Curiously, while the numbers on data security and cyber liability losses have grabbed headlines, the published information has not focused on the insurance perspective. NetDiligence® recently released its Cyber Claims Study 2014 (the Study), which focuses on cyber liability insurance claims and provides grave warnings to mid- and small-cap policyholders, their brokers and insurers. Businesses in all sectors must consider the catastrophic harm a cyber crisis event will have on their economic lives and discuss with their brokers the availability of cyber coverage options. Based on the variety of cyber policies available, insurers are able to assist smaller companies in preparing for and surviving a cyber event.
The Study establishes that cyber threats are affecting smaller businesses with greater cost and consequence. Businesses classified as “small-revenue” ($300 million to $2 billion), “micro-revenue” ($50 million to $300 million) and “nano-revenue” (less than $50 million) now account for 72 percent of all data breaches. NetDiligence evaluated 117 data breach insurance claims between 2011 and 2013, representing a 5 percent to 10 percent sampling of the total number of cyber claims in all markets in 2013. Notwithstanding the daily barrage of news reports of cyber crime, what that snapshot of claims reveals is shocking on two fronts. First, the vast majority of data breach claims arise not as a consequence of the work of skilled computer “hackers” but rather as a result of the more elusive “human error”; and second, the costs incurred by those compromised businesses continue to expand in both scope and size. Clearly, small and mid-size companies are not only less prepared but also less able to weather a cyber event that negatively impacts their supply chain.
The Study spotlights the potential costs and expenses that companies will incur after suffering a cyber event. The bottom line for a mid-size or small company is whether it has the funds available, because the standard insurance portfolio of general liability and property coverages will not provide coverage for a cyber crisis event.
A Case in Point
The Study’s findings provide sobering cost estimates for any company involved in responding to and surviving a cyber crisis event. For example, Company A, a “micro-revenue” company, discovers that it has suffered a cyber event. Whether it is an employee error or an attack, the costs begin to mount immediately. First, Company A will need consultants for forensic services, notification assistance, legal guidance and public relations. While it is likely already too late because Company A’s C-suite failed to properly create and develop an incident response plan, it now scrambles to find the experts who will provide the appropriate third-party services. According to the Study, the average payout for crisis consultants is $366,484. While Company A’s other officers are struggling to retain the right third-party service providers, the CFO is trying to figure out how the company will pay the expected fees and costs, because it failed to invest in a cyber policy as part of its incident response plan.
However, paying for these services is only the beginning. Handling the regulatory investigation is likely one of the most stressful and time-consuming efforts in a cyber crisis event. While the C-suite attempts to maintain a balance between business continuity and handling the cyber event, the regulatory investigation becomes more and more intrusive and demanding. Mistakes made in response to a regulatory investigation and without expert assistance can be crippling. The Study found that the average payout for regulatory defense costs amounted to $1,041,096, and the payout for regulatory settlements was $937,500. Defense costs also mount as Company A’s efforts are extended to survive the cyber event. The Study found that the average cost for legal defense amounted to $698,797. Additionally, payouts for legal settlements amounted to an average of $558,520. While Company A’s efforts to survive the cyber crisis event may eventually be successful, the bottom line has suffered significantly and unnecessarily. In some cases, Company A may not survive and could close its doors as a result of an investigation alone.
Based on the Study’s findings, the average payout for a company that has suffered a cyber event is $733,109. A “small-revenue,” “micro-revenue” or “nano-revenue” company will have to ask if it has sufficient funds to respond to and survive such an event. If not, these companies and their brokers must consider enhancing the standard insurance portfolio with a cyber policy or face the possibility that the cyber crisis event will have catastrophic consequences.