Guest Author: Dane Greisiger

A Q&A with Patrick Florer and Heather Goodnight-Hoffmann

The annual NetDiligence^® Cyber Claims Study examines reported claims by leading insurers to assess the true costs of data breaches. As we unveil the 2016 study, I spoke with Patrick Florer and Heather Goodnight-Hoffmann of Risk Centric Security who compiled the data and analyzed its results.

While there are other studies out there that may be a bit more well known, this study categorizes the data differently and includes hard costs that have actually been paid out by insurance companies.

Who contributes the data to the NetDiligence Study?
The claims/loss data is submitted by about 17+ leading commercial P&C insurance companies that offer cyber liability insurance products that specifically cover data breach events that might negatively impact businesses and other organizations. The data is sanitized before it reaches NetDiligence so it does not list the organization that actually suffered the loss.

Who benefits from the information gathered in this study?
Many entities, companies and organizations are very eager to see the costs involved in a data breach. We address the report specifically to insurers, underwriters, risk managers, CEOs, CFOs and CSOs. That being said, it would be of interest to anyone who wants to understand the complexities inherent to underwriting cyber security risk. While there are other studies out there that may be a bit more well known, this study categorizes the data differently and includes hard costs that have actually been paid out by insurance companies.

What are the top three findings or trends in this year’s report?
The key findings include:

1. Breaches are not just for Fortune 500 companies and the cost of big company breaches is not necessarily going to be greater. The number of records lost can be exceedingly large, no matter the size of the organization. Total costs can range from $300 to $15 million. You don’t see patterns that scale—certainly the size will dictate the cost to an extent, but we had one breach where a very small number of records (<10) resulted in a HIPAA violation that cost the insured business over $1.5 million.
2. Cost data can be highly skewed by large breaches. Most of the data we received came from smaller breaches and companies that report less than $2 billion revenue. We look at both the median and average costs and the average is 10-12 times more than the median, due to the larger scale breaches.
3. Creating a predictable model with a high level of confidence for determining per record cost is challenging.. For example, the average per record cost was $17,000; however the median cost was $40. At the moment the costs are as varied as they have ever been because every breach requires different kinds of services—some require more forensics, for instance. We do believe that there may be more predictability in terms of breaches related to ransomware, which we are seeing more of.

How would you improve a future study?
We want to add new kinds of breakdowns, categorizations and stratifications to make the data more specific and potentially help insurance companies in creating their actuarial tables. From our experience in IT Security and business, we can apply different ways of thinking about the categories—for instance, creating multiple categories for cloud-related breaches. We would also like to include a one-page questionnaire that might include data such as the amount paid over the year for aggregate claims across a book of business, what was the insurer’s loss ratio, and so forth.

To what degree will cyber data analytics continue to play a role in the cyber liability insurance industry? What sort of qualifications/education will be required of future employees?
Analytics in general will play a huge role in our lives. That said, numbers alone won’t save us—it’s about applying the numbers in a credible way. As far as the education or training needed, data scientists might require a PhD, while data analysts would not. You need number smarts, an understanding of statistics and business, so perhaps an MBA with a minor in statistics. The research aspect requires creativity, curiosity and aptitude for querying to get the right answers.

In summary… 
We want to thank Heather Goodnight-Hoffmann and Patrick Florer for their expert insights into data analytics, as it relates to the annual NetDiligence Cyber Claims Study.
Note: You can hear Patrick speak on data analytics and modeling at the NetDiligence cyber risk conferences. See inside your insurer’s eRiskHub^® portal.