Study Shows Costs of Cyber Incidents From Insurer's Perspective

Cyber risk assessment and data breach services company NetDiligence published a new study on Monday focusing on the costs incurred by insurance underwriters due to cyber incidents.

The fourth annual Cyber Claims Study was sponsored by AllClear ID, McGladrey and ICSA Labs, and is based on a sample of 117 data breach insurance claims. The focus is on 111 of these cases in which sensitive personal data was exposed.

The report shows that in 2013 payouts ranged between $600 and $6.5 million, but typical claims ranged from $30,000 to $400,000. The average claim payout was $733,109.

The financial services and the healthcare industries were the most affected, accounting for a total of 44% of the claims. However, these sectors accounted for only 4% of the total number of records exposed. The report puts the entertainment sector (52% of exposed records) and the technology sector (39% of exposed records) at the top of the chart.

The average claim payout in the healthcare sector was $1.3 million. In the case of the entertainment ($1.4 million), media ($1.1 million), retail ($1.1 million) and technology ($700,000) sectors, high payouts were the result of major cyberattacks, NetDiligence said.

The average number of records lost was 2.4 million, with the average cost per record calculated at $956.21. When it comes to causes of loss, hackers accounted for most claims (29%), followed by staff mistakes (13%), malware (11%), and rogue employees (11%).

The costs incurred by underwriters are for legal matters, such as class action lawsuit defense and settlement; crisis services, such as notification, legal counsel and forensics; fines for PCI violations; and regulatory costs that include defense and settlement.

In the case of crisis services, the average cost was $366,484, while for legal defense it was $698,797. The average cost for legal settlement was $558,520, the report shows.

Judging by the size of affected organizations, micro-revenue organizations accounted for 33% of claims, followed by nano-revenue organizations (30% of claims), mid-revenue organizations (12% of claims), and large-revenue organizations (4% of claims). However, NetDiligence has pointed out that the cases covered by the study represent only 5-10% of the total number of claims handled in 2013 by all markets.

"The reputational and financial impacts to small and middle market companies can be more damaging than the Fortune 500 organizations we have read about in the media, since many do not have the resources to address security and privacy issues themselves," said Andy Obuchowski, security and privacy director at McGladrey. "The data points contained in this report provide insight into the costs associated with data breach incidents and the value of understanding related risks. This study can help further educate the market on potential risks and associated damages and promote more proactive efforts to help protect organizations in today's environment."

The large number of data breaches has made many organizations consider adopting cyber insurance. However, a study published last month shows that most brokers have not seen a significant increase in sales, despite the heightened interest from executives and boards.

The complete Cyber Claims Study (PDF) from NetDiligence is available online.

Related: The Hidden Strategic Advantage in Cyber Insurance

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.