October 12, 2017 by Canadian Underwriter
The aggregated average total breach cost of a cyber event is US$394,000, with an average claim for a large company of US$3.2 million, a new report from NetDiligence has found.
NetDiligence, a provider of cyber risk readiness and response services, outlined the figures in its seventh annual 2017 Cyber Claims Study, released earlier this week. The study calculates actual losses for data breach events covered by cyber liability insurance carriers.
This year’s study contrasts and compares cyber claims data aggregated over the last four years, NetDiligence noted in a press release. The report includes loss data from studies published in 2014-2016, as well as 354 claims collected in 2017. It summarizes findings from 2,411 submissions: each one, a data breach insurance claim. Of the cases in that analysis data subset, 582 cases represented claims from American organizations, while two cases represented claims from Canada. There were also four cases from the United Kingdom and two cases from Australia.
The study found that the aggregated average total breach cost was US$394,000, with an aggregated average payout for “crisis services” of US$249,000, the release said. The average claim in the financial services sector was US$588,000, while the average claim in the healthcare sector was US$537,000. For large companies (revenues greater than US$2 billion), the average breach cost was US$3.2 million, with the largest regulatory claim upwards of US$6 million.
“As an independent and trusted partner to the cyber insurance industry, NetDiligence is uniquely positioned to consolidate claims data from multiple insurers into an information repository that risk managers, company executives and insurance underwriters can use to solve real-world problems,” Mark Greisiger, president of NetDiligence, said in the release.
The survey noted that the numbers in the report are empirical as they were supplied directly by the “underwriters who paid the claims.” The study added that it is also important to note that many of the claims submitted for the study remain “open,” therefore aggregate costs as presented represent “’payouts-to-date’ and ‘breach costs to-date.’ It is virtually certain that additional payouts will be made on a significant portion of the claims in our dataset and therefore the costs in this study are almost certainly understated.”