Dark Reading is part of the Informa Tech Division of Informa PLC

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

New report shines light on what cyber insurance can and can't do for enterprises that suffer data breaches.

A vast majority of breaches fall below cyber insurance policy deductibles, according to a new study conducted by insurance information and analytics company Advisen and commissioned by ID Experts, a data breach response services company.

Most data breaches are small -- consisting of fewer than 500 records lost -- and the median data breach is only 100 records, the report says. But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000 and 48% with a deductible that is over $101,000. 

Meantime, more than 70% of respondents use internal resources to manage these smaller breaches.

“There’s a lot of misconceptions around cyber security insurance -- what it does, what it could do,” says John Pescatore, director of emerging security trends at SANS. It’s not for everyday occurrences, he says.

Take auto insurance, for example: your insurance provider isn’t going to pay to fix your flat tire, nor is cyber insurance going to cover smaller breaches, he says. It doesn’t make economic sense. “The survey brought out a lot of the reality of [cyber insurance’s] limited role,” Pescatore says.

Advisen’s product manager Aloysius Tan concurs that there is a gap in coverage, “in that a lot of these smaller breaches are not exactly covered by insurance companies." So it would be wise to have a contingency to cover the cost of small breaches, Tan says.

Of the 203 risk professionals participating in the survey, the majority classified themselves as chief risk manager/head of risk management department (41%), representing businesses of all sizes and across all regions of the US. 

The study also found that 60% of organizations say that the information technology (IT) department is responsible for managing the data breach response.

Jeremy Henley, director of breach services at ID Experts, believes that more groups from the organization need to get involved in the incident response process. “At a minimum, you’re going to want IT, legal, privacy and compliance, and risk management [involved],” says Henley. “When your breach starts getting larger, operations, marketing/communications/PR need to get involved."

Include HR as well, he says, because the breach could be caused by an employee training or discipline issue and you’ll need to be able to prove that you handled the response appropriately. 

While the cyber insurance industry is still very much in its nascent stages, it has more than doubled in value since 2012, from $1 billion to $2 billion in 2015, and, according to Moody’s, could triple by 2020. A report released by Marsh last year says the massive growth can be attributed to the broader scope of hacktivists in the growing landscape of cyber threats.

Despite the fact that cyber insurance doesn’t currently cover small breaches, both Henley and Tan see an opportunity for insurance carriers to offer assistance to organizations that need advice from external data breach response groups. “There is a pretty big gap where insurance companies can fill in terms of their business strategy,” Tan says.

ID Experts' Henley says carriers could offer more tools for preparing and responding to smaller incidents -- such as connections for legal counsel, data breach response vendors, and public relations agencies. 

Insurance carriers basically need to get more involved in incidents, he says. But he acknowledges that not everyone wants to disclose every little incident to their insurance company for fear of seeing increased premiums.

If you can establish a comfort level with the insurance company, Henley says, they can offer you advice and services to potentially minimize the costs of these smaller breaches such as data breach issues involving W2 forms, something Henley is seeing a lot of as tax season approaches. 


Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...

3/22/2016 | 10:18:47 AM
Re: Will cyber insurance premiums ever decrease?
If premiums under $600 are what you're looking for, all you need to do is look a bit harder. Excellent coverage suites from substantial Insurance Carriers with deductibles as low as $1,000 are readily available for SME.

For SME, ANY breach could be catastrophic.  They need a Cyber SWAT Team that they can call and have everything handled.  That is one of the best features of the insurance policies currently available and affordable.

We certainly buy insurance to protect against serious & catastrophic circumstances.  For SME, a 100-500 PII Breach is just that.  60% of them go out of business within 6 months of a cyber crime.  The insurance industry has indeed responded to the needs of SME to transfer this risk effectively and inexpensively.


3/22/2016 | 10:06:49 AM
Security Pros Missing The Mark
According to the Survey cited, the lack of insurance coverage for the average breach is solely attributable to the size of deductibles in the respondent's insurance policy. Establishing an average deductible of $10,000 indicates that the overwhelming number of respondents are not Small-MidSized Enterprises.

The current Marketplace for Cyber Insurance is replete with deductibles as low as $1,000 for the SME segment, the very firms who would be crippled or bankrupted by a 100-500 PII breach.

Is cybersecurity the panacea for these firms (or any for that matter)?  Obviously not, as the headlines would illustrate.  No, Breach Response is the critical factor and SME needs assistance and guidance the most.

To imply that Cyber Insurance isn't worth buying is fundamentally irresponsible.
3/11/2016 | 5:39:04 PM
Will cyber insurance premiums ever decrease?
This is definitely a case of where size matters. As the article mentions, it's very similar to car insurance. While you have insurance to cover a serious accident or catastrophic damage, you still have to pay your deductible for the accident. And so businesses will need to cover a portion of every security breach. A more interesting aspect might be that the article noted that cyber insurance coverage is increasing in the market. This will bring more competition and hopefully lower premiums for businesses. Unfortunately, with the huge amount of breaches that continue to happen annually, it remains to be seen if premiums can be reduced.