Canadian Underwriter

Average claim payout for large company cyber breaches $2.9 million: survey


December 4, 2014   by Canadian Underwriter



The average claim payout following a cyber breach for surveyed insurers in the United States amounted to US$733,109, notes a study released Wednesday by NetDiligence, a cyber risk assessment and data breach services company.

“The average claim payout for a large company was US$2.9 million, while the average payout in the healthcare sector was US$1.3 million,” states NetDiligence’s fourth annual edition of the report, Cyber Claims Study 2014.

The report – which included findings for a sampling of 117 data breach insurance claims – uses reported claims to determine real costs of incidents from an insurer’s perspective. The incidents occurred between 2011 and 2013, and the affected organizations had some form of cyber or privacy liability coverage.

Of the 111 claims submitted, 85 reported claims payouts, with total payouts amounting to US$62.3 million. The smallest claim payout was US$1,000 while the largest was US$13.7 million, notes the study, which examines the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization.

Of the US$62.3 million in payouts, 48% was spent on crisis services, 15% on legal defence, 10% on legal settlements, 10% on regulatory defence, 6% on regulatory fines, and 11% on payment card information (PCI) fines.

“We estimate that our dataset represents 5% to 10% of the total number of cyber claims handled by all markets in 2013,” the report notes. “Most claims submitted were for total insured losses and so included self-insured retentions (SIRs), which ranged from US$0 to US$1.5 million.”

Of the 117 data breach insurance claims, 111 involved the exposure of sensitive personal data in a variety of business sectors; the remaining six claims involved either business interruption or the theft of trade secrets.

Small-revenue (US$300 million to US$2 billion), micro-revenue (US$50 million to US$300 million) and nano-revenue (less than US$50 million) companies experienced the most incidents, accounting for 25%, 24% and 23%, respectively.

Other findings noted in the report include the following:

  • personally identifiable information (PII) was the most frequently exposed data (41% of breaches), followed by private health information (PHI) (21%) and PCI (19%);
  • hackers were the most frequent cause of loss (30%), followed by staff mistakes (14%);
  • there was insider involvement in 32% of the claims submitted;
  • the average number of records lost was 2.4 million;
  • the average cost for crisis services (forensics, notification, legal guidance and miscellaneous other) was US$366,797; and
  • the average cost for legal settlement was US$558,520.

“Despite increasing awareness around cyber security and the increasing frequency of data breach events, it has been difficult to fully assess the insurance cost (severity) of these events,” notes the report.

“We are gratified that our cyber liability insurance carrier and broker partners continue to share some of their loss data with NetDiligence,” Mark Greisiger, president of NetDiligence, says in a company statement. “Without them, the valuable insights this educational study (sponsored by AllClear ID, McGladrey and ICSA Labs) provides would not be possible,” Greisiger adds.

Understanding the total costs of a data breach is of utmost importance to cyber insurers and their customers, suggests Bo Holland, founder and CEO of AllClear ID. “Underwriting cyber insurance policies is becoming increasingly complex in the face of the new cyber risk threats. The insight this study provides will help cyber insurers and businesses mitigate the financial risks presented by cyber attacks,” Holland says.

“The reputational and financial impacts to small and middle market companies can be more damaging than the Fortune 500 organizations we have read about in the media, since many do not have the resources to address security and privacy issues themselves,” adds Andy Obuchowski, security and privacy director at McGladrey. “This study can help further educate the market on potential risks and associated damages and promote more proactive efforts to help protect organizations in today’s environment,” Obuchowski points out.