Cyberinsurance Can't Keep The Hackers Out, But It Can Keep A Business Running


BY THE NUMBERS: DATA BREACH CLAIMS

Insurance claim data yields information into data breach causes and the associated expenses of security incidents. A recent study of 145 data breach claims in 2013 conducted by NetDiligence found that claims ranged from $25,000 to $400,000. The company's analysis found that smaller businesses experienced the most incidents, while larger firms lost more records.

Insurance claim payouts helped offset many standard expenses following a data breach. Crisis services cost an average $737,473, and legal defense cost an average of $574,984, according to NetDiligence. The average legal settlement was $258,099.

Businesses are relying more on cyberinsurance to cover the growing legal expenses associated with data breaches. Class-action lawsuits are common, but legal action, backed by cyberinsurance carriers, is helping businesses settle regulatory action related to incidents.

Security experts are watching Wyndham Hotel Corp., which is scuffling with the Federal Trade Commission in court over fines it received related to several breaches at its hotel chain that took place between 2008 and 2010. More than 600,000 credit card numbers were stolen and $10.5 billion in fraudulent transactions were reported as a result of the exposure. The FTC claims that Wyndham Hotel should have had stronger protections in place to protect its customer information. Wyndham says the FTC doesn't have the authority to govern cybersecurity issues.

Of $84 million in total payouts, about half was spent on digital forensics investigations, breach notification, credit monitoring and identity theft remediation following a security incident, according to the NetDiligence study. About 35 percent of payouts addressed legal defense activities, 13 percent helped offset legal settlement costs and less than 1 percent of payouts covered PCI and regulatory fines.

Credit and debit card information was exposed in the majority of the claims examined by the NetDiligence, followed by other financial data and billing records. NetDiligence said one claim involved copyright infringement.

Fines associated with the Payment Card Industry Data Security Standards (PCI-DSS) ranged from $11,000 to $120,000, according to the study. Two incidents occurred at restaurants and were caused by hackers. A third incident occurred at an organization in the education sector and involved hacking a point-of-sale device, the study found.

"The dirty little secret of the infosec world, and with compliance in particular, is that there is no comfort to be gained from meeting requirements," said Pete Lindstrom, a security expert and principal analyst at Spire Security. "Your likelihood of having an incident doesn't actually change. Compliance doesn't equal security."

According to the NetDiligence study, of the 145 data breach claims only four addressed health-care data, resulting in coverage of fines of $150,000 each. The health-care firms either improperly handled paper records or were struck by malware infections, exposing personal health-care information.

Cyberinsurance also paid out in the case of a staff member of a health-care provider who commented on a patient's diagnosis on a social media website. The resulting legal expenses caused the per‐record cost for that incident to exceed a quarter of a million dollars, according to the study. In another claim, the theft of one donor's credit card information from a nonprofit resulted in a forensics investigation, a lawsuit and a PCI fine led to $50,000 in expenses.

Most incidents stemmed from lost or stolen laptops and storage devices followed by external hackers. Rogue employees came in next, responsible for 17 claims, followed by malware infections and exposure of data in paper records. Denial of service attacks resulting in business disruption and downtime were associated with three claims, according to NetDiligence.

PUBLISHED JAN. 21, 2014



Get a roundup of CRN's security coverage right to your inbox with the Security Advisor newsletter.