No real relationship between number of records exposed, total claims payouts

By Erin Ayers on December 9, 2014

A recent survey of cyber insurance claims costs suggests the most expensive data breach events might not be the ones involving the largest number of breached records, and evaluating per-record costs does not provide insurers with effective loss modeling data, according to a new study from NetDiligence.

The study revealed that the average claim payout was $733,109. The average claim payout for a large company was $2.9 million. The most frequently breached industry sector was healthcare, where the average payout was $1.3 million.

“As we have seen in prior studies, there was a wide range of claim payouts for every data type, from a minimum of $1,000 up to $13.7 million,” said NetDiligence. “It should be noted that the median payout for [personal health information]-related breaches was substantially higher than other data types; 41 percent higher than [payment card information] and a whopping 66 percent higher than [personally identifiable information].”

The number of records varied widely among the claims submitted by insurance underwriters, ranging from 0 to 109 million records.

“The median number of records exposed was much smaller, coming in at 3,500. This continues a trend we saw in the past two years’ studies. The median number of records exposed was 45,000 in our inaugural 2011 study, 29,000 in 2012 and a mere 1,000 in 2013. It is clear that more claims are being submitted for breaches with a relatively small number of records exposed,” the firm reported in the study.

Cyber insurance claims include costs such as forensic investigations, customer notification, legal costs, regulatory fees and payment card compliance fines. While pinpointing an average per-record cost of $956.21, NetDiligence explained that several factors can drive up costs in a breach involving even a low number of records.

“Insurers should not feel comfortable estimating potential losses using any standard cost-per-record figure. There continues to be no meaningful correlation between the number of records exposed and the total payout for the claim,” said the firm. “For example, in one incident in this year’s dataset, only 80 [records] were lost. However, the legal defense and settlement costs were quite high, resulting in a cost-per-record of more than $11,000.00.”

NetDiligence looked at 117 insurance claims for data breaches, occurring between 2011 and 2013, resulting in a claim paid in 2013. Of those, 111 claims involved the exposure of sensitive personal data in a variety of business sectors. Six claims involved either business interruption or the theft of trade secrets. The study also looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization.

Claims related to third-party breaches and insider incidents were also evaluated. Hackers were the most typical cause of loss, and while payment card information (PCI) and personal health information (PHI) were exposed, the most common type of data lost was personally identifiable information (PII), which covers a wide range of information including email addresses and passwords. However, PHI tends to be the biggest ticket in terms of claims payments.

Of the claims examined, 85 involved payouts totaling $62.3 million. NetDiligence found that almost half (48 percent) of the costs were spent on crisis services (such as forensics and breach notification), 15 percent on legal defense, 10 percent on legal settlements, 10 percent on regulatory defense, 6 percent on regulatory fines and 11 percent on PCI fines. Not every claim involved all of these services; forensics, breach notification and legal services were the services most frequently used, and paid for.

Behind the Breach Costs

NetDiligence emphasized that claims data, while perhaps not instructive for loss modeling, can help illustrate the costs associated with data breaches.

“As an independent and trusted partner to the cyber liability insurance industry, NetDiligence is uniquely positioned to combine data from multiple insurers so that the pool of claims is large enough to ascertain real costs, project future trends and better educate concerned risk managers and CFOs,” said Mark Greisiger, president of NetDiligence.

Bo Holland, founder and CEO of AllClear ID, a sponsor of the survey, said: “Underwriting cyber insurance policies is becoming increasingly complex in the face of the new cyber risk threats. The insight this study provides will help cyber insurers and businesses mitigate the financial risks presented by cyber attacks.”

Andy Obuchowski, security and privacy director at McGladrey, also a sponsor, stated, “The reputational and financial impacts to small and middle market companies can be more damaging than the Fortune 500 organizations we have read about in the media, since many do not have the resources to address security and privacy issues themselves. The data points contained in this report provide insight into the costs associated with data breach incidents and the value of understanding related risks. This study can help further educate the market on potential risks and associated damages and promote more proactive efforts to help protect organizations in today’s environment.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].