Data breaches create insurance costs

Jun 12, 2014

Cyber attacks. Data breaches. Cyber crime. They've made headlines, and dealing with them is a growing business expense that can run into the millions of dollars for bigger companies.

Estimates of costs of a breach range from nearly $1 million to more than $3 million, according to research from Philadelphia-based cyber firm NetDiligence.

That's enough to drive a small business bankrupt, between possible fines, making customers whole and civil lawsuits.

LabMD, an Atlanta medical testing lab, closed in the face of the pressures and questions after the Federal Trade Commission began investigating the company's alleged loss of patient data.

Target still doesn't know how much its massive loss of customer information last year will cost the company. Its 2013 financial statement reported $61 million in costs already, with other experts estimating it will cost hundreds of millions more before the case and suits are resolved.

Because of the threats, a growing list of companies that keep customer data face a new cost: insurance. The policies deal with legal and communications expenses in the aftermath of a breach. They protect against the rising liabilities of digitally storing data, such as Social Security numbers, credit card numbers and addresses.

"(And) it's definitely increasing, for a variety of reasons," said Mark Greisiger, the president of NetDiligence, a cyber-risk management firm.

Financial services companies such as banks and advisers, health care and , hospitals, retailers, and technology and software companies are among the biggest buyers of the insurance, according to an August 2013 study authored by the Ponemon Institute, a Michigan research center dealing with privacy, data protection and information security policy.

Some businesses now require this type of coverage from vendors and contractors. The policies are often listed as a requirement when bidding on private contracts.

At the Risk and Insurance Management Society conference in Denver this April, about 100 risk managers were surveyed by Munich Re, a German company. Seventy-seven percent said their companies planned to buy some level of cyber-insurance coverage in the next year.

In 2013, there were 1,367 confirmed worldwide, according to Verizon's annual Data Breach Investigation Report released this spring.

A survey of cyber security insurers, compiled by NetDiligence last year, showed that the average data breach claim was for about $954,000.

Policies typically cover everything from liability, including the cost of hiring attorneys, to regulatory fines from federal and state regulators. A Georgia store with a website might have customers in South Carolina and Florida, possibly incurring multiple fines, and having to send out different types of legal notifications to customers in different states.

The insurance costs vary based on a business' revenue and industry and the amount of risk it has.

Hospitals and banks would face different digital breach hurdles and pay different premiums on cyber security insurance than a hotel or a restaurant.

A multi-state retailer with $100 million in revenue might pay $25,000 to $30,000 for the first $1 million in coverage, said Meredith Schnur, a senior vice president in the professional risk group at Wells Fargo Insurance, an offshoot of the bank. She helped organize NetDiligence's first conference in 2010.

There's no simple answer to the question of how much insurance a particular company should take out, Schnur said.

"Target (probably) bought a $100 million (policy) and obviously that's not enough. So are the other 70 national retailers buying a $100 million policy?"

"They probably weren't before, but they probably are now," she said.

COSTS PER BREACH:

-Average claim: $954,000 (down from $3.7 million in 2012). Average for larger companies is still $3 million.

-Claim range: $2,500 to $20 million.

-Median claim: $242,500.

-Typical claim: $25,000 to $400,000.

Crisis services costs (forensics, legal counsel, notification and credit monitoring)

-Average cost of crisis services: $737,000.

-Median cost of crisis services: $210,000.

Legal costs (defense & settlement)

-Average cost of defense: $575,000.

-Average cost of settlement: $258,000.

SOURCE: NetDiligence

Explore further: Neiman Marcus: 1.1M cards may be compromised (Update)

not rated yet
add to favorites email to friend print save as pdf

Related Stories

Target exec's departure puts spotlight on CIOs

Mar 06, 2014

The departure of Target's chief information officer in the wake of the company's massive pre-Christmas data breach highlights the increased pressure facing executives who are charged with protecting corpora ...

ISS seeks ouster of most of Target's board

May 28, 2014

A prominent proxy advisory firm has recommended that Target shareholders vote out seven of its 10 board members after a massive pre-Christmas data breach.

Recommended for you

US warns shops to watch for customer data hacking

11 hours ago

The US Department of Homeland Security on Friday warned businesses to watch for hackers targeting customer data with malicious computer code like that used against retail giant Target.

Fitbit to Schumer: We don't sell personal data

Aug 22, 2014

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

Aug 22, 2014

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

How much do we really know about privacy on Facebook?

Aug 22, 2014

The recent furore about the Facebook Messenger app has unearthed an interesting question: how far are we willing to allow our privacy to be pushed for our social connections? In the case of the Facebook ...

Philippines makes arrests in online extortion ring

Aug 22, 2014

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

Google to help boost Greece's tourism industry

Aug 21, 2014

Internet giant Google will offer management courses to 3,000 tourism businesses on the island of Crete as part of an initiative to promote the sector in Greece, industry union Sete said on Thursday.

User comments : 0