal defense was $434,354, with the average cost for legal settlement at $880,839. The study found a broad cost range for this area, with legal defense payouts ranging from $6,881 to $2.5 million and legal settlements ranging from $1,968 to $5.9 million.
The study examined the data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. Two additional data points analyzed included whether there was insider involvement and if a third-party vendor bore responsibility for the incident.
Many insurers are using legal counsel early in the claims process to reduce mistakes that an affected organization could make. The study authors indicate this approach likely reduces follow-up regulatory fines as well as legal defense and settlements costs. Insurers are also creating preferred vendor panels with already-negotiated rates for crisis services, which likely reduces insureds’ breach response costs.
The study authors estimate data breach response costs for an uninsured organization may be up to 30 percent higher than for an insured organization.
The study’s key findings:
- Personally identifiable information was the most frequently exposed data at 94 percent followed by payment card information at 27 percent and private health information at 14 percent
- Hackers were responsible for a majority of the losses at 31 percent, followed by malware or virus at 14 percent. Employee mistakes and/or rogue employees tied for the third leading cause at 11 percent. Insider involvement was found in 32 percent of the claims, though two thirds were found to be due to mistakes.
- Healthcare organizations were the most frequently breached at 21 percent, followed by financial services at 17 percent but the biggest breaches occurred in retail, followed by healthcare. Both sectors were reportedly the most likely to suffer from insider threats.
- The average number of records affected was 3.2 million.
- Nano organizations (less than $50 million in revenue) suffered the most losses at 29 percent, followed by small organizations (revenue ranging from $300 million to $2 billion) at 25 percent.
The total costs per claim varied from $540 to $15 million. The study found the median claim payment for the payment card information breaches were higher than other data types with the exception of the first loss ever reported related to a trade secrets claim. “The payout for loss of trade secrets was more than four times the median cost of a PCI-related claim,” the study stated.
The median number of records exposed for the latest study was 2,300 and the results indicate that more claims are being submitted for breaches with a small number of exposed records.
Per record costs were deemed to be problematic since the cost per record seemed to vary significantly. The study found that “there is an indirect correlation for some costs (regulatory fines) and no discernible correlation for other costs (forensics). For this reason, high per-record costs are possible regardless of breach size.”
Though hackers and malware/viruses combined accounted for 45 percent of the claims, 99 percent of records were exposed. The study found that claims caused by malicious activity resulted in increased costs, a likely correlation to the large number of records exposed.
Because the healthcare and retail sectors experienced larger breaches, each sector reported higher average costs than all other sectors combined.
The study looked at the size of organizations affected based on revenue and found that smaller organizations sustained the most incidents, but that this was likely due to the fact that there are more small organizations than large ones. Additional contributing factors could be the result of smaller organizations being less aware of their exposure and the lack of resources to provide data protection or security awareness training to their employees. The study found a correlation between size and records exposed – small organizations reported 38 percent of records exposed while mid to large revenue ($2 to $100 billion in revenue) organizations reported 60 percent of records exposed. Breach claims for large revenue organizations were found to be substantially higher, 10 times the average claim of a small revenue organization. Despite this, some of the largest claims came from small revenue organizations, the study found. The commonality, according to the study findings, was that the incidents were hacking or malware/virus-related that resulted in costly forensic analysis.
Occurring in every business sector, third party vendor breaches were reported in 25 percent of the claims analyzed, though nearly a third occurred in the financial sector. Hackers accounted for half of all third party vendor breaches. The study noted that significantly more records were exposed in third party vendor breaches than in breaches that occurred within an insured organization, but that payouts were a fraction of payouts made for in-house breaches (17 versus 26 percent).
Of the claims examined, only four included costs associated with regulatory actions. Costs related to regulatory defense were tallied anywhere from $67,500 to $327,000, while one regulatory fine came in at $750,000. The records exposed in these regulatory actions ranged from 41,000 to 6.5 million. According to the study, “the potential for regulatory action and its associated costs should be considered when evaluating any organization’s risk exposure, regardless of the size of the organization or the size of the breach.”
Only four percent of the claims analyzed reported costs associated with PCI fines, with amounts ranging from $21,229 to $600,000.