2019 Cyber Claims Study

The annual NetDiligence® Cyber Claims Study uses actual cyber liability insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective.Our objective for this study is to help risk management professionals and insurance underwriters understand the true impact of data insecurity by consolidating claims data from multiple insurers so that the combined pool of claims is large enough that it allows us to ascertain real costs and project future trends.
While many leading cyber liability insurers participate in the study every year, there are many insurers that have not yet processed enough cyber claims to be able to participate. So our annual study remains a work in progress, while still producing some interesting results.

It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.

Download The Report

2018 Cyber Claims Study

The eighth edition of the NetDiligence® Cyber Claims Study offers insights for business innovation. In the same way that a business gains operational perspective by going through an audit, both the insurer and the insured can use the findings of this research to inform decision making and risk management. 

By the Numbers 

  • 1,201 claims analyzed, arising from incidents occurring from 2013–2017 
  • 298 claims analyzed arising from incidents occurring in 2017 
  • Over 500 new claims collected in 2018, from incidents occurring from 2015–2017 
  • 85% of the claims were from smaller organizations (< $2 billion in revenues) 

The data from these claims have been aggregated and analyzed from many angles, including number of records exposed, crisis services cost, total breach cost and per-record cost. In addition, the study includes more than twenty categorizations of the data, including analyses by type of data, sector, revenue size, and cause of loss; losses caused by business interruption; losses for incidents that exposed no records; losses caused by criminal and non-criminal activity; and losses caused by a third party.

  Download The Rep ort

AIG Cyber Claims: 

GDPR and business email compromise drive greater frequencies

Business email compromise (BEC) has overtaken ransomware and data breach by hackers as the main driver of AIG EMEA cyber claims, according to the latest cyber claims statistics. Nearly a quarter of reported incidents in 2018 were due to business email compromise (BEC), up significantly from 11% in 2017.   Ransomware, data breach by hackers and data breach due to employee negligence were the other main breach types in 2018.

BEC has entered the report this year under a new category given the high number of BEC-related claims received by AIG over the past 12 months.

In most cases the compromise can be traced back to a phishing email containing a link or attachment. If the recipient engages with the content of a phishing email it may allow intrusion into the user’s inbox. The majority of users are familiar with the concept of phishing emails but there remains a high number of incidents where the user follows a link directing the recipient to a bogus login screen. As soon as the victim enters their credentials, they are captured by the cyber-criminal who then has the necessary information to login to the victim’s email account.

The perpetrator is then able to send and receive emails from the victim’s email address and access all the information in the victim’s email inbox. In many cases the BEC is exacerbated by malware that spreads the scam to contacts in the recipient’s inbox. A relatively simple type of scam, BEC attackers often target individuals responsible for sending payments, using spoof accounts to impersonate the company C-suite or a supplier and requesting money transfers, tax records and/or other sensitive data.

At a Glance

  • Business Email Compromise (BEC) is now the top cause of loss for cyber claims followed by ransomware which is becoming increasingly targeted and disruptive, affecting business interruption costs. All cyber attack impacts are still greatly influenced by human error.
  • Professional Services is now the sector hardest hit by cyber claims, followed by Financial Services. However, incidents continue to spread among a range of sectors, indicating that no industry is immune to cyberattack.
  • The long term trend of increasing claims frequency continued in 2018 with around as many claims as the previous two years combined.
     

Methodology

In March 2019, AIG carried out an analysis of more than 1,100 EMEA claims notified under its cyber policies between 2013 and December 2018. The results of this analysis show general insights into this area only. It should be noted that other industries and sectors not highlighted in this report may also experience frequent and severe claims. In 2018, the number of claims notified under AIG’s cyber policies were broadly commensurate with AIG’s premium growth for this product.

 Download The Report

2016 Cyber Claims Study

The annual NetDiligence® Cyber Claims Study uses actual cyber liability insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective.

Our objective for this study is to help risk management professionals and insurance underwriters understand the true impact of data insecurity by consolidating claims data from multiple insurers so that the combined pool of claims is large enough that it allows us to ascertain real costs and project future trends.

While many leading cyber liability insurers participate in the study every year, there are many insurers that have not yet processed enough cyber claims to be able to participate. So our annual study remains a work in progress, while still producing some interesting results.

It is our sincerest hope that each year more and more insurers and brokers will participate in this study—that they share more claims and more information about each claim—until it truly represents the cyber liability insurance industry overall.

