I was talking with a friend the other day and the cost of cyber breaches came up. Not so much the loss of reputation (which everyone faces), the loss of sales (which many face) or the loss of jobs (as Target executives found)—but the cost of liability insurance, assuming there is such a thing. With the tidal wave of internal and external breaches, you would think that cyber insurance, if you can get it, would cost a fortune.
The fourth annual NetDiligence Cyber Claims Study reports the actual claims paid on cyber liability insurance policies, and so shows the real cost of incidents from an insurer's point of view. Illuminating.
The study asked insurance underwriters about data breaches and the claim losses they sustained. It looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. And for the first time, the report looked at whether an insider was involved or a third-party vendor was responsible for the incident.
I would recommend this report for light reading at bedtime. But it’s likely to keep you up all night.
I had never before seen a breakdown of the costs associated with Crisis Services (forensics, notification, legal counsel); Legal Damages (defense and settlement); Regulatory Action (defense and settlement); and Payment Card Industry (PCI) fines.
While a strong brand may recover from the damage to its reputation swiftly (this seems likely given the mind-numbing number of breaches reported each month, not to mention how quickly even Target customers returned to their old purchasing patterns), these incidents represent hard numbers that come straight off the bottom line.
The average claim payout for a large company was $2.9 million. That's embarrassing if your security budget is already that high. Non-zero claim payouts ranged from $600,000 to a whopping $6.5 million. (If someone can look up how the study defines "non-zero claim payout," please post it in the comments.)
But wait, there’s more…
Cyber Liability Insurance Costs
The average cost for Crisis Services and Legal Defense alone ran $1.1 million. Hey, a million here and a million there might get the attention of those people in the corner offices.
We've talked a great deal about insider threats in our blogs. In this report, staff mistakes and rogue employees together account for almost one-quarter of the entire data set. It will be interesting, as additional reports come out over the next few years, to see whether this share rises.
For the health care industry specifically, insider threats had an outsized effect. Only 23 percent of the claims in the data set came from health care, yet that sector accounted for 40 percent of malicious insider incidents. Malicious incidents also tended to expose more sensitive records than unintentional ones did: the data shows that malicious incidents exposed roughly double the number of records that unintentional incidents did.
"The same holds true for costs," the report explains. "Despite the fact that the single largest payout for an insider claim event was caused by a staff mistake, overall, malicious incidents tended to result in much higher costs."
The two largest claim events had virtually nothing in common – one involved a small number of Protected Health Information (PHI) records and the other a large number of payment card (PCI) records – yet legal and regulatory costs for both ran into the millions of dollars.
I was curious to find out what premiums cost and the extent to which losses affect them, but despite my best efforts I wasn't able to determine that. If you have any idea, you might let the rest of us know.
Of course, I haven’t even touched on regulatory issues.
Cyber Liability and Industry Regulations
Health care cyber security, and HIPAA/HITECH violations by organizations in general, continue to be a main focus for regulators going into 2015, I am told. Last month the Office of Inspector General (OIG) announced that its 2015 Work Plan will bring greater scrutiny to certain areas of HIPAA compliance. For the first time, the OIG will review hospitals' EHR contingency plans to determine the extent to which hospitals comply with the contingency-planning requirements of HIPAA. And that's regulation creep in only one industry.
There is no question that breaches, whether from the inside or the outside, are costly to an organization's reputation. Nevertheless, these hard dollars certainly make you stop and consider the impact on the bottom line. I thought you might want to know. And, of course, you know whose door they will come knocking on when companies have to pay out millions of those "hard" dollars.