NetDiligence’s Fifth Annual Cyber Claims Study, released yesterday, has found that Small Businesses still make up the majority of claims made pursuant to cyber-insurance policies. For the study, NetDiligence analyzed information relating to 160 data breach insurance claims filed between 2012 and 2015, including the type of data exposed, the cause of loss, the business sector in which the incident occurred, the size of the affected organization, whether there was insider involvement, and whether there was a third-party vendor responsible for the incident.

As has been the case with past surveys, the NetDiligence survey found that Small Businesses (<$300m in revenue) accounted for the majority of breach-related claims. This trend underscores the importance of smaller organizations taking cyber security seriously, including allocating sufficient resources to threat detection and prevention, training for employees and the procurement of cyber-insurance. NetDiligence estimates that data breach response costs for an uninsured organization could be up to 30% higher than costs for one that is insured.

Among other findings of the survey are:

  • PII was the most frequently exposed data (45% of claims), followed by PCI (27%) and PHI (14%).

  • Nano organizations experienced the most incidents (29%), followed closely by Small organizations (25%).

  • Extremely large breaches occurred in Nano, Small and Large organizations.

  • The largest breaches occurred in the Retail sector, followed by Healthcare.

  • The average claim for a large company was $4.8 million, while the average claim in the Healthcare sector was $1.3 million.

  • Hackers were the most frequent cause of loss (31%), followed by Malware/Virus (14%).

  • Staff Mistakes and Rogue Employees tied for third (11%).

  • Healthcare was the sector most frequently breached (21%), followed closely by Financial Services (17%).

  • Third parties accounted for 25% of the claims submitted.

  • There was insider involvement in 32% of the claims submitted.

  • The median cost for legal defense was $73,600 and the average cost was $434,354.

  • The median number of records lost was 2,300, and the average number was 3.2 million.

  • The median per-record cost was $13.00, and the average per-record cost was $964.31.

  • Claims in this year’s study ranged from $0 to $15 million, with typical claims ranging from $30,000 to $263,000.

  • The median cost for legal settlement was $50,000 and the average cost was $880,839.

  • The median claim was $76,984 and the average claim was $673,767.

  • The median cost for Crisis Services was $60,563 and the average cost was $499,710.

While the Study yielded some interesting results, we note that the cyber-insurance market is still in its infancy, and it could take analysis of substantially more claims before we see some of the numbers cited by NetDiligence stabilize.