Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 PM
Connect Directly

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

New report shines light on what cyber insurance can and can't do for enterprises that suffer data breaches.

A vast majority of breaches fall below cyber insurance policy deductibles, according to a new study conducted by insurance information and analytics company Advisen and commissioned by ID Experts, a data breach response services company.

Most data breaches are small -- consisting of fewer than 500 records lost -- and the median data breach is only 100 records, the report says. But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000 and 48% with a deductible that is over $101,000. 

Meantime, more than 70% of respondents use internal resources to manage these smaller breaches.

“There’s a lot of misconceptions around cyber security insurance -- what it does, what it could do,” says John Pescatore, director of emerging security trends at SANS. It's it’s not for every day occurrences, he says.

Take auto insurance, for example: your insurance provider isn’t going to pay to fix your flat tire, nor is cyber insurance going to cover smaller breaches, he says.  It doesn’t make economic sense. “The survey brought out a lot of the reality of [cyber insurance’s] limited role,” Pescatore says. 

Advisen’s product manager Aloysius Tan concurs that there is a gap in coverage, “in that a lot of these smaller breaches are not exactly covered by insurance companies." So it would be wise to have a contingency to cover the cost of small breaches, Tan says.

Of the 203 risk professionals participating in the survey, the majority classified themselves as chief risk manager/head of risk management department (41%), representing businesses of all sizes and across all regions of the US. 

The study also found that 60% of organizations say that the information technology (IT) department is responsible for managing the data breach response.

Jeremy Henley, director of breach services at ID Experts, believes that more groups from the organization need to get involved in the incident response process. “At a minimum, you’re going to want IT, legal, privacy and compliance, and risk management [involved],” says Henley. “When your breach starts getting larger, operations, marketing/communications/PR need to get involved."

Include HR as well, he says, because the breach could be caused by an employee training or discipline issue and you’ll need to be able to prove that you handled the response appropriately. 

While the cyber insurance industry is still very much in its nascent stages, it has more than doubled in value from 2012, from $1 billion to $2 billion in 2015, and according to Moody’s, and could triple by 2020. A report released by Marsh last year says the massive growth can be attributed to the broader scope of hacktivists in the growing landscape of cyber threats.   

Despite the fact that cyber insurance doesn’t currently cover small breaches, both Henley and Tan see an opportunity for insurance carriers to offer assistance to organizations that need advice from external data breach response groups. “There is a pretty big gap where insurance companies can fill in terms of their business strategy,” Tan says.

ID Experts' Henley says carriers could offer more tools for preparing and responding to smaller incidents -- such as connections for legal counsel, data breach response vendors, and public relations agencies. 

Insurance carriers basically need to get more involved in incidents, he says. But he acknowledges that not everyone wants to disclose every little incident to their insurance company for fear of seeing increased premiums.

If you can establish a comfort level with the insurance company, Henley says, they can offer you advice and services to potentially minimize the costs of these smaller breaches such as data breach issues involving W2 forms, something Henley is seeing a lot of as tax season approaches. 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/22/2016 | 10:18:47 AM
Re: Will cyber insurance premiums ever decrease?
If premiums under $600 are what you're looking for, all you need to do is look a bit harder.  Excellent coveragee suites from substantial Insurance Carriers with deductibles as low as $1,000 are readily available for SME.

For SME, ANY breach could be catastrophic.  They need a Cyber SWAT Team that they can call and have everything handled.  That is one of the best features of the insurance policies currently available and affordable.

We certainly buy insurance to protect against serious & catastrophic circumstances.  For SME, a 100-500 PII Breach is just that.  60% of them go out of business within 6 months of a cyber crime.  The insurance industry has indeed responded to the needs of SME to transfer this risk effectively and inexpensively.


User Rank: Apprentice
3/22/2016 | 10:06:49 AM
Security Pros Missing The Mark
According to the Survey cited, the lack of insurance coverage for the average breach is solely attributable to the size of deductibles in the respondant's insurance policy.  Establishinging an average deductible of $10,000 indicates that the overwhelming number of respondants are not Small-MidSized Enterprises. 

The current Marketplace for Cyber Insurance is repleat with deductibles as low as $1,000 for the SME segment, the very firms who would be crippled or bankrupted by a 100-500 PII breach.

Is cybersecurity the panacea for these firms (or any for that matter)?  Obviously not, as the headlines would illustrate.  No, Breach Response is the critical factor and SME needs assistance and guidance the most.

To imply that Cyber Insurance isn't worth buying is fundamentally irresponsible.
User Rank: Apprentice
3/11/2016 | 5:39:04 PM
Will cyber insurance premiums ever decrease?
This is definitely a case of where size matters. As the article mentions, it's very similar to car insurance. While you have insurance to cover a serious accident or catastrophic damage, you still have to pay your deductible for the accident. And so businesses will need to cover a portion off every security breach. A more interesting aspect might be that the article noted that cyber insurance coverage is increasing in the market. This will bring more competition and hopefully lower premiums for businesses. Unfortunately, with the huge amount of breaches that continue to happen annually, it remains to be seen if premiums can be reduced.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-06
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
PUBLISHED: 2020-06-06
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.