“The (Broken) Record Approach to Policy Limit Selection”

Many (lucky) institutions lack historical data breach response cost information.  They therefore struggle to select cyber policy limits.  A popular approach is to multiply the total number of records maintained by an average “per-record” data breach cost, a figure increasingly identified by reputable studies.  Sounds easy.  Too easy.  This approach has the comfort of feeling scientific, but it suffers from a serious flaw.  There is wild inconsistency among thought leaders as to what’s “average.”  Consider the following:

The Ponemon Institute’s 2015 Cost of Data Breach Study analyzed data breaches at 350 companies, with breaches involving between 3,000 and 100,000 records.  Ponemon concluded that the average per-record cost of a data breach was $217 (for non-health records).

The NetDiligence 2015 Cyber Claims Study considered actual claims information from insurance carriers concerning 160 data breaches, with breaches compromising from 1 to over 100 million records.  It found that the average per-record cost of a data breach was nearly $1,000.

The Verizon 2015 Data Breach Investigations Report reviewed information related to over 2,000 confirmed data breaches and concluded that the average per-record data breach cost is only $0.58 (albeit while warning that this figure is not worth the virtual paper I read it on).

To illustrate the implications of this variation, consider the recently reported UC Berkeley breach implicating approximately 80,000 records.  Using the Ponemon average, this breach would be expected to cost $17,360,000.  Using the NetDiligence average, $80,000,000.  And using the Verizon average, $46,400.  Ugh.

It gets worse.  There is not always a correlation between the number of records affected and the cost of a breach.  Consider breaches involving relatively few records but considerable regulatory fines, like the recent Lincare, Inc. breach involving fewer than 300 records but resulting in a $239,000 fine (though admittedly not an electronic data breach).  Or consider the “all-in” average breach costs identified by the above studies, all well below the UC Berkeley per-record predictions: (1) Ponemon – $3.8M; (2) NetDiligence – $637,767; and (3) Verizon – $25,000 – $8.8M (long story about that spread, but that’s not the point here).  My point:  I’d be shocked if any of the per-record cost predictions for the Berkeley breach prove accurate.

The per-record approach to policy limit selection is an incomplete analysis.  Institutions should consider average “all-in” breach costs as reported by the above-mentioned and other studies, peer entity limit decisions, broker recommendations and, if you can afford it, a data breach cost audit.  More on that last item later (and e-mail me if you do that for a living).