The release of the NetDiligence® 2015 Cyber Claims Study, the only one of its kind, reveals the most current data on cyber security events and their true costs. NetDiligence President Mark Greisiger shares the latest findings, including the top areas of concern for both insurers and the C-Suite.
What’s the history behind the claims study?
About five years ago, we recognized that the risk management community needed objective research to shine a brighter light on the many cyber risk exposures facing all sectors, and specifically the financial risks involved. This information is of great interest not just to our insurance partners, but also to reinsurers, brokers, clients and risk managers. Everyone wants a better understanding of incident frequency and severity and the media stories never reveal the bottom line implications.
How is this study different from what was already available?
The problem with many existing studies is that they are conducted by security firms and used for marketing purposes. Those studies that are more objective, such as Verizon’s Data Breach Investigations Report, are more focused on identifying the causes of data breaches and less focused on their financial impact. We wanted to offer a cost-focused study that doesn’t exaggerate or understate the risks but that takes an objective approach for industry awareness’ sake.
How is the study conducted? Where do you get your data and how is it reviewed?
We prepare a data collection form that’s simple and straightforward and asks claims people for information on losses that have been paid out over the last year. We send this form each year to all of the leading insurers that we support with our services. The information, about 160 claims, is collected over the subsequent months. The data is anonymous—the breached entity is never identified. We find out what happened and what caused the event, and the amounts paid out to the covered entity. We take this data to our A Team, which includes a statistician who crunches the numbers.
Each year we try to identify and highlight emerging trends and changes so that our readers can put the information into context.
How is the information broken down?
The goal is to create a layperson-friendly report with clean graphics that underscores key risk areas based on actual claims. We look at the business sectors impacted, the type of data losses, the cause of the data loss, the average size of losses and the size of overall claims. Each year we try to identify and highlight emerging trends and changes so that our readers can put the information into context.
Why do insurers participate? What’s in it for them?
There are a lot of advantages to having this information out there. Insurers participate because it helps educate their clients about risk. Industry brokers need to show their clients empirical data and not just media news reports about breaches which typically offer little to no information about claim payouts. CEOs and board members want to know how to stay ahead of cyber risk. That being said, we are honestly pleasantly surprised at the support and response we get, because we know it takes time to assemble this information, and we are grateful for it.
What are some highlights of this year’s findings?
We’ve created an infographic with some of our key findings, to which I would add:
- The per-record cost is holding steady at $964 (last year it was $956).
- Crisis service costs are down, and we see this positive trend as a reflection of wider usage of Breach Coaches® and the fact that our insurer partners are leveraging eRiskHub®’s Tiger Teams to help control and reduce these costs.
- Healthcare is the top breached sector, with 21 percent of reported events and healthcare’s costs are greater on average than in other sectors, averaging $1.3 million per event.
What are the takeaways for the insurance industry and for the C-Suite of covered entities?
The fact that we’re seeing greater numbers of insider involvement and third-party breaches should be eye-opening, but these are manageable risks for organizations. A greater focus on employee background checks and security and privacy awareness training programs can address the insider involvement issue. Due-diligence assessment of third-party vendors and precise contract language around privacy practices and obligations can help minimize vendor risk.
We’re also seeing a rise in wrongful data collection (class action liability) cases and this is another risk that can and should be managed from the highest levels of the organization by making consistent policy and practice a priority.
Overall, it’s important that organizations engage an objective, independent third-party to assess data security privacy practices and take proactive steps to identify weaknesses and remediate them.
Where do you see this study evolving in the next five years?
As the study grows, I would like to get more insurers participating and sharing more claims data, which will only make the study more useful. I would like to drill down into more specific details about the causes of loss and which safeguards are not proving effective. We expect the third-party vendor- and cloud provider-related losses to continue given the growth of outsourcing and connectivity, so I hope the study can provide more detail on these issues. As wrongful data collection class action suits grow, I also hope to gather more information about these ‘ethical privacy’ cases, including the costly fines and penalties related to enforcement actions. Finally, we already have an alliance with Verizon (their DBIR research team) and I hope to partner with other cybersecurity researchers and actuary firms to continue to improve the quality of our information and the presentation of data.
You can download the NetDiligence® 2015 Cyber Claims Study from our website: http://netdiligence.com/articles.php
NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal (www.eriskhub.com) is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.