Risk // Compliance
12/3/2014
07:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

The Real Cost of Cyber Incidents, According To Insurers

Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.

In August, the Ponemon Institute reported that security exploits and data breaches had cost survey respondents (some of which experienced multiple incidents), on average, $9.4 million over a year. Yet, according to research released today by NetDiligence, the average payout of a cyber insurance claim is only $733,109.

NetDiligence surveyed cyber insurance providers only about claims they paid out; the data does not include submitted claims that the insurers did not cover. The data is from 117 claims: 111 cases of personal information exposure, three denials of service, and three thefts of trade secrets. Though the number of claims is small, NetDiligence estimates that it accounts for 5-10% of all paid cyberclaims.

The total payout of the 117 claims was $62.3 million. The size of the checks varied widely -- from $1,000 to $13.7 million. This year's average of $733,109 was 23% lower than last year's.

When calculating payouts, respondents include "self-insured restrictions" -- the amount a policy holder must pay out of pocket before getting a dime from the insurer. The policies mostly do not cover things like lost customers and opportunity costs, but those might be covered by other insurance policies held by an organization.

Type of costs
Overall, 48% of that $62.3 million went to "crisis services," which include forensic investigation, breach notification, and legal "guidance" (lawyers' advice, not representation). Individually, those costs vary widely. For example, though some claims did not spend a dollar on notification, another claim spent $6.15 million on it.

Fifteen percent of the total went to legal defense, 10% to legal settlements, 10% to regulatory defense, 11% to PCI fines, and 6% to other regulatory fines. Very few claimants had to pay for regulatory defense or regulatory settlement, but those who did paid dearly. Defense cost as much as $5 million, and settlement as much as $2.5 million.

Yet those high price tags don't necessarily have anything to do with the number of records exposed. The median per-record cost for all breaches was only $19.84, but the maximum was a whopping $33,000 per record. From the NetDiligence report:

    Whatever factors generate regulatory scrutiny for a given claim event, it appears that the number of records exposed is not necessarily a primary consideration....
    For example, in one incident in this years dataset, only 80
    [records] were lost. However, the legal defense and settlement costs were quite high, resulting in a cost per-record of more than $11,000.00. We think this is especially true in the Healthcare sector, where enforcement by State Attorneys General has been aggressive.

Causes of incidents
The NetDiligence report attributed each claim to a primary cause: hackers, malware, theft of hardware, employee error, paper records, and rogue employees, among others. "Hackers" and "malware" together accounted for only 40% of the claims, but they were responsible for 97% of lost records. And they were expensive. The median cost of incidents due to "hackers" was $242,762; the most expensive one cost $11.75 million. The median cost of a malware-related incident was $164,125; the maximum was $1.85 million.

Thirty-two percent of the incidents were attributable to insiders, and, not surprisingly, malicious insiders caused more damage than accidents. On average, rogue insiders accounted for 65,433 exposed records; unintentional staff errors accounted for 30,020. On average, rogue insiders caused $224,653 in financial losses; staff errors caused $137,778.

Source and size
Most breaches in the NetDiligence report were considered the joint fault of both an organization and a third party. Only 5% were blamed on the organization alone; 20% were blamed on a third party alone.

Therefore, there is an argument to be made that insuring one's organization against the failures of a third party -- if that third party does not itself have some cyber liability policy -- might be even more important than insuring against one's own failures. This is troubling when one considers that, according to Ponemon, only 11% of respondents' insurance policies covered the impacts of third-party security incidents.

Generally speaking, according to the NetDiligence report, small companies (by revenue) experience the most incidents, large companies have the fewest, and those in the middle suffer the worst damage.

The smallest companies -- those with annual revenue of $300 million or less -- filed 62% of the claims, which accounted for 1% of the lost records and cost between $1,000 and $1.3 million. The largest companies -- those with $1 billion to $10 billion of revenue -- filed 4% of the claims, which accounted for 4% of the lost records and cost between $1 million and $6.5 million. Medium companies -- those with $300 million to $10 billion of revenue -- filed 34% of the claims, which accounted for 95% of the lost records and cost between $2,500 and $13.7 million.

Sources, causes, costs vary widely by industry
The healthcare industry filed the most claims (23%) but accounted for only 3% of the lost records. However, the records that were stolen may have been particularly well-targeted, because healthcare was also hit disproportionately hard by malicious insiders (40% of total incidents). Healthcare also suffered the most expensive incidents, largely because personal health information breaches incurred the highest legal fees. The average payout for healthcare claims was $1.3 million (about 87% higher than average).

According to the Ponemon report, only 29% of respondents in the healthcare industry actually had cyber insurance policies in the first place.

Like healthcare, the financial services industry filed lots of claims (22%) but lost a small percentage of the records (1%). Finance was hit hardest by third-party incidents, accounting for 32% of them. Yet the cost was comparatively low: $288,000 on average.

Conversely, the entertainment industry had just a few incidents (3%) but lost the most records by far (52%) and had the highest average cost ($1.45 million). Entertainment payouts went mostly to high costs for legal and regulatory expenses.

The technology sector accounted for only 8% of the claims but 39% of the records lost. What set the tech industry apart, however, was that all three of the claims involving leaked trade secrets were in technology, and all were committed by "hackers." The claims cost between $150,000 and $900,000, most of which was spent on forensic investigations.

As for retail, it accounted for 10% of the claims and 1% of the lost records, and a pricey $1.41 million per claim, due to high legal and regulatory costs related to PCI. Note that these figures are for claims filed in 2013. There's no doubt all the figures will be higher next year, as insurance companies sort out the pile of claims they've received from the major retailers hit with PoS malware over the spring and summer.

None of the claims were paid to government agencies.

Read the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 10:13:20 AM
Re: Drawing conclusions
Totally agree @Sara. It's a good baseline for a conversation with potential insurers. Really does  shine a spotlight on the fact that the cyber insurance industry is in its infancy.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/4/2014 | 10:08:01 AM
Re: Drawing conclusions
@Marilyn  Yes, there's still a lot we don't know. The report was really aimed at an audience of insurers, to give them info that would help them develop cyber-insurance policies going forward. My takeaway was that cyber insurance can be a big help, but might not cover as much as you'd like it to, and you should negotiate and plan accordingly. I think these numbers are something a CISO and a CRO should look at together.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 7:49:19 AM
Drawing conclusions
These numbers are fascinating, but it's hard to draw firm conclusions about the value of cyber insurance or the areas of greatest potential risk. It would be interesting to know more about the submitted claims that the insurers didn't cover -- and why. 

 

 
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.