“Know Your Limits”

Among the more difficult decisions faced by companies buying cyberinsurance is determining appropriate policy limits.  The truth is that there is no one way to determine appropriate limits.  Businesses should consider their industry, their annual revenue and the types and amount of records that they process and maintain.  There are also really interesting tools out there, like this Data Breach Cost Calculator.  But unlike most other forms of insurance, where lost histories and experience allow businesses to comfortably select appropriate coverage limits, finding the right cyberinsurance limits remains a challenge.

The Ponemon Institute’s 2015 Cost of Data Breach Study was released this past June, and it offers valuable insight into the costs associated with data breaches.  The Study found that the average, all-in cost of a data breach was $3.8 million.  This number is by no means gospel.  However, Ponemon did survey 350 companies across four continents and 16 industry sectors, and the surveyed companies had data breaches ranging from relatively small (about 3,000 records) to over 100,000 compromised records.  This finding makes those $5 million policies that so many companies seem to be snapping up seem fairly reasonable.

Ponemon also reports that, in the United States, the average per-compromised record cost following a breach is $217.  For healthcare records, that number rises to $363 per record.  Based on the number of records a business processes and maintains, it may be able to estimate the potential cost of a breach.  This approach has its difficulties though.  Most notably, a business can’t possibly know ahead of time whether a particular breach will reach all of its records or only a narrow subset.

Which leads to my final point.

There are ways to minimize breach costs.  Ponemon found that the cost of a breach is linearly related to the mean time that it takes to identify the problem and contain it.  That means that having an incident response team with a pre-determined incident response plan (preferably that has been tested – think fire drill) will reduce data breach costs.  Ponemon also found that extensive use of encryption and employee training were other keys to limiting costs, but the clearest way to reduce exposure is to have personnel ready to respond to a breach when it occurs.

No one can tell you precisely what limits will strike the balance between cost-effectiveness and comprehensive coverage.  But considering the average cost of a breach, the average per-record cost of a breach and the actual steps taken to mitigate the effects of a breach should help guide the conversation.