Corporate IT teams and compliance officers don't need to be told twice that a customer data breach is something to be avoided at all costs. However, hard numbers may help drive the message home more effectively than anecdotal evidence.
Researchers from NetDiligence, a cyber risk assessment consultancy, recently compiled and analyzed more than 130 cyber insurance liability claims from nearly 60 separate data breach incidents taking place between 2009 and 2011. Although this represents only a small sample of the security events that shook the business community during this time, NetDiligence adopted a unique approach to its study. While the Ponemon Institute has presented figures primarily from a consumer angle, NetDiligence focused on the insurer's perspective.
As a result, the report offered a more granular breakdown of the expenses incurred by companies facing lawsuits and sanctions for their data protection missteps. For example, researchers determined that the majority of the $3.7 million average cost of a breach could be attributed to legal damages. The typical company spent nearly $600,000 on trial defense, followed by an average plaintiff settlement of $2.1 million. Each of those figures represents notable year-over-year growth from 2010 to 2011, with the average settlement fee, in particular, more than doubling.
Smaller spread, larger impact
One of the more encouraging findings from the NetDiligence report was the fact that the average number of records exposed per incident dropped by nearly 20 percent between 2010 and 2011. Unfortunately, it seems the impact of each event became a bit more potent. The average cost per exposed record amounted to $3.94 in 2011, a significant leap from the $1.36 observed the previous year.
This phenomenon may have something to do with the evolution of hacker tactics. Judging by the variation in breaches experienced by different industries, it would seem that cybercriminals are homing in on the high-risk, high-reward opportunities that lie in the financial services and healthcare sectors.
From brazen attacks on the network underlying the NASDAQ Stock Exchange to social engineering schemes targeting local credit unions, NetDiligence analysts saw a clear trend of hackers cutting out the middleman and going straight to the source of sensitive financial data.
Considering the vast financial and reputational damages that can come from a serious data breach, it is understandable that a company's first impulse may be to close ranks and keep the incident under wraps. However, failure to comply with notification requirements in a timely manner could make consequences even worse.
NetDiligence analysts cited one automotive company that had its cover-up tactics exposed and later saw more severe sanctions and steeper lawsuits when its notification delay was classified as a direct threat to customer safety.
Report authors also noted a "worrisome" trend in which companies continue to diffuse data security responsibility instead of making it a C-suite priority.
"As an underwriter, it concerns me when IT security is no longer considered an executive issue, but pushed back to operations to manage," Chubb Specialty Insurance senior vice president Tracey Vispoli explained. "A recent PricewaterhouseCoopers (PwC) survey indicated that in 2011 only 39 percent of executives evaluate their security policies annually, compared to 52 percent in 2009. At a time of unprecedented data security events, this is hard to imagine."
This may be the year that the tide starts to change, however. As NetDiligence noted, the market for cyber insurance has grown considerably more mature and is seeing mainstream interest. In fact, some larger corporations are even starting to keep personal data breach "coaches" on retainer to help promote best-practice data protection and mitigate potential damages.
Data Security News from SimplySecurity.com by Trend Micro