SANTA MONICA, Calif.—The average cost of a cyber breach in 2015 was nearly $674,000—for now, according to NetDiligence’s latest cyber claims study.
Revealed at its Cyber Risk & Privacy Liability Forum here, the claims study is based on a sampling of 160 cyber liability claims, with a claim range of zero to $15 million. Claims involving the loss of records containing personal identifiable information made up the most (45 percent). Nearly a third involved hackers.
NetDiligence said the dataset, received from about 20 insurers, includes some claims that have not yet been paid. The average could rise to $1.1 million assuming self-insured retentions are met.
“It is virtually certain that additional payouts will be made on a significant portion of the claims in our dataset and therefore the costs in this study are almost certainly understated,” read the report.
For samples in the pool of 160 claims that reported both the number of records involved in the incident and cost, the average cost per record was about $964—a slight increase from an average of about $956 reported a year ago.
With the help of NetDiligence, Verizon said it looked at the average cost per record from a breach and found it isn’t constant and can be inversely related to the number of records.
“Small breaches could have costs that skyrocket into tens of thousands of dollars per record, while very large breaches (millions of records) will have their cost per record drop down to just pennies per record,” Verizon said. “Any simple cost-per-record estimate will greatly underestimate the costs for small breaches and grossly overstate the losses from larger breaches.”
NetDiligence concluded the average legal costs were about $434,000 and the average settlement was $880,800. The average cost of crisis services was $500,000, with a median total of $60,000.
The report, for the first time, delves into organization size. Smaller organizations made up most of the claims, with organizations with revenue of less than $50 million accounting for 28 percent and organizations with a revenue range of $50 million to $2 billion making up 43 percent.
Symantec, a sponsor of the report, added some comments: “Why smaller organization? These organizations tend to be operating with the tightest budget for security and staff, they have business connections to larger companies through partnerships and products, and the data they are storing and transmitting is still very useful to nefarious individuals.”
Attacks on smaller companies can cause other incidents and claims. Symantec called for data to analyze how far one attack on a small business can travel into the industry around it.