Download the Report

2015 NetDiligence® Cyber Claims Study
 
The fifth annual NetDiligence® Cyber Claims Study uses actual cyber liability insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective . Our goal is to raise awareness about cyber risk within the risk manager community .
 
For this study, we asked insurance underwriters about data breaches and the claim losses they sustained . We looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization . We also looked at the two additional data points: was there insider involvement and was a thirdparty vendor responsible for the incident . 
 
We then looked at the costs associated with Crisis Services (forensics, notification, credit/ID monitoring, legal counsel and miscellaneous other), Legal Damages (defense and settlement), Regulatory Action (defense and settlement) and PCI Fines . 
 
This report summarizes our findings for a sampling of 160 data breach insurance claims, 155 of which involved the exposure of sensitive personal data in a variety of business sectors . Two business interruption claims did not involve the loss of sensitive information and three claims were for defense of class action lawsuits alleging wrongful data collection .
 
It is important to note that many of the claims submitted for this study remain ‘open’, therefore aggregate costs as presented in this study represent “payouts to-date” . It is virtually certain that additional payouts will be made on a significant portion of the claims in our dataset and therefore the costs in this study are almost certainly understated .
  
  • The majority of claims submitted for this study are for smaller (Main Street) organizations and our findings best represent that group .  
  • Many insurers are leveraging legal counsel (Breach Coach®) early in the claims process to minimize mistakes on the part of the affected organization .This tends to prevent or minimize follow-on regulatory fines, legal defense and settlement costs . 
  •  Insurers are putting in place ‘preferred vendor panels’ with pre-negotiated rates for Crisis Services costs, which we believe significantly reduces the cost of breach  response for policyholders of those insurance carriers . We estimate data breach response costs for an uninsured organization could be up to 30% higher than costs for an insured organization .
 
 
2014 Privacy (Cyber) Liability & Data Breach Insurance Claims. 
A NetDiligence Study of Actual Claim Payouts

 

This year's report summarizes NetDiligence's findings for a sampling of 117 cyber liability insurance claims, 111 of which involved the exposure of sensitive data. The study examines the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. For the first time this year, the study also examines claims due to third-party breaches and claims due to insider involvement, both accidental and malicious.

Once again, however, the primary focus of the study is the costs incurred by underwriters due to cyber claim events, including Crisis Services (forensics, notification, and legal counsel), Legal (class action lawsuit defense and settlement), Regulatory (defense and settlement) and PCI (fines).

 "As an independent and trusted partner to the cyber liability insurance industry, NetDiligence is uniquely positioned to combine data from multiple insurers so that the pool of claims is large enough to ascertain real costs, project future trends and better educate concerned Risk Managers and CFOs," said Mark Greisiger, president of NetDiligence. "We are gratified that our cyber liability insurance carrier and broker partners continue to share some of their loss data with NetDiligence. Without them, the valuable insights this educational study provides would not be possible."

Sponsoring this year's NetDiligence Cyber Claims Study are AllClear ID, McGladrey and ICSA Labs.

Bo Holland, founder and CEO, indicated that AllClear ID sponsored the study again this year because understanding the total costs of a data breach is of utmost importance to cyber insurers and their customers. "Underwriting cyber insurance policies is becoming increasingly complex in the face of the new cyber risk threats. The insight this study provides will help cyber insurers and businesses mitigate the financial risks presented by cyber attacks."  

Andy Obuchowski, security and privacy director at McGladrey, discussed his firm's decision to sponsor this year's study. "The reputational and financial impacts to small and middle market companies can be more damaging than the Fortune 500 organizations we have read about in the media, since many do not have the resources to address security and privacy issues themselves. The data points contained in this report provide insight into the costs associated with data breach incidents and the value of understanding related risks. This study can help further educate the market on potential risks and associated damages and promote more proactive efforts to help protect organizations in today's environment."

The study is now available for download at the NetDiligence website (http://www.netdiligence.com/articles.php). eRisk Hub® licensors and their clients can download the study from the Learning Center of the eRisk Hub. The eRisk Hub (www.eriskhub.com) is a web-based cyber risk management portal that helps organizations prevent and recover from data breaches.

Download the Report

 

Data Breaches: 
Greater frequency, greater costs for all companies
 
 
By
Tim Stapleton, CIPP/US
Deputy Global Head of Professional Liability
Zurich General Insurance