Data Privacy Cyber Liability Insurance


The cyber threat remains one of the most significant - and growing - risks facing UK business. 81% of large businesses and 60% of small businesses suffered a cyber security breach in the last year, and the average cost of breaches to business has nearly doubled since 2013. Working in partnership, the Government and industry have done much to improve understanding of cyber attacks and how to reduce their impact, yet more needs to be done. As part of this Government's long-term economic plan, we want to make the UK one of the safest places in the world to do business online. 

This report, the result of close working between the Government and the insurance sector, highlights the role insurers and insurance can play in reducing cyber risk. By asking the right questions in addressing cyber risks, insurers and insurance brokers can help promote the adoption of good practice, including the Government's Cyber Essentials scheme, which will reduce the frequency and cost of breaches.

The report includes some important messages for business. One is the need to value the risk of cyber attack properly. It also shows that many businesses are overestimating the extent to which their existing insurance provides cover for cyber risk. The report demonstrates how the insurance sector can help improve industry's understanding of cyber insurance. 

Another clear conclusion is that some businesses still feel they do not fully understand cyber risk. This highlights the need for companies to have clear accountability structures for cyber risk and to put in place robust cyber security risk management arrangements. We have provided a range of advice and guidance to business, which it can draw on, and a set of basic criteria for all organisations through the Cyber Essentials Scheme. 

Cyber security is not just a question of threats - it also represents an opportunity for the UK. The UK has world-leading cyber security expertise and cyber security services. The UK insurance sector is already a world-leader. With innovative ideas, like including Cyber Essentials certification as part of insurance cyber risk assessments for small to medium-sized enterprises (SMEs), the sector is demonstrating that the UK is the natural home for a growing global cyber insurance market.

Webinar Data Breach: It Can Happen to You

Is Cyber Insurance the Next Big Thing?

Data Breach Insurance Claims

The fifth annual NetDiligence® Cyber Claims Study uses actual cyber liability insurance reported claims to illuminate the real costs of incidents from an insurer's perspective. Our goal is to raise awareness about cyber risk within the risk manager community.

For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. We also looked at two additional data points: whether there was insider involvement and whether a third-party vendor was responsible for the incident.

We then looked at the costs associated with Crisis Services (forensics, notification, credit/ID monitoring, legal counsel and miscellaneous other), Legal Damages (defense and settlement), Regulatory Action (defense and settlement) and PCI Fines.

This report summarizes our findings for a sampling of 160 data breach insurance claims, 155 of which involved the exposure of sensitive personal data in a variety of business sectors. Two business interruption claims did not involve the loss of sensitive information and three claims were for defense of class action lawsuits alleging wrongful data collection.

It is important to note that many of the claims submitted for this study remain 'open'; aggregate costs as presented in this study therefore represent "payouts to-date". It is virtually certain that additional payouts will be made on a significant portion of the claims in our dataset, and therefore the costs in this study are almost certainly understated.

  • The majority of claims submitted for this study are for smaller (Main Street) organizations and our findings best represent that group.
  • Many insurers are leveraging legal counsel (Breach Coach®) early in the claims process to minimize mistakes on the part of the affected organization. This tends to prevent or minimize follow-on regulatory fines, legal defense and settlement costs.
  • Insurers are putting in place 'preferred vendor panels' with pre-negotiated rates for Crisis Services costs, which we believe significantly reduces the cost of breach response for policyholders of those insurance carriers.
  • We estimate data breach response costs for an uninsured organization could be up to 30% higher than costs for an insured organization.