Canadian Underwriter
News

Majority of data breach respondents did not have cyber insurance: Ponemon Institute


May 8, 2014   by Canadian Underwriter


Print this page

Only one in three companies surveyed by Ponemon Institute LLC have a cyber insurance policy to manage the risk of data breaches, but the average cost per compromised record was US$145, with some respondents reporting more than 100,000 compromised records.

Traverse City-based Ponemon Institute announced Monday its ninth annual Cost of Data Breach Study, sponsored by IBM Corp.

Thirty-two per cent of respondents “have a cyber insurance policy to manage the risk of attacks and threats” and of those, 54% “are satisfied with the coverage,” Ponemon Institute stated in the report.

“An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company,” Ponemon Institute notes. “While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.”

The study was based on 1,690 interviews of information technology, compliance and information security practitioners “who are knowledgeable about their organization’s data breach and the costs associated with resolving the breach.” Those respondents were from 314 organizations in the United States, Britain, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates and Saudi Arabia.

“All participating organizations experienced a data breach ranging from a low of approximately 2,415 to slightly more than 100,000 compromised records.”

A breach includes “an event in which an individual’s name plus a medical record and/or a financial record or debit card is potentially put at risk-either in electronic or paper format.” Those breaches could be from malicious attacks, system glitches and human error.

Ponemon Institute defines a record as “information that identifies the natural person (individual) whose information has been lost or stolen in a data breach,” such as a name associated with credit card information.

The company calculated the average cost, per record, of data breaches in each region. From all respondents, the average cost was $145. In the U.S., it was $201 in 2014, up from $188 in 2013. All figures are in U.S. dollars, converted from local currencies.

Ponemon Institute also broke down the cost per record of a data breach by industry class, such as $359 in healthcare, $294 in education, $227 in pharmaceutical, $206 in financial and $177 in communications.

“The appointment of a Chief Information Security Officer (CISO) to lead the data breach incident response team reduced the cost of a breach by more than $6,” per record, IBM stated Monday in a press release announcing the survey. “Consistent with previous Cost of Data Breach studies, the most common cause of a data breach is a malicious insider or criminal attack.”

The average cost to an organization of a data breach was $5.85 million in the United States.

The survey included both direct and indirect costs, which included investigations to determine root cause, identifying the probable victims, public outreach and legal services for defence and compliance.

The report also took into account “opportunity costs,” such as the “estimated number of customers who will most likely terminate their relationship as a result of the breach incident” and the estimated number of potential customers who decided not to have a relationship with the company as a result of the breach.

Ponemon Institute noted the sampling methods are “not scientific” and therefore it cannot apply margins of error.

“It is our belief that the current sampling frame is biased toward companies with more mature privacy or information security programs.”