Data leak insurance costs in US could reach $5bn a year

If all US businesses had cyber insurance, over $5 billion a year would be lost to the insurance industry from cyber data exfiltration alone, according to catastrophe risk modelling firm RMS.

Data breaches are the leading cause of cyber insurance loss.

“Data breaches can cost companies hundreds of millions of dollars, and our modelling shows the overall insurable loss across US businesses from data exfiltration is running at over $5 billion a year,” said RMS senior vice president Andrew Coburn. “The past year has also demonstrated the potential for future systemic cyber catastrophes, for which overall losses would far exceed $5 billion.”

Since 2010, the average cost per record of a data loss of over 100,000 records has more than doubled. This reflects increasing regulatory fines and procedures, growing costs of compensation, and escalation of legal complexities in dealing with identity loss. Projecting forward for 2017, a further inflation of costs by 15 to 25 percent could be expected.

Data leak volumes caused by cyber attacks have reached a new record in 2016, according to RMS.

The past year has seen the largest data leak events ever revealed, the company said in its ‘2017 Cyber Risk Landscape’ report. In April 2016, the world’s largest data leak by volume saw 2.6 terabytes of confidential tax data stolen from Mossack Fonseca. Yahoo! broke the record – twice – for the largest number of personal records compromised, first in September 2016 when it revealed that data on 500 million users had been hacked in 2014, and then again in December 2016 when it revealed a data breach of over one billion user accounts dating from 2013.

At the other end of the spectrum, there is a measurable reduction in the incidences of smaller data breaches, as routine security measures prevent the accidental loss of data by employees that caused many of the small loss incidents in the past.

The RMS historical catalogue of cyber data breaches shows a substantial increase in reported cyber data leak events in the previous 10 years, driven by a surge in the underlying attack rates and increased reporting.

But the frequency of occurrence of all sizes of data exfiltration events appears to have decreased since the peak of 2013 - 2015.

While the overall trend of events is flattening, the RMS catalogue shows that the number of events affecting more than one million personal records have grown substantially in the years prior to 2016 for the US.

One possible explanation is that professional criminals are concentrating their efforts on obtaining larger datasets where they can get a bigger return.

During 2016, the main cause of data breaches and losses was predominantly shown to be malicious interference from outside actors, rather than insider or whistleblower leaks.

There has been an increase in data breach incidences in the retail, IT services, and manufacturing sectors that has continued into 2016. Meanwhile there has been a significant reduction in data breaches from financial services companies – their incident rates are down in 2015 and 2016, compared to previous periods of breach records, reflecting the investment in security and data protection that is being made in this sector. Healthcare, despite some newsworthy events, has also seen a drop in the number of incidents – but this is counterbalanced by the fact that healthcare has seen a significant increase in extortion incidents.

Today’s stories

P&C underwriting profit plummets as National General expands in Q1

JLT Specialty boosts environmental practice with new hire in US

Marsh & McLennan acquires firm to expand in west Texas

UK SMEs claim brokers fail to discuss cyber insurance

NFP buys Arizona insurance firm McCullough

Did you enjoy reading this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.