Rising cost of cyber breaches
With new regulations on the horizon that will impose large fines on companies which suffer certain types of data breaches, a snapshot study of the scale of cyber incidents has been released.
The 2017 Cyber Claims Study by NetDiligence, featuring input from major insurance companies, found that the average total cost of a cyberbreach incident was $394,000. However, for companies with revenues above $2 billion, the average cost was $3.2 million.
By sector, retail accounted for the biggest exposure of records, at 420 million, or 67 per cent of the data set in this year's study.
Ransomware and cyber extortion affected every sector, with maximum breach costs exceeding $500,000.
The study found that hackers were the most common cause of loss, followed by malware and viruses, ransomware and cyberextortion, and staff mistakes.
Maliciously motivated insider events raised the cost of claims by a factor of four, and costs were 20 per cent higher when cloud services were involved.
Last year, the average cost per breached record was $17,035, while the average cost for 2014-2017 was $8,100. However, NetDiligence noted that this metric can be “heavily skewed by outliers”. Excluding the top and bottom five per cent of the data set, the average fell to $787. The median cost per record was $46.50.
The consolidated claims data in the study came from multiple insurers. Companies that participated in the study included Ace, Aspen Insurance, AIG, XL Group, Zurich, Travelers, and Sompo International.
AllClear ID, a major sponsor of the 53-page study, noted: “The uptick in unpredictable and unique threats such as ransomware and cyber extortion adds a new layer of complexity.
“While businesses cannot block every type of attack against their sensitive information, they can and should take steps to ensure they are ready to respond to their customers with quality, speed and care after a data breach.”
The company said new regulations, such as the European Union's General Data Protection Regulation and the New York Department of Financial Services' cybersecurity regulation, demand reaction times to data-breach events as short as 72 hours.
“That means that businesses must take a proactive approach to breach readiness, and be certain their plans and teams will hold up to a live breach incident.”
The GDPR takes effect in May 2018 and applies to all EU member states and companies based in them, as well as to non-EU companies that process the personal data of people in the EU. Maximum fines for non-compliance are 4 per cent of annual global turnover or €20 million ($23.8 million), whichever is greater.
This year's seventh annual Cyber Claims Study was presented by US-based NetDiligence, which specialises in cyber-risk readiness and response.