Risk // Compliance
12/3/2014
07:00 PM

The Real Cost of Cyber Incidents, According To Insurers

Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.

In August, the Ponemon Institute reported that security exploits and data breaches had cost survey respondents (some of which experienced multiple incidents), on average, $9.4 million over a year. Yet, according to research released today by NetDiligence, the average payout of a cyber insurance claim is only $733,109.

NetDiligence surveyed cyber insurance providers only about claims they paid out; the data does not include submitted claims that the insurers did not cover. The data is from 117 claims: 111 cases of personal information exposure, three denials of service, and three thefts of trade secrets. Though the number of claims is small, NetDiligence estimates that it accounts for 5-10% of all paid cyber claims.

The total payout of the 117 claims was $62.3 million. The size of the checks varied widely -- from $1,000 to $13.7 million. This year's average of $733,109 was 23% lower than last year's.

When calculating payouts, respondents include the "self-insured retention" -- the amount a policy holder must pay out of pocket before getting a dime from the insurer. The policies mostly do not cover things like lost customers and opportunity costs, but those might be covered by other insurance policies held by an organization.

Type of costs
Overall, 48% of that $62.3 million went to "crisis services," which include forensic investigation, breach notification, and legal "guidance" (lawyers' advice, not representation). Individually, those costs vary widely. For example, though some claims did not spend a dollar on notification, another claim spent $6.15 million on it.

Fifteen percent of the total went to legal defense, 10% to legal settlements, 10% to regulatory defense, 11% to PCI fines, and 6% to other regulatory fines. Very few claimants had to pay for regulatory defense or regulatory settlement, but those who did paid dearly. Defense cost as much as $5 million, and settlement as much as $2.5 million.

Yet those high price tags don't necessarily have anything to do with the number of records exposed. The median per-record cost for all breaches was only $19.84, but the maximum was a whopping $33,000 per record. From the NetDiligence report:

    Whatever factors generate regulatory scrutiny for a given claim event, it appears that the number of records exposed is not necessarily a primary consideration.... For example, in one incident in this year's dataset, only 80 [records] were lost. However, the legal defense and settlement costs were quite high, resulting in a cost per-record of more than $11,000.00. We think this is especially true in the Healthcare sector, where enforcement by State Attorneys General has been aggressive.

Causes of incidents
The NetDiligence report attributed each claim to a primary cause: hackers, malware, theft of hardware, employee error, paper records, and rogue employees, among others. "Hackers" and "malware" together accounted for only 40% of the claims, but they were responsible for 97% of lost records. And they were expensive. The median cost of incidents due to "hackers" was $242,762; the most expensive one cost $11.75 million. The median cost of a malware-related incident was $164,125; the maximum was $1.85 million.

Thirty-two percent of the incidents were attributable to insiders, and, not surprisingly, malicious insiders caused more damage than accidents. On average, rogue insiders accounted for 65,433 exposed records; unintentional staff errors accounted for 30,020. On average, rogue insiders caused $224,653 in financial losses; staff errors caused $137,778.

Source and size
Most breaches in the NetDiligence report were considered the joint fault of both an organization and a third party. Only 5% were blamed on the organization alone; 20% were blamed on a third party alone.

Therefore, there is an argument to be made that insuring one's organization against the failures of a third party -- if that third party does not itself have some cyber liability policy -- might be even more important than insuring against one's own failures. This is troubling when one considers that, according to Ponemon, only 11% of respondents' insurance policies covered the impacts of third-party security incidents.

Generally speaking, according to the NetDiligence report, small companies (by revenue) experience the most incidents, large companies have the fewest, and those in the middle suffer the worst damage.

The smallest companies -- those with annual revenue of $300 million or less -- filed 62% of the claims, which accounted for 1% of the lost records and cost between $1,000 and $1.3 million. The largest companies -- those with $1 billion to $10 billion of revenue -- filed 4% of the claims, which accounted for 4% of the lost records and cost between $1 million and $6.5 million. Medium companies -- those with $300 million to $10 billion of revenue -- filed 34% of the claims, which accounted for 95% of the lost records and cost between $2,500 and $13.7 million.

Sources, causes, costs vary widely by industry
The healthcare industry filed the most claims (23%) but accounted for only 3% of the lost records. However, the records that were stolen may have been particularly well-targeted, because healthcare was also hit disproportionately hard by malicious insiders: it accounted for 40% of the rogue-insider incidents in the dataset. Healthcare also suffered the most expensive incidents, largely because personal health information breaches incurred the highest legal fees. The average payout for healthcare claims was $1.3 million (about 87% higher than average).

According to the Ponemon report, only 29% of respondents in the healthcare industry actually had cyber insurance policies in the first place.

Like healthcare, the financial services industry filed lots of claims (22%) but lost a small percentage of the records (1%). Finance was hit hardest by third-party incidents, accounting for 32% of them. Yet the cost was comparatively low: $288,000 on average.

Conversely, the entertainment industry had just a few incidents (3%) but lost the most records by far (52%) and had the highest average cost ($1.45 million). Entertainment payouts went mostly to high costs for legal and regulatory expenses.

The technology sector accounted for only 8% of the claims but 39% of the records lost. What set the tech industry apart, however, was that all three of the claims involving leaked trade secrets were in technology, and all were committed by "hackers." The claims cost between $150,000 and $900,000, most of which was spent on forensic investigations.

As for retail, it accounted for 10% of the claims and 1% of the lost records, and a pricey $1.41 million per claim, due to high legal and regulatory costs related to PCI. Note that these figures are for claims filed in 2013. There's no doubt all the figures will be higher next year, as insurance companies sort out the pile of claims they've received from the major retailers hit with PoS malware over the spring and summer.

None of the claims were paid to government agencies.

Read the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 10:13:20 AM
Re: Drawing conclusions
Totally agree @Sara. It's a good baseline for a conversation with potential insurers. Really does shine a spotlight on the fact that the cyber insurance industry is in its infancy.
Sara Peters,
User Rank: Author
12/4/2014 | 10:08:01 AM
Re: Drawing conclusions
@Marilyn  Yes, there's still a lot we don't know. The report was really aimed at an audience of insurers, to give them info that would help them develop cyber-insurance policies going forward. My takeaway was that cyber insurance can be a big help, but might not cover as much as you'd like it to, and you should negotiate and plan accordingly. I think these numbers are something a CISO and a CRO should look at together.
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 7:49:19 AM
Drawing conclusions
These numbers are fascinating, but it's hard to draw firm conclusions about the value of cyber insurance or the areas of greatest potential risk. It would be interesting to know more about the submitted claims that the insurers didn't cover -- and why. 