In August, the Ponemon Institute reported that security exploits and data breaches had cost survey respondents (some of which experienced multiple incidents), on average, $9.4 million over a year. Yet, according to research released today by NetDiligence, the average payout of a cyber insurance claim is only $733,109.
NetDiligence surveyed cyber insurance providers only about claims they paid out; the data does not include submitted claims that the insurers did not cover. The data is from 117 claims: 111 cases of personal information exposure, three denials of service, and three thefts of trade secrets. Though the number of claims is small, NetDiligence estimates that it accounts for 5-10% of all paid cyberclaims.
The total payout of the 117 claims was $62.3 million. The size of the checks varied widely -- from $1,000 to $13.7 million. This year's average of $733,109 was 23% lower than last year's.
When calculating payouts, respondents include "self-insured restrictions" -- the amount a policy holder must pay out of pocket before getting a dime from the insurer. The policies mostly do not cover things like lost customers and opportunity costs, but those might be covered by other insurance policies held by an organization.
Type of costs
Overall, 48% of that $62.3 million went to "crisis services," which include forensic investigation, breach notification, and legal "guidance" (lawyers' advice, not representation). Individually, those costs vary widely. For example, though some claims did not spend a dollar on notification, another claim spent $6.15 million on it.
Fifteen percent of the total went to legal defense, 10% to legal settlements, 10% to regulatory defense, 11% to PCI fines, and 6% to other regulatory fines. Very few claimants had to pay for regulatory defense or regulatory settlement, but those who did paid dearly. Defense cost as much as $5 million, and settlement as much as $2.5 million.
Yet those high price tags don't necessarily have anything to do with the number of records exposed. The median per-record cost for all breaches was only $19.84, but the maximum was a whopping $33,000 per record. From the NetDiligence report:
- Whatever factors generate regulatory scrutiny for a given claim event, it appears that the number of records exposed is not necessarily a primary consideration....
For example, in one incident in this year’s dataset, only 80 [records] were lost. However, the legal defense and settlement costs were quite high, resulting in a cost per-record of more than $11,000.00. We think this is especially true in the Healthcare sector, where enforcement by State Attorneys General has been aggressive.
Causes of incidents
The NetDiligence report attributed each claim to a primary cause: hackers, malware, theft of hardware, employee error, paper records, and rogue employees, among others. "Hackers" and "malware" together accounted for only 40% of the claims, but they were responsible for 97% of lost records. And they were expensive. The median cost of incidents due to "hackers" was $242,762; the most expensive one cost $11.75 million. The median cost of a malware-related incident was $164,125; the maximum was $1.85 million.
Thirty-two percent of the incidents were attributable to insiders, and, not surprisingly, malicious insiders caused more damage than accidents. On average, rogue insiders accounted for 65,433 exposed records; unintentional staff errors accounted for 30,020. On average, rogue insiders caused $224,653 in financial losses; staff errors caused $137,778.
Source and size
Most breaches in the NetDiligence report were considered the joint fault of both an organization and a third party. Only 5% were blamed on the organization alone; 20% were blamed on a third party alone.
Therefore, there is an argument to be made that insuring one's organization against the failures of a third party -- if that third party does not itself have some cyber liability policy -- might be even more important than insuring against one's own failures. This is troubling when one considers that, according to Ponemon, only 11% of respondents' insurance policies covered the impacts of third-party security incidents.
Generally speaking, according to the NetDiligence report, small companies (by revenue) experience the most incidents, large companies have the fewest, and those in the middle suffer the worst damage.
The smallest companies -- those with annual revenue of $300 million or less -- filed 62% of the claims, which accounted for 1% of the lost records and cost between $1,000 and $1.3 million. The largest companies -- those with $1 billion to $10 billion of revenue -- filed 4% of the claims, which accounted for 4% of the lost records and cost between $1 million and $6.5 million. Medium companies -- those with $300 million to $10 billion of revenue -- filed 34% of the claims, which accounted for 95% of the lost records and cost between $2,500 and $13.7 million.
Sources, causes, costs vary widely by industry
The healthcare industry filed the most claims (23%) but accounted for only 3% of the lost records. However, the records that were stolen may have been particularly well-targeted, because healthcare was also hit disproportionately hard by malicious insiders (40% of total incidents). Healthcare also suffered the most expensive incidents, largely because personal health information breaches incurred the highest legal fees. The average payout for healthcare claims was $1.3 million (about 87% higher than average).
According to the Ponemon report, only 29% of respondents in the healthcare industry actually had cyber insurance policies in the first place.
Like healthcare, the financial services industry filed lots of claims (22%) but lost a small percentage of the records (1%). Finance was hit hardest by third-party incidents, accounting for 32% of them. Yet the cost was comparatively low: $288,000 on average.
Conversely, the entertainment industry had just a few incidents (3%) but lost the most records by far (52%) and had the highest average cost ($1.45 million). Entertainment payouts went mostly to high costs for legal and regulatory expenses.
The technology sector accounted for only 8% of the claims but 39% of the records lost. What set the tech industry apart, however, was that all three of the claims involving leaked trade secrets were in technology, and all were committed by "hackers." The claims cost between $150,000 and $900,000, most of which was spent on forensic investigations.
As for retail, it accounted for 10% of the claims and 1% of the lost records, and a pricey $1.41 million per claim, due to high legal and regulatory costs related to PCI. Note that these figures are for claims filed in 2013. There's no doubt all the figures will be higher next year, as insurance companies sort out the pile of claims they've received from the major retailers hit with PoS malware over the spring and summer.
None of the claims were paid to government agencies.
Read the full report here.