Average cyber breach costs US$394,000, higher in financial services sector: NetDiligence

The aggregated average total breach cost of a cyber event is US$394,000, with an average claim for a large company of US$3.2 million, a new report from NetDiligence has found.

NetDiligence, a provider of cyber risk readiness and response services, outlined the figures in its seventh annual 2017 Cyber Claims Study, released earlier this week. The study calculates actual losses for data breach events covered by cyber liability insurance carriers.

This year’s study contrasts and compares cyber claims data aggregated over the last four years, NetDiligence noted in a press release. The report includes loss data from studies published in 2014-2016, as well as 354 claims collected in 2017. It summarizes findings from 2,411 submissions: each one, a data breach insurance claim. Of the cases in that analysis data subset, 582 cases represented claims from American organizations, while two cases represented claims from Canada. There were also four cases from the United Kingdom and two cases from Australia.

The study found that the aggregated average total breach cost was US$394,000, with an aggregated average payout for “crisis services” of US$249,000, the release said. The average claim in the financial services sector was US$588,000, while the average claim in the healthcare sector was US$537,000. For large companies (revenues greater than US$2 billion), the average breach cost was US$3.2 million, with the largest regulatory claim upwards of US$6 million.

“As an independent and trusted partner to the cyber insurance industry, NetDiligence is uniquely positioned to consolidate claims data from multiple insurers into an information repository that risk managers, company executives and insurance underwriters can use to solve real-world problems,” Mark Greisiger, president of NetDiligence, said in the release.

Other survey findings include:

• The retail sector exposed 67% (420 million) of the number of records in the total dataset;
• Companies with less than US$50 million in revenue were the most impacted, accounting for 47% of the claims;
• Cyber event recovery expense was reported as high as US$475,000;
• The gaming and casino sector incurred the highest forensics costs, averaging US$345,000, as well as the highest median breach cost of US$190,000;
• Healthcare claims for notification were the highest at US$695,000;
• Ransomware/cyber extortion affected every sector, with maximum breach costs in excess of US$500,000;
• Breach costs were 20% higher when there was cloud involvement;
• Payment card industry data was exposed in 16% of claims, but accounted for 67% of records. Personal health information data represented 15% of claims and 17% of exposed records, while personally identifiable information accounted for 36% of claims, but only 16% of exposed records; and
• Maliciously motivated insider events resulted in more expensive claims by a factor of four.

The survey noted that the numbers in the report are empirical as they were supplied directly by the “underwriters who paid the claims.” The study added that it is also important to note that many of the claims submitted for the study remain “open,” therefore aggregate costs as presented represent “’payouts-to-date’ and ‘breach costs to-date.’ It is virtually certain that additional payouts will be made on a significant portion of the claims in our dataset and therefore the costs in this study are almost certainly understated.”