Cyber Liability Claims Statistics
The following data was provided by Swett & Crawford regarding cyber liability claims: As more organizations choose to buy cyber liability, one of the most significant issues is no longer the decision to purchase but selecting the appropriate limits. This is a difficult task for any organization. Recent claims cost studies may help an organization understand the type of losses and costs being paid to choose limits for themselves.
NetDiligence, a Cyber Risk Assessment and Data Breach Services company, released its fourth annual NetDiligence Cyber Claims Study using actual cyber claims reported by insurance carriers from a sampling of 117 insured data breach claims. Of the 117 claims, 111 involved the disclosure of sensitive personal data, and six involved business interruption losses or the theft of trade secrets. Key metrics taken from the study found:
The average number of records exposed in each breach was 2.4 million.
The average cost of each record exposed was $956.
The average claims payout was $733,000.
The total claims payout was $62.3M; of this total:
Below find the breakout of Crisis Services Costs expense as categorized above:
The average Crisis Services payout was $366K, with payouts ranging up to $13.7M.
Payouts for regulatory defense went up to $5M.
Payouts for regulatory settlements ran up to $2.5M.
Payouts for PCI Fines ranged from $11K to $6.9M (based upon three reported PCI-related claims).
Additional information on Crisis Service costs is available from the 2013 report issued by Zurich Insurance Company. The following average cost information was reported:
Forensic Expense – $200 to $1,500 per hour
Notification – $2 to $15 per record
Call Center Expense – Dependent entirely on call volume, hours, training, and staffing requirements (no set amount)
Credit Monitoring – $10 to $30 per record per year
Public Relations – based on the level of crisis management services customer requests (no set amount)
Based on a review of these studies, note the following considerations in determining the costs of a cyber breach:
There is often very little correlation between the payout for the claim and the number of records exposed. For instance, a breach with one of the smallest numbers of records lost incurred defense and settlement costs of over $11M.
While Crisis Services costs are relatively consistent, legal and regulatory fees and PCI fines or assessments are not.
Crisis Services costs are scalable; the per-record price for notification and credit monitoring decreases as the number of affected individuals increases. Various insurance carriers have also reported that credit monitoring is only elected by 10% to 20% of those affected by a breach, thus dramatically lowering the cost.
It can be argued that there is no accurate way to estimate potential losses based on any pre-determined cost-per-record figure. This makes any attempt to benchmark potential claim payouts unreliable. Given this high degree of uncertainty, all organizations should carefully select their cyber liability limits.
In determining limits, an organization should evaluate the type of data it holds and its exposure to regulatory action or PCI fines, penalties, or assessments, which may necessitate purchasing higher limits for these areas of exposure. In determining Crisis Services costs, an organization should seek to determine the number of confidential records stored or processed in a year. This number can be used as a starting point for limits covering these costs. Various insurance companies and cyber risk consulting firms have made breach cost calculators available to help organizations consider their limits.