Cyber Risk Costs Not Big Enough to Spur Investment by Businesses
Insurance Journal, September 2016
The cost of a typical cyber breach to an American company is much less than has been generally estimated, providing one possible explanation for why companies do not invest more to improve computer security, according to a new RAND Corp. study.
The typical cost of a breach is about $200,000 and most cyber events cost companies less than 0.4 percent of their annual revenues, the study found. The $200,000 cost is roughly equivalent to a typical company’s annual information security budget.
“Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think,” said Sasha Romanosky, author of the study and a policy researcher at RAND, a nonprofit research organization. “It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can’t begrudge them for working that way.”
The RAND study's estimate is far lower than the estimate in a May 2014 report by the Ponemon Institute at the University of Michigan. The Ponemon report put a $3.5 million price tag on an individual data breach. Ponemon surveyed 314 companies in 10 countries.
The RAND study, which is published in the Journal of Cybersecurity, is based on a private dataset of 12,000 cyber incidents compiled by Advisen, which provides information on corporate losses to the insurance industry.
A 2015 study of 160 cyber liability insurance claims by NetDiligence, a data breach services company, found that the average total claim for a breach was $673,767. But the cost varied greatly by company. The average claim for a large company was $4.8 million, while the average claim in the healthcare sector was $1.3 million.
Cyber breaches at American companies have made headlines in recent years and put the personal information of millions of consumers at risk. The most recent and biggest was reported last week at Yahoo.
Romanosky said he undertook his study in part because of an executive order issued by President Obama in 2013 directing the National Institute for Standards and Technology to develop voluntary guidelines for improving information security.
The policy was put in place as public concern about cyber attacks began to rise with disclosures of major breaches at Target and other prominent companies, but Romanosky wondered whether the corporate world would be willing to adopt tougher measures.
Romanosky examined incidents across four categories: data breaches involving the disclosure of personal information, security incidents that resulted in the theft of intellectual property or disrupted business services, malicious harvesting of account information through phishing or skimming attacks, and privacy violations through the unauthorized collection, use or sharing of personal information from cell phones, web tracking and other means.
He found that security breaches were on the upswing, from 64 reported incidents in 2012 to nearly 250 reported incidents by 2014. The sectors with the highest number of reported hacks were finance and insurance, health care and government entities.
In analyzing the financial impact of such incursions, Romanosky considered factors such as the cost of investigating the causes of a breach, notifying consumers, increasing customer support, paying for identity theft insurance or credit monitoring, and dealing with legal actions.
Yet those costs, the RAND researcher found, generally were not onerous and were lower than losses companies face because of fraud, theft, corruption or bad debt.
“If it is true that on average businesses lose 5 percent of their annual revenue to fraud, and that the cost of a cyber event represents only 0.4 percent of a firm’s revenues, then one may conclude that these hacks, attacks and careless behaviors represent a small fraction of the costs that firms face, and therefore only a small portion of the cost of doing business,” Romanosky said.
Given that finding — and surveys that indicate consumers are mostly satisfied with the ways companies respond to data breaches — he says that businesses “lack a strong incentive to increase their investment in data security and privacy protection.” Moreover, if their losses are not out of line with other costs, he said, “maybe the firms are already doing the right thing,” making government policies to induce more precautions unnecessary.
Romanosky said a more effective strategy might involve cyber insurance programs that offer reduced premiums in exchange for companies taking certain steps to beef up data security.
He also urges consumers to “stay vigilant and take precautions in sharing their information with just anyone.”