The average cost of a data breach insurance claim for a large company was USD 3.2 million between 2014 and 2017, according to the latest Cyber Claims Study from NetDiligence.
For all companies the cost totalled USD 394,000, rising to USD 588,000 in the financial services sector and USD 537,000 in the healthcare sector. The largest breach cost was USD 16 million and the largest regulatory claim was upwards of USD 6 million. The study also found that breach costs were 20% higher when there was cloud involvement.
By comparison, the Cost of Data Breach Study from IBM and Ponemon found that the average cost of a data breach (whether insured or not) in the US was USD 7.35 million, up 5% on the prior year’s study. The average cost of a data breach in the US rose for the fourth consecutive year, hitting USD 225 per compromised record, the highest since the study began in 2006.
At USD 3.62 million, the global average cost of a data breach was almost half that of the US, where regulatory requirements tend to be tougher. This was 10% lower than in the previous year, although half of this reduction was due to currency fluctuations, according to the IBM study.
Despite the decline in the overall cost, companies are experiencing larger breaches, according to IBM and Ponemon. The average size of the data breaches increased 1.8% to more than 24,000 records.
NetDiligence’s analysis shows that mid-market companies are becoming an increased target for cyber criminals. Companies with revenues of less than USD 50 million were the most impacted, accounting for almost half of the 2,411 data breach insurance claims analyzed between 2014 and 2017. Organizations with less than USD 2 billion in revenues accounted for 88% of the claims.
However, despite only accounting for 12% of the claims, larger organizations accounted for 76% of records exposed. Unsurprisingly, breach costs for larger organizations were substantially higher than costs for smaller organizations. The average cost for an organization with revenues in excess of USD 2 billion was more than 15 times greater than the average cost for a smaller organization.
Overall, notification costs were 39% higher than in the previous study, while the maximum notification costs increased 176% to USD 5.52 million. Forensic costs increased 57%, ranging from USD 265 to USD 3.86 million, while public relations costs increased dramatically with an average of USD 81,000 compared to USD 54,000 last year.
According to NetDiligence, breaches involving intellectual property or trademark infringement had the highest average breach cost (USD 865,000), followed closely by payment card industry-related breaches (USD 844,000). The study showed an increase in breaches involving the theft of trade secrets or intellectual property, however, data breaches exposing personal identifiable information remained the largest cause of breach, representing 36% of cyber insurance claims.
Professional services firms experienced the largest number of claims in 2016, closely followed by healthcare. Financial services and retail occupied the third and fourth positions. However, when looking at the number of records exposed, the retail, healthcare and financial services sectors combined accounted for 99% of all records lost.
According to cyber insurer Beazley, professional services firms are the most targeted sector for cyber attacks using social engineering. According to Beazley’s analysis, social engineering has emerged as a worrying trend, accounting for 18% of all breaches reported to Beazley by professional firms.
Beazley’s third quarter 2017 Breach Insights report also revealed a rapid growth of social engineering attacks as a cause of data breaches reported to the insurer by its clients. The percentage of data breaches involving social engineering increased from 1% in the first nine months of 2016 to 9% of the incidents reported to Beazley in the same period of 2017.
For more information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.