2016 Cyber Claims Study

The annual NetDiligence® Cyber Claims Study uses actual cyber liability insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective.

Our objective for this study is to help risk management professionals and insurance underwriters understand the true impact of data insecurity by consolidating claims data from multiple insurers so that the combined pool of claims is large enough that it allows us to ascertain real costs and project future trends.

While many leading cyber liability insurers participate in the study every year, there are many insurers that have not yet processed enough cyber claims to be able to participate. So our annual study remains a work in progress, while still producing some interesting results.

It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.


2015 NetDiligence® Cyber Claims Study
 
The fifth annual NetDiligence® Cyber Claims Study uses actual cyber liability insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective. Our goal is to raise awareness about cyber risk within the risk manager community.
 
For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. We also looked at two additional data points: whether there was insider involvement and whether a third-party vendor was responsible for the incident.
 
We then looked at the costs associated with Crisis Services (forensics, notification, credit/ID monitoring, legal counsel and miscellaneous other), Legal Damages (defense and settlement), Regulatory Action (defense and settlement) and PCI Fines.
 
This report summarizes our findings for a sampling of 160 data breach insurance claims, 155 of which involved the exposure of sensitive personal data in a variety of business sectors. Two business interruption claims did not involve the loss of sensitive information and three claims were for defense of class action lawsuits alleging wrongful data collection.
 
It is important to note that many of the claims submitted for this study remain ‘open’; therefore, aggregate costs as presented in this study represent “payouts to-date”. It is virtually certain that additional payouts will be made on a significant portion of the claims in our dataset and therefore the costs in this study are almost certainly understated.
  
  • The majority of claims submitted for this study are for smaller (Main Street) organizations and our findings best represent that group.
  • Many insurers are leveraging legal counsel (Breach Coach®) early in the claims process to minimize mistakes on the part of the affected organization. This tends to prevent or minimize follow-on regulatory fines, legal defense and settlement costs.
  • Insurers are putting in place ‘preferred vendor panels’ with pre-negotiated rates for Crisis Services costs, which we believe significantly reduces the cost of breach response for policyholders of those insurance carriers. We estimate data breach response costs for an uninsured organization could be up to 30% higher than costs for an insured organization.
 
 
2014 Privacy (Cyber) Liability & Data Breach Insurance Claims. 
A NetDiligence Study of Actual Claim Payouts

 

This year's report summarizes NetDiligence's findings for a sampling of 117 cyber liability insurance claims, 111 of which involved the exposure of sensitive data. The study examines the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. For the first time this year, the study also examines claims due to third-party breaches and claims due to insider involvement, both accidental and malicious.

Once again, however, the primary focus of the study is the costs incurred by underwriters due to cyber claim events, including Crisis Services (forensics, notification, and legal counsel), Legal (class action lawsuit defense and settlement), Regulatory (defense and settlement) and PCI (fines).

 "As an independent and trusted partner to the cyber liability insurance industry, NetDiligence is uniquely positioned to combine data from multiple insurers so that the pool of claims is large enough to ascertain real costs, project future trends and better educate concerned Risk Managers and CFOs," said Mark Greisiger, president of NetDiligence. "We are gratified that our cyber liability insurance carrier and broker partners continue to share some of their loss data with NetDiligence. Without them, the valuable insights this educational study provides would not be possible."

Sponsoring this year's NetDiligence Cyber Claims Study are AllClear ID, McGladrey and ICSA Labs.

Bo Holland, founder and CEO, indicated that AllClear ID sponsored the study again this year because understanding the total costs of a data breach is of utmost importance to cyber insurers and their customers. "Underwriting cyber insurance policies is becoming increasingly complex in the face of the new cyber risk threats. The insight this study provides will help cyber insurers and businesses mitigate the financial risks presented by cyber attacks."  

Andy Obuchowski, security and privacy director at McGladrey, discussed his firm's decision to sponsor this year's study. "The reputational and financial impacts to small and middle market companies can be more damaging than the Fortune 500 organizations we have read about in the media, since many do not have the resources to address security and privacy issues themselves. The data points contained in this report provide insight into the costs associated with data breach incidents and the value of understanding related risks. This study can help further educate the market on potential risks and associated damages and promote more proactive efforts to help protect organizations in today's environment."

