Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

New report shines light on what cyber insurance can and cant do for enterprises that suffer data breaches.

A vast majority of breaches fall below cyber insurance policy deductibles, according to a new study conducted by insurance information and analytics company Advisen and commissioned by ID Experts, a data breach response services company.
Most data breaches are small -- consisting of fewer than 500 records lost -- and the median data breach is only 100 records, the report says. But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000 and 48% with a deductible that is over $101,000.
Meantime, more than 70% of respondents use internal resources to manage these smaller breaches.
“There’s a lot of misconceptions around cyber security insurance -- what it does, what it could do,” says John Pescatore, director of emerging security trends at SANS. Its it’s not for every day occurrences, he says.
Take auto insurance, for example: your insurance provider isn’t going to pay to fix your flat tire, nor is cyber insurance going to cover smaller breaches, he says. It doesn’t make economic sense. “The survey brought out a lot of the reality of [cyber insurance’s] limited role,” Pescatore says.
Advisen’s product manager Aloysius Tan concurs that there is a gap in coverage, “in that a lot of these smaller breaches are not exactly covered by insurance companies. So it would be wise to have a contingency to cover the cost of small breaches, Tan says.
Of the 203 risk professionals participating in the survey, the majority classified themselves as chief risk manager/head of risk management department (41%), representing businesses of all sizes and across all regions of the US.
The study
also found that 60% of organizations say that the information technology (IT) department is responsible for managing the data breach response.
Jeremy Henley, director of breach services at ID Experts, believes that more groups from the organization need to get involved in the incident response process. “At a minimum, you’re going to want IT, legal, privacy and compliance, and risk management [involved],” says Henley. “When your breach starts getting larger, operations, marketing/communications/PR need to get involved.
Include HR as well, he says, because the breach could be caused by an employee training or discipline issue and you’ll need to be able to prove that you handled the response appropriately.
While the cyber insurance industry is still very much in its nascent stages, it has more than doubled in value from 2012, from $1 billion to $2 billion in 2015, and according to Moody’s, and could triple by 2020.
A report
released by Marsh last year says the massive growth can be attributed to the broader scope of hacktivists in the growing landscape of cyber threats.
Despite the fact that cyber insurance doesn’t currently cover small breaches, both Henley and Tan see an opportunity for insurance carriers to offer assistance to organizations that need advice from external data breach response groups. “There is a pretty big gap where insurance companies can fill in terms of their business strategy,” Tan says.
ID Experts Henley says carriers could offer more tools for preparing and responding to smaller incidents -- such as connections for legal counsel, data breach response vendors, and public relations agencies.
Insurance carriers basically need to get more involved in incidents, he says. But he acknowledges that not everyone wants to disclose every little incident to their insurance company for fear of seeing increased premiums.
If you can establish a comfort level with the insurance company, Henley says, they can offer you advice and services to potentially minimize the costs of these smaller breaches such as data breach issues involving W2 forms, something Henley is seeing a lot of as tax season approaches.
Find out more about
security threats
at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas.
Register today
and receive an early bird discount of $200.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows