Articles Posted in Policy Limits

The struggle to identify appropriate policy limits continues to frustrate many in the market for cyberinsurance.  So does the difficulty involved with comparing premiums across policies offering coverage terms with a lot of variation.  But publicly available data continues to improve, and this piece from the folks at Cyber Data Risk Managers is particularly interesting.  CDRM shared data on 34 actual clients’ premiums and limits based on industry and annual revenue.  Among the highlights:

Highest Revenue: A pharmaceutical benefits management company with annual revenues of $4B bought a policy with a $5M limit for a premium of $84,000.

Highest Limits:  A data storage center with annual revenues of $15M bought a policy with a $20M limit for a premium of $120,000.

Many (lucky) institutions lack historical data breach response cost information.  They therefore struggle to select cyber policy limits.  A popular approach is to multiply the total number of records maintained by an average “per-record” data breach cost, a figure increasingly identified by reputable studies.  Sounds easy.  Too easy.  This approach has the comfort of feeling scientific, but it suffers from a serious flaw.  There is wild inconsistency among thought leaders as to what’s “average.”  Consider the following:

The Ponemon Institute’s 2015 Cost of Data Breach Study analyzed data breaches at 350 companies, with breaches implicating from 3,000 – 100,000 records.  Ponemon concluded that the average per-record cost of a data breach was $217 (for non-health records).

The NetDiligence 2015 Cyber Claims Study considered actual claims information from insurance carriers concerning 160 data breaches, with breaches compromising from 1 to over 100 million records.  It found that the average per-record cost of a data breach was nearly $1,000.

Among the more difficult decisions faced by companies buying cyberinsurance is determining appropriate policy limits.  The truth is that there is no one way to determine appropriate limits.  Businesses should consider their industry, their annual revenue and the types and amount of records that they process and maintain.  There are also really interesting tools out there, like this Data Breach Cost Calculator.  But unlike most other forms of insurance, where lost histories and experience allow businesses to comfortably select appropriate coverage limits, finding the right cyberinsurance limits remains a challenge.

The Ponemon Institute’s 2015 Cost of Data Breach Study was released this past June, and it offers valuable insight into the costs associated with data breaches.  The Study found that the average, all-in cost of a data breach was $3.8 million.  This number is by no means gospel.  However, Ponemon did survey 350 companies across four continents and 16 industry sectors, and the surveyed companies had data breaches ranging from relatively small (about 3,000 records) to over 100,000 compromised records.  This finding makes those $5 million policies that so many companies seem to be snapping up seem fairly reasonable.

Ponemon also reports that, in the United States, the average per-compromised record cost following a breach is $217.  For healthcare records, that number rises to $363 per record.  Based on the number of records a business processes and maintains, it may be able to estimate the potential cost of a breach.  This approach has its difficulties though.  Most notably, a business can’t possibly know ahead of time whether a particular breach will reach all of its records or only a narrow subset.