A Few Challenges in Calculating Total Cost of a Data Breach Using Insurance Claims Payment Data

Let me first state that I am a big fan of the Verizon DBIR and have read every one. I also have a great deal of respect for the NetDiligence Cyber Claims Study and like many in the insurance industry, find it extremely valuable. I was, however, taken by surprise when I read the latest Verizon report and saw that their cost of a data breach analysis was based on the NetDiligence data set. Here’s why:

All insurance policies have limits and nearly all have sub-limits. So for example, XYZ Company might buy a cyber liability policy with a $1M limit. Generally speaking, that means the policy would cover qualified expenses up to $1M. All costs exceeded the $1M mark would be the responsibility of XYZ Company. (This is why it’s so important to try to calculate and purchase the right amount of coverage for your specific situation.) So the first problem with using payment claims data to calculate the total cost of a breach is that it will exclude costs beyond the limit of the policy and only include amounts actually paid by the insurance company. Think Target with $100M in cover (less $10M self-insured retention) but total breach costs in excess of $252M and counting. But it gets more complicated than that.

Back to XYZ Company and their $1M policy. It would not be unusual for the policy to have a sublimit of $250,000 for First Party Privacy, $25,000 for Crisis Management, $250,000 for Regulatory Coverage, $250,000 for Legal and Forensic, etc. Likewise, there may be specific deductibles like $5000 for Privacy Notification Costs, etc.  If XYZ Company experienced a breach and submitted claims that exceed the sublimits for any of the above categories, the insurance company is only obligated to pay up to the specified sublimit and not beyond. Looking at payment claims data alone will not tell you whether XYZ Company’s total expense is accurately reflected in the number. The terms of each policy must be reviewed to determine if a sublimit has been exceeded, and if so, the researcher would have to turn to XYZ Company to find out what additional expenses were not included in the data.

To further complicate the picture, all insurance policies have exclusions as well, which would disallow reimbursement for certain costs, even though they may be a direct consequence of the breach. These exclusions can be all over the map, but one easy example would be business interruption expense, which is optional coverage, typically only provided at additional cost. Only three companies bought it in NetDiligence's 2014 data set, but it's quite likely that many companies incurred such expenses. It can get even more complicated if you look at whether another separate policy, possibly from another carrier, provides umbrella coverage or coverage for some other piece of breach related costs. Even if we assume the NetDiligence data set includes only straight forward claims situations, there is no single standard across cyber insurance policies regarding limits, sublimits, exclusions, etc.

So it seems that in order to move beyond calculations describing insurance company costs for claims paid, to arrive at a formula for total breach related costs for each company, would have required that every breach in the NetDiligence data set had every claim paid in full, and all companies submitting claims had zero uninsured breach-related expenses. Assuming this was not the case, such a calculation of total breach costs would further require a review of the terms of each company’s insurance policy and an analysis of the claims submitted, paid and rejected by the insurance company. This sounds a lot like the kind of in depth interviewing and analysis that the Ponemon institute conducts with breached companies, but with the addition of discussions with the claims teams handling these breaches.

Again, these comments do not diminish in any way the value of NetDiligence's data nor the Verizon DBIR – both are superb reports. The cyber security community must continue to test current assumptions and common practices, and to experiment with new ways of quantifying cyber risk. Incorporating cost data into Verizon’s DBIR is an entirely welcome development, but it appears that the current report lacks a method of accounting for the artificial cost caps and other excluded costs that are not part of the NetDiligence insurance claims payment data. This could result in a significant under estimation of the total cost of a breach. Unfortunately, it is not readily apparent how to quantify this without a lot more digging…

# # #

Ben Goodman, CRISC, is the founder of Enterprise Risk Associates, a licensed insurance agency, and a member of the Casualty Actuarial Society’s Cyber Risk Task Force. He also serves as President of 4A Security and Compliance, a firm that helps clients strengthen their information security while managing cyber risk and meeting compliance requirements. With over 25 years of experience in information technology, technology strategy and risk management, he is dedicated to strengthening the cyber defenses and resiliency of US organizations, institutions and critical infrastructure.

Ben is the recipient of ISACA’s CRISC, Worldwide Achievement Award, and a founding member of Drexel University’s College of Computing and Informatics Cybersecurity Institute’s Advisory Board.