There's plenty of attention paid when a company like Target or Home Depot gets hacked. These major cyber breaches attract extensive media coverage, often creating the illusion that it's only big businesses that are at risk of an attack. But that's far from the case.

Clyde & Co partner Christina Terplan led a panel at the NetDiligence conference in Santa Monica this month which discussed the claims study produced by Clyde & Co and risk analytics platform Corax, the annual claims report produced by NetDiligence, and claims trends with representatives from AIG and NAS Insurance.

As a leading law firm serving as coverage and monitoring counsel for cyber insurer clients throughout the world, Clyde & Co has worked on over 5,000 data breaches, ranging from the mega-breaches to the "everyday." For this study, the firm and Corax analyzed information from 321 randomly selected data breach events. The in-depth examination of these cyber insurance claims uncovered important insights about the day-to-day breaches that most businesses are experiencing and the costs of these events.

Perhaps most notable to those who are under the impression that hackers only bother with big companies, SMBs reported the highest number of "everyday" breaches. Of the breach events studied, 90% of the organizations that experienced breaches were small and medium-sized. With a median event cost of USD18,000, these are numbers that simply can't be ignored, and they speak to the importance of businesses having access to cyber insurance.

Some takeaways from the study include:

Every industry is at risk, but costs may vary.

The most common breach events occurred in the Healthcare industry, and these were similar in cost (USD15,000) to all other industry types, with the exception of Leisure/Retail/Hospitality (USD45,000) and Technology/Media/Telecommunications (USD33,000). This is at least partially explained by the types of records held by each industry.

Breach events within Leisure/Retail/Hospitality were on average the most expensive (USD45,000), and the sector was the second most common. These breach events were 36% more expensive than those in the next most expensive industry sector, Technology/Media/Telecommunications (USD33,000), which ranked 5th out of 8 in terms of frequency.

The median duration of a breach event is 78 days.

The study found that the size of a company has no material impact on event duration. This can be explained by the fact that legal requirements surrounding breach events are largely the same irrespective of company size. While there was some correlation between the size of breach and duration, the correlation is not as strong as one might anticipate. Record type, however, does increase duration:

  • Social security numbers and credit card records increase event duration by 1.5 times.
  • Credit card data breaches are 3 times more costly than other record types.

Breaches include many event types.

There is no single solution for preventing data breach events. A combination of both technological and human training solutions is required. So where should SMBs focus their attention?

  • Data breach events involving unauthorized access or manipulation, caused by internal and external parties, were found to be the most prevalent. User rights management and the use of data-at-rest encryption are clearly important factors in preventing data breach events.
  • Ransomware was the second most common breach event type, closely followed by unauthorized disclosure, malware and phishing.
  • Just 8% of events were due to lost or stolen devices. Historically, these events would have been more prevalent within this data set, suggesting a downward shift in this trend.

The need for cyber insurance has never been greater.

The number of reported breaches only continues to rise, and as this study revealed, no industry or organization is exempt from risk. The more we learn about the nature of smaller profile breaches, the clearer it becomes that companies of all sizes must concern themselves with cyber education and risk prevention.

To download the 2018 Cyber Breach Insights paper please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.