Among the more difficult decisions faced by companies buying cyberinsurance is determining appropriate policy limits. The truth is that there is no one way to determine appropriate limits. Businesses should consider their industry, their annual revenue and the types and amount of records that they process and maintain. There are also really interesting tools out there, like this Data Breach Cost Calculator. But unlike most other forms of insurance, where loss histories and experience allow businesses to comfortably select appropriate coverage limits, finding the right cyberinsurance limits remains a challenge.
The Ponemon Institute’s 2015 Cost of Data Breach Study was released this past June, and it offers valuable insight into the costs associated with data breaches. The Study found that the average, all-in cost of a data breach was $3.8 million. This number is by no means gospel. However, Ponemon did survey 350 companies across four continents and 16 industry sectors, and the surveyed companies had data breaches ranging from relatively small (about 3,000 records) to over 100,000 compromised records. This finding makes those $5 million policies that so many companies seem to be snapping up seem fairly reasonable.
Ponemon also reports that, in the United States, the average cost per compromised record following a breach is $217. For healthcare records, that number rises to $363 per record. Based on the number of records a business processes and maintains, it may be able to estimate the potential cost of a breach. This approach has its difficulties, though. Most notably, a business can’t possibly know ahead of time whether a particular breach will reach all of its records or only a narrow subset.