Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


07:00 PM
Connect Directly

The Real Cost of Cyber Incidents, According To Insurers

Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.

In August, the Ponemon Institute reported that security exploits and data breaches had cost survey respondents (some of which experienced multiple incidents), on average, $9.4 million over a year. Yet, according to research released today by NetDiligence, the average payout of a cyber insurance claim is only $733,109.

NetDiligence surveyed cyber insurance providers only about claims they paid out; the data does not include submitted claims that the insurers did not cover. The data is from 117 claims: 111 cases of personal information exposure, three denials of service, and three thefts of trade secrets. Though the number of claims is small, NetDiligence estimates that it accounts for 5-10% of all paid cyberclaims.

The total payout of the 117 claims was $62.3 million. The size of the checks varied widely -- from $1,000 to $13.7 million. This year's average of $733,109 was 23% lower than last year's.

When calculating payouts, respondents include "self-insured restrictions" -- the amount a policy holder must pay out of pocket before getting a dime from the insurer. The policies mostly do not cover things like lost customers and opportunity costs, but those might be covered by other insurance policies held by an organization.

Type of costs
Overall, 48% of that $62.3 million went to "crisis services," which include forensic investigation, breach notification, and legal "guidance" (lawyers' advice, not representation). Individually, those costs vary widely. For example, though some claims did not spend a dollar on notification, another claim spent $6.15 million on it.

Fifteen percent of the total went to legal defense, 10% to legal settlements, 10% to regulatory defense, 11% to PCI fines, and 6% to other regulatory fines. Very few claimants had to pay for regulatory defense or regulatory settlement, but those who did paid dearly. Defense cost as much as $5 million, and settlement as much as $2.5 million.

Yet those high price tags don't necessarily have anything to do with the number of records exposed. The median per-record cost for all breaches was only $19.84, but the maximum was a whopping $33,000 per record. From the NetDiligence report:

    Whatever factors generate regulatory scrutiny for a given claim event, it appears that the number of records exposed is not necessarily a primary consideration....
    For example, in one incident in this years dataset, only 80
    [records] were lost. However, the legal defense and settlement costs were quite high, resulting in a cost per-record of more than $11,000.00. We think this is especially true in the Healthcare sector, where enforcement by State Attorneys General has been aggressive.

Causes of incidents
The NetDiligence report attributed each claim to a primary cause: hackers, malware, theft of hardware, employee error, paper records, and rogue employees, among others. "Hackers" and "malware" together accounted for only 40% of the claims, but they were responsible for 97% of lost records. And they were expensive. The median cost of incidents due to "hackers" was $242,762; the most expensive one cost $11.75 million. The median cost of a malware-related incident was $164,125; the maximum was $1.85 million.

Thirty-two percent of the incidents were attributable to insiders, and, not surprisingly, malicious insiders caused more damage than accidents. On average, rogue insiders accounted for 65,433 exposed records; unintentional staff errors accounted for 30,020. On average, rogue insiders caused $224,653 in financial losses; staff errors caused $137,778.

Source and size
Most breaches in the NetDiligence report were considered the joint fault of both an organization and a third party. Only 5% were blamed on the organization alone; 20% were blamed on a third party alone.

Therefore, there is an argument to be made that insuring one's organization against the failures of a third party -- if that third party does not itself have some cyber liability policy -- might be even more important than insuring against one's own failures. This is troubling when one considers that, according to Ponemon, only 11% of respondents' insurance policies covered the impacts of third-party security incidents.

Generally speaking, according to the NetDiligence report, small companies (by revenue) experience the most incidents, large companies have the fewest, and those in the middle suffer the worst damage.

The smallest companies -- those with annual revenue of $300 million or less -- filed 62% of the claims, which accounted for 1% of the lost records and cost between $1,000 and $1.3 million. The largest companies -- those with $1 billion to $10 billion of revenue -- filed 4% of the claims, which accounted for 4% of the lost records and cost between $1 million and $6.5 million. Medium companies -- those with $300 million to $10 billion of revenue -- filed 34% of the claims, which accounted for 95% of the lost records and cost between $2,500 and $13.7 million.

Sources, causes, costs vary widely by industry
The healthcare industry filed the most claims (23%) but accounted for only 3% of the lost records. However, the records that were stolen may have been particularly well-targeted, because healthcare was also hit disproportionately hard by malicious insiders (40% of total incidents). Healthcare also suffered the most expensive incidents, largely because personal health information breaches incurred the highest legal fees. The average payout for healthcare claims was $1.3 million (about 87% higher than average).

According to the Ponemon report, only 29% of respondents in the healthcare industry actually had cyber insurance policies in the first place.

Like healthcare, the financial services industry filed lots of claims (22%) but lost a small percentage of the records (1%). Finance was hit hardest by third-party incidents, accounting for 32% of them. Yet the cost was comparatively low: $288,000 on average.

Conversely, the entertainment industry had just a few incidents (3%) but lost the most records by far (52%) and had the highest average cost ($1.45 million). Entertainment payouts went mostly to high costs for legal and regulatory expenses.

The technology sector accounted for only 8% of the claims but 39% of the records lost. What set the tech industry apart, however, was that all three of the claims involving leaked trade secrets were in technology, and all were committed by "hackers." The claims cost between $150,000 and $900,000, most of which was spent on forensic investigations.

As for retail, it accounted for 10% of the claims and 1% of the lost records, and a pricey $1.41 million per claim, due to high legal and regulatory costs related to PCI. Note that these figures are for claims filed in 2013. There's no doubt all the figures will be higher next year, as insurance companies sort out the pile of claims they've received from the major retailers hit with PoS malware over the spring and summer.

None of the claims were paid to government agencies.

Read the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 10:13:20 AM
Re: Drawing conclusions
Totally agree @Sara. It's a good baseline for a conversation with potential insurers. Really does  shine a spotlight on the fact that the cyber insurance industry is in its infancy.
Sara Peters
Sara Peters,
User Rank: Author
12/4/2014 | 10:08:01 AM
Re: Drawing conclusions
@Marilyn  Yes, there's still a lot we don't know. The report was really aimed at an audience of insurers, to give them info that would help them develop cyber-insurance policies going forward. My takeaway was that cyber insurance can be a big help, but might not cover as much as you'd like it to, and you should negotiate and plan accordingly. I think these numbers are something a CISO and a CRO should look at together.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 7:49:19 AM
Drawing conclusions
These numbers are fascinating, but it's hard to draw firm conclusions about the value of cyber insurance or the areas of greatest potential risk. It would be interesting to know more about the submitted claims that the insurers didn't cover -- and why. 


COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.