Risk //


07:00 PM
Connect Directly

The Real Cost of Cyber Incidents, According To Insurers

Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.

In August, the Ponemon Institute reported that security exploits and data breaches had cost survey respondents (some of which experienced multiple incidents), on average, $9.4 million over a year. Yet, according to research released today by NetDiligence, the average payout of a cyber insurance claim is only $733,109.

NetDiligence surveyed cyber insurance providers only about claims they paid out; the data does not include submitted claims that the insurers did not cover. The data is from 117 claims: 111 cases of personal information exposure, three denials of service, and three thefts of trade secrets. Though the number of claims is small, NetDiligence estimates that it accounts for 5-10% of all paid cyberclaims.

The total payout of the 117 claims was $62.3 million. The size of the checks varied widely -- from $1,000 to $13.7 million. This year's average of $733,109 was 23% lower than last year's.

When calculating payouts, respondents include "self-insured restrictions" -- the amount a policy holder must pay out of pocket before getting a dime from the insurer. The policies mostly do not cover things like lost customers and opportunity costs, but those might be covered by other insurance policies held by an organization.

Type of costs
Overall, 48% of that $62.3 million went to "crisis services," which include forensic investigation, breach notification, and legal "guidance" (lawyers' advice, not representation). Individually, those costs vary widely. For example, though some claims did not spend a dollar on notification, another claim spent $6.15 million on it.

Fifteen percent of the total went to legal defense, 10% to legal settlements, 10% to regulatory defense, 11% to PCI fines, and 6% to other regulatory fines. Very few claimants had to pay for regulatory defense or regulatory settlement, but those who did paid dearly. Defense cost as much as $5 million, and settlement as much as $2.5 million.

Yet those high price tags don't necessarily have anything to do with the number of records exposed. The median per-record cost for all breaches was only $19.84, but the maximum was a whopping $33,000 per record. From the NetDiligence report:

    Whatever factors generate regulatory scrutiny for a given claim event, it appears that the number of records exposed is not necessarily a primary consideration....
    For example, in one incident in this years dataset, only 80
    [records] were lost. However, the legal defense and settlement costs were quite high, resulting in a cost per-record of more than $11,000.00. We think this is especially true in the Healthcare sector, where enforcement by State Attorneys General has been aggressive.

Causes of incidents
The NetDiligence report attributed each claim to a primary cause: hackers, malware, theft of hardware, employee error, paper records, and rogue employees, among others. "Hackers" and "malware" together accounted for only 40% of the claims, but they were responsible for 97% of lost records. And they were expensive. The median cost of incidents due to "hackers" was $242,762; the most expensive one cost $11.75 million. The median cost of a malware-related incident was $164,125; the maximum was $1.85 million.

Thirty-two percent of the incidents were attributable to insiders, and, not surprisingly, malicious insiders caused more damage than accidents. On average, rogue insiders accounted for 65,433 exposed records; unintentional staff errors accounted for 30,020. On average, rogue insiders caused $224,653 in financial losses; staff errors caused $137,778.

Source and size
Most breaches in the NetDiligence report were considered the joint fault of both an organization and a third party. Only 5% were blamed on the organization alone; 20% were blamed on a third party alone.

Therefore, there is an argument to be made that insuring one's organization against the failures of a third party -- if that third party does not itself have some cyber liability policy -- might be even more important than insuring against one's own failures. This is troubling when one considers that, according to Ponemon, only 11% of respondents' insurance policies covered the impacts of third-party security incidents.

Generally speaking, according to the NetDiligence report, small companies (by revenue) experience the most incidents, large companies have the fewest, and those in the middle suffer the worst damage.

The smallest companies -- those with annual revenue of $300 million or less -- filed 62% of the claims, which accounted for 1% of the lost records and cost between $1,000 and $1.3 million. The largest companies -- those with $1 billion to $10 billion of revenue -- filed 4% of the claims, which accounted for 4% of the lost records and cost between $1 million and $6.5 million. Medium companies -- those with $300 million to $10 billion of revenue -- filed 34% of the claims, which accounted for 95% of the lost records and cost between $2,500 and $13.7 million.

Sources, causes, costs vary widely by industry
The healthcare industry filed the most claims (23%) but accounted for only 3% of the lost records. However, the records that were stolen may have been particularly well-targeted, because healthcare was also hit disproportionately hard by malicious insiders (40% of total incidents). Healthcare also suffered the most expensive incidents, largely because personal health information breaches incurred the highest legal fees. The average payout for healthcare claims was $1.3 million (about 87% higher than average).

According to the Ponemon report, only 29% of respondents in the healthcare industry actually had cyber insurance policies in the first place.

Like healthcare, the financial services industry filed lots of claims (22%) but lost a small percentage of the records (1%). Finance was hit hardest by third-party incidents, accounting for 32% of them. Yet the cost was comparatively low: $288,000 on average.

Conversely, the entertainment industry had just a few incidents (3%) but lost the most records by far (52%) and had the highest average cost ($1.45 million). Entertainment payouts went mostly to high costs for legal and regulatory expenses.

The technology sector accounted for only 8% of the claims but 39% of the records lost. What set the tech industry apart, however, was that all three of the claims involving leaked trade secrets were in technology, and all were committed by "hackers." The claims cost between $150,000 and $900,000, most of which was spent on forensic investigations.

As for retail, it accounted for 10% of the claims and 1% of the lost records, and a pricey $1.41 million per claim, due to high legal and regulatory costs related to PCI. Note that these figures are for claims filed in 2013. There's no doubt all the figures will be higher next year, as insurance companies sort out the pile of claims they've received from the major retailers hit with PoS malware over the spring and summer.

None of the claims were paid to government agencies.

Read the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 10:13:20 AM
Re: Drawing conclusions
Totally agree @Sara. It's a good baseline for a conversation with potential insurers. Really does  shine a spotlight on the fact that the cyber insurance industry is in its infancy.
Sara Peters
Sara Peters,
User Rank: Author
12/4/2014 | 10:08:01 AM
Re: Drawing conclusions
@Marilyn  Yes, there's still a lot we don't know. The report was really aimed at an audience of insurers, to give them info that would help them develop cyber-insurance policies going forward. My takeaway was that cyber insurance can be a big help, but might not cover as much as you'd like it to, and you should negotiate and plan accordingly. I think these numbers are something a CISO and a CRO should look at together.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 7:49:19 AM
Drawing conclusions
These numbers are fascinating, but it's hard to draw firm conclusions about the value of cyber insurance or the areas of greatest potential risk. It would be interesting to know more about the submitted claims that the insurers didn't cover -- and why. 


Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-14
IBM Business Automation Workflow and is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
PUBLISHED: 2018-12-14
IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032.
PUBLISHED: 2018-12-14
Hardcoded credentials in the Ricoh myPrint application for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.
PUBLISHED: 2018-12-14
Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.
PUBLISHED: 2018-12-14
GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C The affected versions of the application have a path traversal vulnerability that fails...