NetDiligence: 2015 Cyber Claims Study

30/09/2015 21:12

The fifth annual NetDiligence® Cyber Claims Study uses actual reported cyber liability insurance claims to illuminate the real costs of incidents from an insurer’s perspective. Our goal is to raise awareness about cyber risk within the risk manager community.

For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. We also looked at two additional data points: whether there was insider involvement and whether a third-party vendor was responsible for the incident.


We then looked at the costs associated with Crisis Services (forensics, notification, credit/ID monitoring, legal counsel and miscellaneous other), Legal Damages (defense and settlement), Regulatory Action (defense and settlement) and PCI Fines. 


This report summarizes our findings for a sampling of 160 data breach insurance claims, 155 of which involved the exposure of sensitive personal data in a variety of business sectors. Two business interruption claims did not involve the loss of sensitive information and three claims were for defense of class action lawsuits alleging wrongful data collection. 


It is important to note that many of the claims submitted for this study remain ‘open’; the aggregate costs presented in this study therefore represent “payouts to-date”. It is virtually certain that additional payouts will be made on a significant portion of the claims in our dataset, so the costs in this study are almost certainly understated.

  • The majority of claims submitted for this study are for smaller (Main Street) organizations and our findings best represent that group. 
  • Many insurers are leveraging legal counsel (Breach Coach®) early in the claims process to minimize mistakes on the part of the affected organization. This tends to prevent or minimize follow-on regulatory fines, legal defense and settlement costs. 
  • Insurers are putting in place ‘preferred vendor panels’ with pre-negotiated rates for Crisis Services costs, which we believe significantly reduces the cost of breach response for policyholders of those insurance carriers. We estimate data breach response costs for an uninsured organization could be up to 30% higher than costs for an insured organization.