Cyber Liability Claims Statistics
The following data was provided by Swett & Crawford regarding cyber liability claims: As more organizations choose to buy cyber liability coverage, the biggest issue is no longer the decision to buy but the choice of appropriate limits. This is a difficult task for any organization. Recent claims cost studies can help an organization understand the types of losses and costs actually being paid, and so choose limits for itself.
NetDiligence, a cyber risk assessment and data breach services company, released its fourth annual NetDiligence Cyber Claims Study, based on actual cyber claims reported by insurance carriers from a sample of 117 insured data breach claims. Of the 117 claims, 111 involved the disclosure of sensitive personal data, and 6 involved business interruption losses or the theft of trade secrets. Key metrics from the study:
The average number of records exposed in each breach was 2.4 million.
The average cost of each record exposed was $956.
The average claims payout was $733,000.
The total claims payout was $62.3M, of this total:
Below is the breakdown of Crisis Services costs as categorized above:
The average Crisis Services payout was $366K ranging up to $13.7M.
Payouts for regulatory defense ranged up to $5M.
Payouts for regulatory settlements ranged up to $2.5M.
Payouts for PCI fines ranged from $11K to $6.9M (based on 3 reported PCI-related claims).
Additional information on Crisis Services costs is available from the 2013 report issued by Zurich Insurance Company. The following average cost figures were reported:
Forensic Expense – $200 to $1,500 per hour
Notification – $2 to $15 per record
Call Center Expense – dependent entirely on call volume, hours, training, and staffing requirements (no set amount)
Credit Monitoring – $10 to $30 per record per year
Public Relations – based on the level of crisis management services the customer requests (no set amount)
Based on a review of these studies, note the following considerations when estimating the cost of a cyber breach:
There is often very little correlation between the payout on a claim and the number of records exposed. For instance, a breach with one of the smallest numbers of records lost incurred defense and settlement costs of over $11M.
While Crisis Services costs are relatively consistent, legal and regulatory costs and PCI fines or assessments are not.
Crisis Services costs benefit from economies of scale: the cost per record for notification and credit monitoring decreases as the number of affected individuals increases. Various insurance carriers have also reported that credit monitoring is elected by only 10% to 20% of those affected by a breach, which dramatically lowers that cost.
It can be argued that there is no accurate way to estimate potential losses from any predetermined cost-per-record figure. This makes any attempt to benchmark potential claim payouts unreliable. Given this high degree of uncertainty, all organizations should take great care in selecting their cyber liability limits.
In determining limits, an organization should evaluate the type of data it holds and its exposure to regulatory action or PCI fines, penalties, or assessments, which may necessitate purchasing higher limits for those areas. In determining Crisis Services costs, an organization should establish the number of confidential records it stores or processes in a year. This number can be used as a starting point for limits covering these costs. Various insurance companies and cyber risk consulting firms have made breach cost calculators available to help organizations consider their limits.
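As an added illustration of the starting-point calculation described above (this is example code written for this page, not a calculator published by Swett & Crawford, NetDiligence, or Zurich), the following estimator turns a record count into a low/high range for the Crisis Services line items that have per-record or per-hour figures on this page. The per-record ranges and the 10% to 20% credit-monitoring election rate are the ones quoted above; the number of forensic hours, the number of monitoring years, and the exclusion of call-center and public-relations costs (which the Zurich figures give no set amount for) are assumptions of the example. The second function shows how much the same credit-monitoring line item is overstated if every affected person is assumed to enrol, which is the point made about election rates above.

```python
"""Crisis Services limit estimator (added example; figures from the Zurich 2013
ranges quoted on this page, other parameters are labelled assumptions)."""
from dataclasses import dataclass

# Per-record / per-hour ranges reported in the Zurich 2013 figures quoted above.
NOTIFICATION_PER_RECORD = (2.0, 15.0)            # $ per record
CREDIT_MONITORING_PER_RECORD_YEAR = (10.0, 30.0)  # $ per record per year
FORENSIC_PER_HOUR = (200.0, 1500.0)              # $ per hour

# Share of affected individuals who actually elect credit monitoring,
# as reported by carriers above (10% to 20%).
MONITORING_ELECTION_RATE = (0.10, 0.20)

# Call-center and public-relations costs have no set amount on this page
# and are deliberately left out of the estimate (assumption of this example).


@dataclass(frozen=True)
class Estimate:
    """A low/high dollar range for one cost component."""
    low: float
    high: float

    def __add__(self, other: "Estimate") -> "Estimate":
        return Estimate(self.low + other.low, self.high + other.high)


def _scaled(quantity: float, unit_range: tuple) -> Estimate:
    """Multiply a quantity by a (low, high) unit-cost range."""
    return Estimate(quantity * unit_range[0], quantity * unit_range[1])


def estimate_crisis_services(records: int,
                             forensic_hours: float = 200,
                             monitoring_years: int = 1,
                             election_rate: tuple = MONITORING_ELECTION_RATE) -> dict:
    """Return low/high estimates per component plus a total.

    records          - confidential records stored or processed (the starting
                       point recommended above)
    forensic_hours   - assumed investigation effort (assumption, not from page)
    monitoring_years - years of credit monitoring offered (assumption)
    election_rate    - (low, high) share of affected people who enrol
    """
    if records < 0 or forensic_hours < 0 or monitoring_years < 0:
        raise ValueError("inputs must be non-negative")
    if not (0.0 <= election_rate[0] <= election_rate[1] <= 1.0):
        raise ValueError("election_rate must be an ordered pair within [0, 1]")

    notification = _scaled(records, NOTIFICATION_PER_RECORD)

    # Only the electing share of affected people generates monitoring cost,
    # and the low end of take-up pairs with the low end of unit cost.
    monitoring = Estimate(
        records * election_rate[0] * CREDIT_MONITORING_PER_RECORD_YEAR[0] * monitoring_years,
        records * election_rate[1] * CREDIT_MONITORING_PER_RECORD_YEAR[1] * monitoring_years,
    )

    forensics = _scaled(forensic_hours, FORENSIC_PER_HOUR)

    return {
        "notification": notification,
        "credit_monitoring": monitoring,
        "forensics": forensics,
        "total": notification + monitoring + forensics,
    }


def naive_monitoring_cost(records: int, monitoring_years: int = 1) -> Estimate:
    """Credit-monitoring cost if every affected person is assumed to enrol,
    for comparison with the election-rate-adjusted figure."""
    return _scaled(records * monitoring_years, CREDIT_MONITORING_PER_RECORD_YEAR)


if __name__ == "__main__":
    # Constructed sample input: an organization holding 100,000 records.
    result = estimate_crisis_services(100_000, forensic_hours=200, monitoring_years=1)
    for name, est in result.items():
        print(f"{name:18s} ${est.low:>12,.0f}  to  ${est.high:>12,.0f}")
    naive = naive_monitoring_cost(100_000)
    print(f"naive monitoring   ${naive.low:>12,.0f}  to  ${naive.high:>12,.0f}")
```

For 100,000 records the election-rate-adjusted monitoring line comes out at $100,000 to $600,000 against $1,000,000 to $3,000,000 under the naive assumption, which is why carriers' reported take-up rates matter so much for the Crisis Services starting point. Legal, regulatory, and PCI exposure are intentionally not modelled here, consistent with the observation above that they do not track record counts.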