Although it is usually the high-profile cases such as Sony, LinkedIn, Wyndham Hotels and Zappos that you read about, small and medium-sized companies are frequently the victims of malicious or criminal attacks leading to data theft, or inadvertently expose customer or third-party data through the negligence of their employees or ‘glitches’ in their IT systems.
According to the Identity Theft Resource Center, 23 million confidential records were exposed in 2011. That year also saw an expansion of what courts consider to be personally identifiable information (PII): after the breaches at marketing firms Epsilon and Silverpop, email addresses are now arguably treated as PII. The broadening of this definition places a further burden on companies to comply with the breach notification requirements enshrined in both state and federal law whenever personal information is involved.
Data breaches and cyber crime can cost organizations millions in fines, legal damages, notification costs, public relations expenses and lost profits. In a recently released report by NetDiligence, the average cost per breach was $3.7m and the average cost per record was $3.94. This data was derived from 137 insurable events that occurred between 2009 and 2011. As the report correctly points out, the sample is a small subset of all breaches and covers only those costs which the insurance carriers incurred.
Another authoritative report is the annual benchmark study carried out by the Ponemon Institute. In the 2011 study, the cost of a data breach was reported at $194 per record and $5.5m per breach.
So which number is correct?
The Ponemon report studies 49 U.S. companies in 14 different industries and examines a wider range of business costs following a data breach, including expense outlays for detection, escalation and notification, the impact of lost business, and the cost of increased customer turnover or churn. As the NetDiligence report also points out, we should not get too hung up on the cost per record. Notification costs will correlate with the number of records, but legal and forensic costs are more likely to correlate with the complexity of the breach and the specific requirements of the industry.
As one study focuses on insurable costs and the other on total business costs, we can draw a number of conclusions from comparing them:
(1) Not all of your exposure is insurable. It is important that your broker or risk manager can clearly articulate what coverage is being offered. Cyber insurance is constantly changing in response to emerging risks and new legislation, and there is no standardized policy form in the marketplace, so as a buyer you must be fully informed of the coverage and exclusions on offer. Don’t stick your head in the sand and wait for a claim to come in!
(2) Only 10% of the NetDiligence sample involves first-party claims, that is, first-party expenses (excluding notification costs and other ‘crisis’ services) and loss of profits following a data breach. The variance between the two studies would suggest that first-party losses make up the bulk of an organization’s exposure.
(3) As the Ponemon study notes, companies are becoming better at employing data loss prevention strategies and response plans, and those that are better prepared suffer reduced losses when a data breach occurs. The leading insurance carriers will offer support in implementing such strategies and plans as part of their overall service; indeed, cover will often be contingent on implementing such controls. The variance in costs may also indicate that the insurance carriers are underwriting the better-quality risks.
The overall variance between the two studies shows that risk transfer through insurance is not a panacea but only one of several strategies companies should employ to reduce their exposure to data breaches. Companies in the financial services, healthcare, retail and technology sectors continue to carry a significant exposure.