Operations
3/10/2016
08:00 PM

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

New report shines light on what cyber insurance can and can't do for enterprises that suffer data breaches.

A vast majority of breaches fall below cyber insurance policy deductibles, according to a new study conducted by insurance information and analytics company Advisen and commissioned by ID Experts, a data breach response services company.

Most data breaches are small -- consisting of fewer than 500 records lost -- and the median data breach is only 100 records, the report says. But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000 and 48% with a deductible that is over $101,000. 

Meantime, more than 70% of respondents use internal resources to manage these smaller breaches.

“There’s a lot of misconceptions around cyber security insurance -- what it does, what it could do,” says John Pescatore, director of emerging security trends at SANS. It's not for everyday occurrences, he says.

Take auto insurance, for example: your insurance provider isn’t going to pay to fix your flat tire, nor is cyber insurance going to cover smaller breaches, he says.  It doesn’t make economic sense. “The survey brought out a lot of the reality of [cyber insurance’s] limited role,” Pescatore says. 

Advisen’s product manager Aloysius Tan concurs that there is a gap in coverage, “in that a lot of these smaller breaches are not exactly covered by insurance companies.” So it would be wise to have a contingency to cover the cost of small breaches, Tan says.

Of the 203 risk professionals participating in the survey, the majority classified themselves as chief risk manager/head of risk management department (41%), representing businesses of all sizes and across all regions of the US. 

The study also found that 60% of organizations say that the information technology (IT) department is responsible for managing the data breach response.

Jeremy Henley, director of breach services at ID Experts, believes that more groups from the organization need to get involved in the incident response process. “At a minimum, you’re going to want IT, legal, privacy and compliance, and risk management [involved],” says Henley. “When your breach starts getting larger, operations, marketing/communications/PR need to get involved.”

Include HR as well, he says, because the breach could be caused by an employee training or discipline issue and you’ll need to be able to prove that you handled the response appropriately. 

While the cyber insurance industry is still very much in its nascent stages, it has more than doubled in value from 2012, from $1 billion to $2 billion in 2015, and according to Moody’s, could triple by 2020. A report released by Marsh last year says the massive growth can be attributed to the broader scope of hacktivists in the growing landscape of cyber threats.

Despite the fact that cyber insurance doesn’t currently cover small breaches, both Henley and Tan see an opportunity for insurance carriers to offer assistance to organizations that need advice from external data breach response groups. “There is a pretty big gap where insurance companies can fill in terms of their business strategy,” Tan says.

ID Experts' Henley says carriers could offer more tools for preparing and responding to smaller incidents -- such as connections for legal counsel, data breach response vendors, and public relations agencies. 

Insurance carriers basically need to get more involved in incidents, he says. But he acknowledges that not everyone wants to disclose every little incident to their insurance company for fear of seeing increased premiums.

If you can establish a comfort level with the insurance company, Henley says, they can offer you advice and services to potentially minimize the costs of these smaller breaches such as data breach issues involving W2 forms, something Henley is seeing a lot of as tax season approaches. 


Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...

Comments
DaveS6929,
User Rank: Apprentice
3/22/2016 | 10:18:47 AM
Re: Will cyber insurance premiums ever decrease?
If premiums under $600 are what you're looking for, all you need to do is look a bit harder.  Excellent coverage suites from substantial Insurance Carriers with deductibles as low as $1,000 are readily available for SME.

For SME, ANY breach could be catastrophic.  They need a Cyber SWAT Team that they can call and have everything handled.  That is one of the best features of the insurance policies currently available and affordable.

We certainly buy insurance to protect against serious & catastrophic circumstances.  For SME, a 100-500 PII Breach is just that.  60% of them go out of business within 6 months of a cyber crime.  The insurance industry has indeed responded to the needs of SME to transfer this risk effectively and inexpensively.

 

 
DaveS6929,
User Rank: Apprentice
3/22/2016 | 10:06:49 AM
Security Pros Missing The Mark
According to the Survey cited, the lack of insurance coverage for the average breach is solely attributable to the size of deductibles in the respondent's insurance policy.  Establishing an average deductible of $10,000 indicates that the overwhelming number of respondents are not Small-MidSized Enterprises.

The current Marketplace for Cyber Insurance is replete with deductibles as low as $1,000 for the SME segment, the very firms who would be crippled or bankrupted by a 100-500 PII breach.

Is cybersecurity the panacea for these firms (or any for that matter)?  Obviously not, as the headlines would illustrate.  No, Breach Response is the critical factor and SME needs assistance and guidance the most.

To imply that Cyber Insurance isn't worth buying is fundamentally irresponsible.
KeithB787,
User Rank: Apprentice
3/11/2016 | 5:39:04 PM
Will cyber insurance premiums ever decrease?
This is definitely a case of where size matters. As the article mentions, it's very similar to car insurance. While you have insurance to cover a serious accident or catastrophic damage, you still have to pay your deductible for the accident. And so businesses will need to cover a portion of every security breach. A more interesting aspect might be that the article noted that cyber insurance coverage is increasing in the market. This will bring more competition and hopefully lower premiums for businesses. Unfortunately, with the huge amount of breaches that continue to happen annually, it remains to be seen if premiums can be reduced.