Cyber Liability Claims Statistics

November 19, 2015

 

The following data was provided by Swett & Crawford in regards to cyber liability claims: As more organizations choose to buy cyber liability, one of the biggest issues is no longer the decision to buy but choosing the appropriate limits.   This is a difficult task for any organization. Looking at recent claims cost studies may help an organization understand the type of losses and or costs actually being paid in order to choose limits for themselves.

 

In the fall of 2014, NetDiligence, a Cyber Risk Assessment and Data Breach Services company, released its fourth annual NetDiligence Cyber Claims Study using actual cyber claims reported by insurance carriers from a sampling of 117 insured data breach claims. Of the 117 claims, 111 involved disclosure of sensitive personal data and 6 involved business interruption losses or the theft of trade secrets. Key metrics taken from the study found:

  • The average number of records exposed in each breach was 2.4 million

  • The average cost of each record exposed was $956

  • The average claims payout was $733,000

  • The total claims payout was $62.3M, of this total:

Below find the breakout of Crisis Services Costs expense as categorized above:

  • The average Crisis Services payout was $366K ranging up to $13.7M

  • Payouts for regulatory defense ranged up to $5M

  • Payouts for regulatory settlements ranged up to $2.5M

  • Payouts for PCI Fines ranged from $11K to $6.9M (based upon 3 reported PCI related claims)

Additional information on Crisis Service costs are available from the 2013 report issued by Zurich Insurance Company. The following average cost information was reported:

  • Forensic Expense- $200 to $1,500 per hour

  • Notification – $2 to $15 per record

  • Call Center Expense – Dependent entirely on call volume, hours, training and staffing requirements (no set amount)

  • Credit Monitoring – $10 to $30 per record per year

  • Public Relations – based on level of crisis management services customer requests (no set amount)

Based on a review of these studies, note the following considerations in determining the costs of a cyber breach:

  • There is often very little correlation between the payout for the claim and the number of records exposed.   For instance, a breach with one of the smallest number of records lost incurred defense and settlement costs in excess of $11M

  • While Crisis Services costs are relatively consistent, legal, regulatory costs and PCI fines or assessments are not

  • Crisis Services costs are scalable; the cost per record for notification and credit monitoring decreases when the number of affected individuals increases. It has also been reported by various insurance carriers that credit monitoring is only elected by 10% to 20% of those affected by a breach, thus dramatically lowering the cost

  • It can be argued that there is no accurate way to estimate potential losses based on any pre-determined cost per record feature. This makes any attempt to benchmark potential claim payouts unreliable.   With this high degree of uncertainty, all organizations should take great care in selecting their cyber liability limits

In determining limits, an organization should evaluate the type of data held and evaluate its risk to regulatory action or PCI fines, penalties or assessments, which may necessitate purchasing higher limits for these areas of exposure. In determining Crisis Services costs, an organization should seek to determine the number of confidential records stored or processed in a year, as this number can be used to determine a starting point for limits covering these costs. Various insurance companies and cyber risk consulting firms have made available breach costs calculators to assist organizations in considering their limits.

Share on Facebook
Share on Twitter
Please reload

Featured Posts

Restoration Insurance News: Understanding Your Workers Compensation Experience Mod (Part 2)

July 13, 2017

1/3
Please reload

Recent Posts

March 4, 2020

Please reload

Archive