Cyberinsurance Claims: The Biggest Payouts

Claim Payouts Totaled $84 Million

A recent study of 145 data breach claims in 2013 conducted by NetDiligence, a Philadelphia-based cyber risk assessment services company, found that insurance companies paid out $84 million in data-breach- and security-incident-related costs. Mark Greisiger, president of NetDiligence, told CRN that the company works with cyberinsurance companies and hopes its annual study can be used to illuminate the real costs of incidents from an insurer’s perspective.

The claims were paid out for legal defense, legal settlements, regulatory fines, forensics costs, credit monitoring and identity theft remediation costs, the study revealed. The bulk of the payouts paid for crisis services, which include forensics, notification, credit monitoring and legal counsel. The smallest payout for crisis services was $2,560, while the largest payout was $11.5 million. The average payout was $737,473.

CRN brought together some of the interesting findings from the report that shed insight into the struggle businesses go through when dealing with data breaches.

Claims For Lost Or Stolen Laptops

Lost and stolen laptops have been consistently cited as the most serious threat to organizations. This has driven interest in data loss prevention, encryption and other data protection technologies. The NetDiligence analysis found that lost and stolen laptops and storage devices accounted for more than 20 percent of claim events. The security incidents themselves resulted in less than 1 percent of records exposed, the company said.

Claims For Hacking, Malware Incidents

Hackers accounted for fewer incidents, but their actions resulted in large data breaches, NetDiligence said. Hackers accounted for just more than 18 percent of claims but were responsible for more than 97 percent of records exposed. This is primarily due to two large hacking attacks that exposed 100 million records each, the company said.

Rogue employees were responsible for 17 claims. Breaches where malware was involved came in next with 14 claims, followed by the loss of paper records.

Claims For Denial Of Service Attacks

Five security incidents associated with claims resulted in business interruption. Denial of service attacks resulting in business disruption and downtime were associated with three claims, NetDiligence said. The incidents occurred in retail, financial services, manufacturing and telecommunications. The costs for these incidents are still pending.

NetDiligence’s 2011 study found 10 first-party loss incidents caused by DDoS attacks, malware and cyber extortion. That year, the claims reported approximately $1.22 billion in lost business income and $23 million in expenses. One incident resulted in fines of approximately $4 million, NetDiligence said.

Claims For Improper Collection Of Personal Data

California passed the Song-Beverly Act in 2011, which changed the definition of personally identifiable information and placed restrictions on whether organizations can collect ZIP codes and other identifiable information. Four claims involved the improper collection of sensitive data. Twelve claims resulted from losses caused by lawsuits that were brought following the passage of the Song-Beverly law. NetDiligence said organizations experienced losses for lawsuits involving online copyright infringement, weak passwords and unencrypted email.

Health-Care Claims Increase

Health care is now the clear leader with 41 claims, almost twice the 21 claims that occurred in financial services, according to the NetDiligence analysis. Retail was in third place with 18 claims, followed by professional services, technology and education.

Payouts for regulatory fines were reported for four claims. All four incidents involved the loss of personal health information. The claims were for fines of $150,000 for each incident. One incident involved the improper handling of paper records.

Most Claims Based On Credit Card Loss

Credit or debit card information was exposed in 23 of the claims submitted, NetDiligence said. Of the 88 claims that reported payouts, seven included PCI fines ranging from $11,000 to $120,000.

In one claim, the theft of one donor’s credit card information from a nonprofit resulted in a forensics investigation, a lawsuit and a PCI fine. The per-record cost for that incident was $50,000, NetDiligence said.

Median Payout Falls Within Narrow Range

Across all data types, the range of claim payouts was enormous, from a low of $2,560 up to $20 million.

Surprisingly, however, the median payout, regardless of data type, fell within a relatively narrow range, between $207,000 and $317,000, NetDiligence said.

There were two large claims for incidents in which more than 100 million records were exposed. For this reason, personally identifiable information accounted for more than 95 percent of the records exposed, NetDiligence said. Personal health information accounted for only 2.48 percent of records exposed.