Cyber insurance: quantifying data breaches
Coverage for cyber insurance clients includes direct financial losses and the resultant expenses of a breach, says Natalie van de Coolwijk, MD of CyGeist.
While general statistics on cyber crime and information security incidents are easy to come across, statistics relating to actual data breach costs are less readily available. Natalie van de Coolwijk, MD of cyber-focused UMA, CyGeist, which underwrites on behalf of Guardrisk, explores actual cyber insurance claims to shed light on breach costs.
"In the wake of an information security or privacy breach, a well planned and executed response can be instrumental in limiting potential damage to the affected organisation, as well as those whose data was compromised," advises Van de Coolwijk.
Effective breach response typically involves the following:
* Crisis management, such as a PR campaign to minimise reputational harm;
* Notification of the breach to affected parties;
* Remediation services, such as credit monitoring;
* Legal guidance;
* Forensic investigations;
* Data and services recovery;
* Legal expenses relating to defence and settlement of third party claims; and
* Potential fines and penalties.
NetDiligence, a US-based cyber risk assessment and data breach services company with whom CyGeist partners, recently analysed actual cyber insurance claims to obtain insight into the costs experienced as a result of a breach. Claims submitted for the study ranged from $2 500 to $20 000 000, with typical claims ranging from $25 000 to $400 000.
"While this study is not SA market specific, it provides valuable insight into the quantum and breakdown of costs associated with breach response," states Van de Coolwijk.
What was the damage?
Total claim pay-outs amounted to $84 000 000, of which 50.4% was spent on crisis services, 35.6% on legal defence, 12.9% on legal settlements and 1.1% on PCI and regulatory fines. The average pay-out was $954 253 and the median $242 500. At an individual record level, the average cost per record was $6 790, while the median was $107.14. Interestingly, the report found no real correlation between the number of records lost and the total cost of a breach. "Factors such as the type of data compromised and industry in which the organisation operates typically play a large role in breach costs and subsequent costs per record," states Van de Coolwijk.
Crisis management pay-outs varied between $2 560 and $11 500 000, the average being $737 473 and the median $209 625. While crisis management costs depend on the nature of the incident, they proved to be frequent and costly contributors to claims costs:
* Forensic investigations occurred in 75.8% of claims, at a mean cost of $104 740 and median of $10 000. "An investigation generally requires specialist skills to ascertain the extent of the incident, how it was caused and who was affected," comments Van de Coolwijk.
* Notifications to affected parties occurred in 63.6% of claims, at a mean cost of $126 703 and median of $14 636. "Notification extends beyond sending out bulk e-mails or SMSes and should include call centres, dark Web sites and PR campaigns to provide a clear and consistent message to affected parties, while seeking to protect the reputation of the organisation and protect those affected from additional damages," advises Van de Coolwijk.
* Remediation services such as credit and/or identity theft monitoring occurred in 50% of claims, at a mean cost of $55 865 and median of $2 060. Such services can be pivotal in preventing further damages to affected parties and influencing how they view the organisation going forward.
* Legal guidance on complying with regulations occurred in 80.3% of claims, at a mean cost of $29 225 and median of $12 000. According to Van de Coolwijk: "It is highly advisable to enlist the advice of legal professionals in the wake of a breach to ensure compliance with evolving regulatory requirements."
Legal defence and settlement costs occurred in 28.6% of claims: the average pay-out in respect of defence was $574 984 and the median $7 500, while the average pay-out in respect of settlement was $258 099 and the median $22 500. It's worth noting that these costs have the potential to become exorbitant: the highest defence costs in the study amounted to $10 000 000 and the highest settlement was $20 000 000.
Who's to blame and who got hit the hardest?
The top three causes of claims were:
* Lost or stolen laptops/devices, accounting for 20.7% of claims with a mean cost of $1 754 986 and median of $166 000.
* Hackers, causing 18.6% of claims with a mean cost of $1 013 371 and a median of $327 500.
* Rogue employees, resulting in 12.1% of claims with a mean cost of $423 663 and a median of $251 430.
These numbers should be of particular concern to South African organisations, especially considering the prevalence of theft in SA, the infrequency with which mobile devices are encrypted, and economic and labour issues, which could cause employees to become disgruntled and take malicious action against employers.
Claims were noted in most business sectors, with healthcare, financial services and retail business being the top three affected industries. While smaller companies experienced the most incidents, larger companies lost the most records and had the highest claims pay-outs.
Relevance for South African organisations
The regulatory landscape is evolving constantly and for South African organisations, there are fundamental changes on the horizon. Beyond compliance with industry-specific requirements such as those imposed by Visa and MasterCard, companies will soon have to adhere to the requirements imposed by the Protection of Personal Information Act, which include mandatory notifications to affected parties and the Information Regulator, as well as regulatory fines and penalties. Proposed international legislation might also potentially impact South African organisations that store and process data relating to overseas citizens.
Why cyber insurance?
Cover varies, but generally includes:
* Third party claims arising from compromised systems or data;
* Costs to restore data and systems;
* Loss of business income as a result of systems downtime;
* Crisis management expenses;
* Expenses incurred to notify regulatory bodies as well as affected third parties of a breach; and
* Expenses of security specialists, attorneys, forensic investigators and loss adjusters to contain, manage and remediate an incident.
There is a common misconception that traditional insurance policies provide cover for the above costs. While some traditional coverage options might have cyber crime extensions, the cover provided by cyber insurance is significantly broader and has been tailored to assist organisations in responding to a breach.
As opposed to just covering the insured for direct financial losses, cyber insurance policies cover the resultant expenses of a breach. Furthermore, the product not only provides cover for breaches resulting from cyber crimes committed by external parties, but also breaches as a result of malicious or negligent acts carried out by employees.