Cyber insurance has gained traction over the past few years as more companies have jumped on board and purchased cyber liability coverage to mitigate the financial losses that occur when faced with a cyber incident. Due to the influx of cyber insurance policyholders and the constant cyber threats, cyber insurance claims are rising. Irrespective of those media reports that say cyber insurance claims denials are rising, which are few and far between, far more cyber insurance claims are paid than denied.
The NetDiligence® Cyber Claims Study, a highly respected study of cyber insurance claims that is published every year, has just been released in its 2019 edition. The report analyzed 2,081 cyber insurance claims arising from events that occurred during 2014-2018. It is important to note that the overall number of cyber insurance claims is much higher, as the study is based on the selective claims data of the participating cyber insurance carriers.
While cyber risk leaves all industries vulnerable, the hardest hit were SMEs. The industries experiencing the most cyber insurance claims include professional services (predominantly SMEs), healthcare, retail, financial services and education.
The report shows that of the 2,081 claims analyzed, 96% of claims ($357M in total) came from small to medium enterprises (SMEs with <$2B in annual revenue). The remaining 4% of claims ($433M) came from large companies (with >$2B in annual revenue).
Nonetheless, based on this study, small-medium sized businesses were the most targeted group that experienced a larger share of the cyber insurance claims analyzed.
The average breach cost reported by insurers was $178k for an SME vs. $5.6M for a large company. The associated claim legal costs were segregated and slightly higher for an SME ($181k average cost) vs. larger companies ($2.2M average legal costs).
As it relates to a data breach and the total number of records exposed, larger companies had an average of 19.6M records exposed with an average $296 per-record cost. Indeed, this is higher than the Ponemon Data Breach Study $148 average per-record cost. SMEs had an average of 280k records exposed in a breach, with a $234 average per-record cost.
The study also reported on “recordless” claims versus claims with exposed records. One of the critical findings for 2018 shows that recordless claims have increased. In 2018 alone, there were 411 recordless claims vs. 987 for the 2014-2017 time period.
The study shows that the financial impacts of cyber crime occurring most frequently include business interruption, malicious insiders, social engineering and ransomware.
When it comes to social engineering, SMEs appear to fall for hackers' schemes more than larger companies. The average SME social engineering claim cost was $107k and Business Email Compromise claim costs averaged $106k. Indeed, SMEs could certainly benefit from implementing phishing training to help employees better understand what to look for and avoid when targeted by hackers' schemes.
In addition, SMEs also experienced a higher volume of ransomware incidents, leading to cyber insurance claim costs of $150k on average. SMEs that were hacked had 289 incidents of the 2,081 claims assessed, with an average $337k claim cost. Larger companies didn't have quite as many hacking incidents (20 out of 2,081 claims); however, their average claim cost was far higher ($7.9M).
While the report touches on many other statistics and includes a wealth of claims data not found anywhere else, the one statistic that we found very interesting was PCI Fines. Of the claims assessed, only 21 claims in the five-year data included PCI fines. This doesn’t mean that companies should forego PCI coverage, especially since when fines are assessed, they tend to be very expensive. Of the 21 claims, the fines ranged from $7k to $4.2M and totaled $13.7M. SMEs had the bulk of the fines (19 of them) with an average $700k fine. Large companies fared much better (only 2 claims), with PCI fines of $25k and $385k. Typically, PCI fines are not assessed until 12-18 months or more after an event which could explain why the claim count is very low.
In addition, lost business income was another area in which the number of claims (96) is low, especially since ransomware continues to hit SMEs hard and is the most frequent cause of lost business income. Of the 96 claims that included lost business income, 90 included costs for recovery expense. Recovery expenses are also known in a cyber insurance policy as “extra expenses” and are those necessary extra expenses incurred to avoid or minimize a business interruption loss. In our opinion, insurers must be doing a pretty good job of getting insureds back up and running fairly quickly. Otherwise, there would be a larger number of lost business income claims.
There was only one large company claim that included these costs. It was due to a network outage/system glitch. The lost income reported for that event was $60M; the recovery expense was $20M.
Lastly, a word about self-insured retentions (SIRs). SMEs on average have a $16k retention, with a $250k maximum. Larger companies tend to take on more risk and on average had a $2.6M retention, with a $15M maximum. We always find it interesting when smaller companies ask for a higher retention, when they are the most vulnerable and susceptible to cyber risk. While larger companies are no exception to cyber risk, they can certainly afford to take on higher risk when opting for a higher retention. Based on our experience with cyber claims, we always advise SMEs to opt for a lower retention rather than go with a higher retention. Cyber incidents are already devastating enough, so why add more financial stress?
It should no longer come as a surprise that when a cyber incident happens, there are many costs associated with the aftermath, and they can be pretty significant. Due to ever-evolving technologies and our interconnected global business environment, cyber risk is a constant, and all companies need to consider having cyber insurance before an incident happens.
While some of us may loathe hearing, “It’s not a question of if an attack will happen, it is only a matter of when” – when yours happens, it may be more suitable to ask “Will your company have cyber insurance or will your company wish it had the right cyber insurance?”
Indeed, having a cyber insurance policy and the right policy in place can make all the difference.