By Mark Greisiger, President, NetDiligence®
Our objective in performing the NetDiligence® Cyber Liability & Data Breach Insurance Claims Study was to present some empirical data on what’s actually being paid in the world of cyber risk as well as provide some information on what the industry is seeing in frequency and severity.
I’ve noticed that my clients want to know some real numbers on this. As in, when a big breach happens, what is it actually going to cost them and what do certain insurance markets pay out?
And the truth is—and what we discovered—that it’s all over the place. There are some minuscule claims in the thousands of dollars and there are really big ones in the millions.
Knowing that a lot of insurance professionals don’t have a lot of time to pull all of the information I’d ultimately love to have, we performed this study by creating a list of 10 survey questions to ask our clients. These dealt with things like the size and sector of claims and what was paid out in various sectors such as forensics, credit monitoring, legal defense, etc.
What we immediately found was that breaches involving personally identifiable information were the most prevalent, at 37 percent. The second most prevalent—at 21 percent—were breaches involving protected health information. Knowing that the healthcare sector is currently the largest purchaser of cyber insurance, it was no surprise that it presented the majority of the claims that the underwriters reported.
Causes Of Loss
We found that hackers were the most frequent cause of loss. This finding conflicts with other studies showing equal numbers between hackers and insiders. Breaches by rogue employees and insiders represented 19 percent of the claims paid out.
The average cost we found per breach was $2.4 million. The average cost per record ranged between $1.36 and $5; however, we found some examples where the per-record cost for the client was pennies per record, as well as a few cases with a $3,000 per-record cost.
The average cost of legal claims being paid out was $500,000, and the average cost of a settlement was $1 million. Crisis services costs, which included things such as computer forensics, notification and credit monitoring, averaged about $800,000 per event, we found.
In all, I felt that the results of our survey were somewhat unique—if not surprising at times—when compared to other recently published surveys. In all, I felt the survey as a whole provided some valuable insight into this rapidly evolving industry.
Mark Greisiger leads NetDiligence®, a cybersecurity risk management company. For the past 9+ years NetDiligence has been offering unique cyber risk assessment services to organizations in all sectors. Its due diligence services support the unique risk management and compliance needs of many businesses. Mark has helped create services that allow NetDiligence to support the loss control needs of the various US and UK insurers that offer network liability coverage (aka ‘privacy insurance’). Most of these markets use, and often require, a NetDiligence review to verify network security safeguard controls, privacy practices and client vigilance. Mark is also a frequently published contributor to various insurance and risk management publications on similar topics.