The study is now available for download at the NetDiligence website (http://www.netdiligence.com/articles.php). eRisk Hub® licensors and their clients can download the study from the Learning Center of the eRisk Hub. The eRisk Hub (www.eriskhub.com) is a web-based cyber risk management portal that helps organizations prevent and recover from data breaches.


 

2013 Privacy (Cyber) Liability & Data Breach Insurance Claims. 
A NetDiligence Study of Actual Claim Payouts
 
This report summarizes our findings for a sampling of 145 data breach insurance claims, 140 of which involved the exposure of sensitive data in a variety of sectors, including government, healthcare, hospitality, financial services, professional services, retail and many more.
 
Key Findings
PII was the most frequently exposed data (28.7% of breaches), followed closely by PHI (27.2% of breaches).
 
Lost/Stolen Laptop/Devices were the most frequent cause of loss (20.7%), followed by Hackers (18.6%).
 
Healthcare was the sector most frequently breached (29.3%), followed by Financial Services (15.0%).
 
Small‐Cap ($300M‐$2B) and Nano‐cap (< $50M) companies experienced the most incidents (22.9% and 22.1% respectively). 
Mega‐Cap (> $100B) companies lost the most records (45.6%).
 
The median number of records lost was 1,000. The average number of records lost was 2.3 million.
 
Claims submitted for this study ranged from $2,500 to $20 million. Typical claims, however, ranged from $25,000 to $400,000.
 
The median claim payout was $242,500. The average claim payout was $954,253. 
However, many claims in our dataset have not yet been paid. If we assume that, at a minimum, the SIR will be met, the median claim payout would be $250,000 while average claim payout would be $3.5 million.
 
The median per‐record cost was $107.14. The average per‐record cost was $6,790. However, if we exclude outliers (incidents with a low number of records exposed but extremely high payouts), the median per‐record cost was $97 and the average per‐record cost was $307.
 
The median cost for Crisis Services (forensics, notification, credit monitoring and legal guidance) was $209,625. The average cost for Crisis Services was $737,473.
 
The median cost for legal defense was $7,500. The average cost for legal defense was $574,984.
 
The median cost for legal settlement was $22,500. The average cost for legal settlement was $258,099.
 
 
Source: http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf

2012 Cyber Liability & Data Breach Insurance Claims
 
A Study of Actual Payouts for Covered Data Breaches
 
By Mark Greisiger
President NetDiligence®
October 2012
 
In 2011, some 23 million confidential records were exposed through more than 414 reported security breaches, according to the national nonprofit Identity Theft Resource Center (ITRC). These figures represent a 44 percent increase in the number of records exposed, yet a 37 percent decrease in the number of reported incidents, over what was reported for 2010.
 
Clearly, while 2011 brought us fewer incidents, many of the incidents that did occur were large in scale.
 
In fact, 2011 saw some of the biggest data breaches ever reported: Sony, Sutter Health, Science Applications International Corporation (a third-party provider for Tricare), Epsilon and the Texas Comptroller’s Office.
 
While this paper focuses on incidents that occurred from 2009 through 2011, we should note that 2012 has already seen a significant number of really large breaches, including Global Payments (1.5 million records), Yahoo! (400 thousand passwords), Wyndham Hotels (600 thousand credit cards), eHarmony (1.5 million passwords), LinkedIn (6.5 million passwords), Zappos (24 million records), Gamigo (3 million records), and the Texas Attorney General’s Office (6.6 million records).
 
 
 
2011 Cyber Liability & Data Breach Insurance Claims
 
A Study of Actual Payouts for Covered Data Breaches
 
By Mark Greisiger
President NetDiligence®
July 2011

 

For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, what caused the loss, and which business sector suffered the incident. We also looked at the number of records exposed and the associated crisis services (forensics, notification, credit monitoring, and legal counsel), legal damages (defense and settlement), business interruption costs, and fines (PCI & regulatory). 
 
Lastly, we asked leaders in the industry representing insurance carriers, law firms, general counsel and cyber breach consultants to offer their insights into recent developments and trends in breach events.
 
This report summarizes our findings for a sampling of data breach insurance claims occurring between 2005 and 2010 in a variety of industries, including airlines, consulting, education, financial services, retail, manufacturing, information technology and healthcare. 
 



Source: http://www.netdiligence.com/files/CyberLiability-0711sh.pdf