A vast majority of breaches fall below cyber insurance policy deductibles, according to a new study conducted by insurance information and analytics company Advisen and commissioned by ID Experts, a data breach response services company.
Most data breaches are small -- consisting of fewer than 500 records lost -- and the median data breach is only 100 records, the report says. But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000 and 48% with a deductible that is over $101,000.
Meanwhile, more than 70% of respondents use internal resources to manage these smaller breaches.
“There’s a lot of misconceptions around cyber security insurance -- what it does, what it could do,” says John Pescatore, director of emerging security trends at SANS. It’s not for everyday occurrences, he says.
Take auto insurance, for example: your insurance provider isn’t going to pay to fix your flat tire, nor is cyber insurance going to cover smaller breaches, he says. It doesn’t make economic sense. “The survey brought out a lot of the reality of [cyber insurance’s] limited role,” Pescatore says.
Advisen’s product manager Aloysius Tan concurs that there is a gap in coverage, “in that a lot of these smaller breaches are not exactly covered by insurance companies." So it would be wise to have a contingency to cover the cost of small breaches, Tan says.
Of the 203 risk professionals participating in the survey, the largest group (41%) classified themselves as chief risk manager/head of risk management department, representing businesses of all sizes and across all regions of the US.
The study also found that 60% of organizations say that the information technology (IT) department is responsible for managing the data breach response.
Jeremy Henley, director of breach services at ID Experts, believes that more groups from the organization need to get involved in the incident response process. “At a minimum, you’re going to want IT, legal, privacy and compliance, and risk management [involved],” says Henley. “When your breach starts getting larger, operations, marketing/communications/PR need to get involved."
Include HR as well, he says, because the breach could be caused by an employee training or discipline issue and you’ll need to be able to prove that you handled the response appropriately.
While the cyber insurance industry is still very much in its nascent stages, it has more than doubled in value, from $1 billion in 2012 to $2 billion in 2015, according to Moody’s, and could triple by 2020. A report released by Marsh last year attributes the massive growth to the broader scope of hacktivist activity in the growing landscape of cyber threats.
Despite the fact that cyber insurance doesn’t currently cover small breaches, both Henley and Tan see an opportunity for insurance carriers to offer assistance to organizations that need advice from external data breach response groups. “There is a pretty big gap where insurance companies can fill in terms of their business strategy,” Tan says.
ID Experts' Henley says carriers could offer more tools for preparing and responding to smaller incidents -- such as connections for legal counsel, data breach response vendors, and public relations agencies.
Insurance carriers basically need to get more involved in incidents, he says. But he acknowledges that not everyone wants to disclose every little incident to their insurance company for fear of seeing increased premiums.
If you can establish a comfort level with the insurance company, Henley says, they can offer you advice and services to potentially minimize the costs of these smaller breaches, such as data breach issues involving W-2 forms, something Henley is seeing a lot of as tax season approaches.