Throughout October, dubbed National Cyber Security Awareness Month (NCSAM), the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) have been working together to educate consumers and businesses on how to prevent and recover from cyber scams, identity theft, ransomware attacks, and other cyber threats. This collaboration between government and private enterprise is critical to confronting cyber security matters—from state-sponsored attacks and malware to employee error and the ongoing encryption debate.
The severity of reported incidents, defined by the financial and reputational costs to a company or organization, is one aspect of cyber security that has been difficult to quantify given the variables at play. But in an effort to help entities understand the potential impact, cyber risk assessment company NetDiligence used reported cyber liability insurance claims to illustrate the real costs of incidents from an insurer’s perspective. The findings were published in NetDiligence’s sixth annual Cyber Claims Study:
- The average breach cost* $665K with an average claim payout of $495K.
- The average breach cost a large company (defined as $10B-$100B in revenue) $6M. That’s ten times the average claim for small companies.
- Breaches had the largest impact on the financial services industry at $1.8M.
- The healthcare industry was most frequently breached overall (19% of all reported incidents).
While these numbers may seem like a drop in the bucket for the Targets and Yahoos of the world, these household names are no longer the only targets for cyber criminals. SMEs are experiencing an increasing number of cyber incidents. In fact, 81% of the 21 cases in excess of $1M reported in NetDiligence’s 2016 study involved small-revenue organizations ($300M-$2B in revenue) that were victims of hackers or malware.
While businesses are increasingly putting detailed data security incident response plans in place, there is more that can be done in peacetime. Recruit third-party experts who can help during the active incident management phase. Exercise your response team through tabletops and simulation drills to validate your plans and protocols. Adequately train employees on your data and privacy policies.
The companies that failed to do so faced large legal settlements on top of the cost of disclosing the breach. It’s never too soon to prepare for an incident that could cost your company millions of dollars and give your customers years of identity and credit monitoring headaches. But it can be too late.
*Most claims submitted to the study were for total insured losses, including self-insured retentions, which ranged from $0-$10M. In addition, aggregate costs as presented in this study represent payouts to date.