5 figures to know from NetDiligence's Cyber Claims study
The ninth edition of the NetDiligence Cyber Claims Study is based on 2,081 claims.
Businesses have to contend with a number of risk factors, but few are more concerning than cyber risks. No matter the size of the business or the industry it operates in, cybercriminals have shown they will target whoever they think is most susceptible. It is no longer a question of if, but when.
Cyberattacks threaten a business’s financial standing, reputation and much more. But while cyber insurance is readily available and a much-needed form of coverage in today’s digital landscape, many companies still lack coverage — despite the studies that show the cost of a cyberattack and the countless headlines that have detailed how attacks at companies like Equifax took place.
More often than not, experiencing loss is the best wakeup call. But this is not a winning strategy, and many companies cannot guarantee they will be able to weather the storm to a brighter tomorrow. An examination of cyber claims, their costs and causes of loss, however, might illuminate why businesses need to be more proactive with cyber going forward.
5 figures that jump out
The ninth edition of the NetDiligence Cyber Claims Study is based on 2,081 claims arising from events that occurred during 2014-2018. The claims analyzed in this study come from companies of all sizes. These companies represent over 18 business sectors. The top four, as defined by the number of claims, were professional services, health care, retail and financial services.
Key figures to know:
- Of the 2,081 claims in the dataset, 787 were for events that constituted some form of a data privacy breach, and thus, exposed records. The total number of records exposed in these events was 1.2 billion. The number of records exposed per claim ranged from a single record to over 300 million. Events at small to medium enterprises (SMEs) accounted for 737 of these claims and 207 million records. Events at large companies accounted for 50 claims and almost 1 billion records.
- In the five-year period from 2014-2018, 96% of claims came from SMEs and 4% of claims from large companies. As might be expected, there were very large differences in breach costs for organizations on either side of the $2 billion annual revenue threshold. (Organizations with less than $2 billion in annual revenue were classified as SMEs, while those with greater than $2 billion in annual revenue were classified as large companies.) For SMEs, average breach costs were $178,000 versus $5.6 million for large companies.
- Social engineering, ransomware, hackers and malware/viruses were the leading causes of loss in this year’s report. Social engineering and ransomware occupied the top spots in 2018 and the five-year period. The increasing prevalence of social engineering claims speaks for itself: 48% in 2018 versus 30% for the five-year total.
- Of the 2,081 claims in the dataset, 96 included costs for lost business income and 90 included costs for recovery expense. Ransomware is the most frequent cause of lost business income, accounting for almost 70% of claims; it is also the most frequently cited cause of recovery expense, accounting for 87% of claims. Malware/virus (15%) and hackers (9%) are the second and third most common causes of lost business income; malware/virus, hackers, rogue employees and system glitches are the primary causes of loss in the other 13% of recovery expense claims.
- One of the clearest trends in the data is the increasing percentage of claims caused by criminal activity. This percentage has increased to 86% in 2017 and 2018 from 72% in 2014. Criminal events include hacking, ransomware, phishing and distributed denial of service attacks, among others; noncriminal events include staff mistakes, programming errors, lost laptops, system glitches and more.
A full edition of the NetDiligence Cyber Claims Study can be found on the company’s website.