
Hacked! The cost of a cyber breach, in 5 different industries

Travelers’ cybersecurity experts discuss five common cyber claims scenarios.

The cost of a data breach or other cyber incident can quickly add up to hundreds of thousands, if not millions, of dollars. (Photo: Thinkstock/solvod)

We’ve all read or heard about the many data breaches and cyber “incidents” in the news, including those at Sony, the U.S. government’s Office of Personnel Management, and several airlines. To put those data breaches—a more accurate term than cyber attacks—in perspective, Tim Francis, Enterprise Cyber Lead at Travelers, provided an overview of the threat landscape at a recent cyber media event, “Hacked: The Realities of a Cyber Event,” held Oct. 1 in Washington, D.C. He explained that, according to the Symantec Internet Security Report, there are 34,529 known computer security penetration incidents per day. Not all of the incidents result in the theft of personally identifiable information, but the huge numbers are troublesome.

The panel, moderated by Joan K. Woodward, President, Travelers Institute and Executive Vice President, Public Policy, also included:

  • Tom Finan, Senior Cybersecurity Strategist and Counsel, U.S. Department of Homeland Security
  • Chris Hauser, 2nd Vice President, Cyber Fraud, Travelers Investigative Services and former FBI agent responsible for cyber investigations
  • John Mullen, Managing Partner, Lewis Brisbois Bisgaard & Smith LLP, and Chair, U.S. Data Privacy & Network Security Practice
  • Melanie Dougherty-Thomas, Managing Director, Crisis Communications Management, Inform

The panelists agreed that small to mid-sized businesses are the most vulnerable, and one successful attack can shut those businesses down completely. But what types of claims are the most common and what do they really cost?

Travelers’ cybersecurity experts have developed common cyber claims scenarios across five industries, as shown in the following pages. The costs add up quickly, often reaching more than $1 million.


1. Hack in the retail industry

Company Profile:  A local retailer, $30 million in revenue

A credit card company identified 50,000 credit cards that were used legitimately at a retailer and then were subsequently compromised. The retailer also needed to hire a law firm to serve as counsel and breach coach. Costs included required notifications to the 50,000 victims as well as on-going credit monitoring. As a result of this incident a class action lawsuit was filed.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs for this event for the retailer could be:

  • Incident Investigation Costs: $158,000
  • Customer Notification and Crisis Management Costs: $920,000
  • Class Action Lawsuit Costs: $689,000
  • PCI Related Costs: $783,000
  • Total Costs: $2,550,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $5,920,000 for a business.

  • Lost Business Costs: $3,720,000
  • Post Breach Costs: $1,640,000
  • Notification Costs: $560,000

Risk Management Tips:

  • Maintain and frequently review compliance obligations under the Payment Card Industry (PCI) Agreement.
  • Consider implementing end-to-end encryption of credit card transactions.
  • Employ a chief information security officer (CISO) to develop and implement your business-wide data privacy procedures.

Editor’s Note: The NetDiligence® Data Breach Cost Calculator and other tools are available to insurers on the Travelers’ eRisk Hub®. eRisk Hub is a registered trademark of NetDiligence.


2. Hack in the healthcare industry

Company Profile:  A Nonprofit Hospital, $100 million in annual revenue

A physician employed by the hospital accidentally left his hospital-issued laptop on a train. The laptop contained an unencrypted database of current patient records that included protected health information with the name, Social Security number, credit card, insurance ID and limited medical information of 550 patients. The data stored on that laptop was completely unsecured: the laptop had no remote take-down capabilities, nor was it password protected.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs of the 550 lost records for the Nonprofit Hospital could be:

  • Incident Investigation Costs: $180,000
  • Customer Notification and Crisis Management Costs: $34,000
  • Fines & Penalties: $167,000
  • Total Costs: $381,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type impacts 28,000 records driving the average cost to a business to $3,149,000.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Regulatory Costs: $1,979,000

Risk Management Tips:

  • Implement procedures for using effective passwords and mandate periodic changes.
  • Consider implementing security measures including encrypting protected health information (PHI) that may be stored on the laptops and having remote disabling capabilities.
  • Consider storing PHI on a central server and accessing the information via a secure connection.


3. Hack in the financial industry

Company Profile:  A Community Bank, $350 million in assets

Computer hackers launched a distributed denial-of-service (DDoS) attack against the bank’s website as a smoke screen to hack into its network. This malicious attack shut down the bank’s online banking for three days.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs for this event for the Community Bank could be:

  • Incident Investigation Costs: $192,000
  • Customer Notification and Crisis Management Costs: $475,000
  • Fines & Penalties: $132,000
  • Total Costs:* $799,000

*Not including the loss of business income the bank suffered during the attack.

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $2,810,000 for a business.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Post Breach Costs: $1,640,000

Risk Management Tips:

  • Create, implement and test a business continuity plan and disaster recovery plan.
  • Implement an intrusion detection system on your network.
  • Have a secondary system available for online access, and ensure this system is regularly tested for functionality.


4. Hack in the technology industry

Company Profile: Software as a Service (SAAS) provider of human resources and membership management software for gymnasiums countrywide

An employee opened a phishing e-mail that infiltrated the company’s centralized network. Anti-virus software failed to keep out the malicious code, exposing names, addresses, dates of birth, Social Security numbers and financial information, such as credit card and bank account numbers. A computer forensics investigator was hired, who determined that personally identifiable information had been compromised. This included information related to the customers’ employees as well as the company’s own employees.

According to the NetDiligence® Data Breach Cost Calculator* the estimated costs for this event for the software service provider could be:

  • Incident Investigation Costs: $291,000
  • Customer Notification and Crisis Management Costs: $504,000
  • Fines & Penalties: $550,000
  • Total Costs: $1,345,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $2,810,000 for a business.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Post Breach Costs: $1,640,000

Risk Management Tips:

  • Implement vendor security into your Information Security policies and procedures.
  • Add provisions that address cybersecurity into your vendor contracts.
  • Practice cyber-attack response drills with your vendors.


5. Hack in the manufacturing industry

Company Profile:  A manufacturer with 400 employees

The Internal Revenue Service discovered that hundreds of fraudulent tax returns had been filed on behalf of employees who work for the same manufacturing company. The IRS notified the FBI, and the FBI alerted the manufacturer. The investigation determined that the personnel files of 298 past and current employees had been accessed.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs of the 298 lost records for the manufacturer could be:

  • Incident Investigation Costs: $180,000
  • Customer Notification and Crisis Management Costs: $29,000
  • Fines & Penalties: $6,000
  • Total Costs: $215,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type impacts 28,000 records, driving the average cost to a business to $1,728,000.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Legal Settlement Costs: $558,000

Risk Management Tips:

  • Establish an information retention policy and include guidance on what types of information should be retained, how long it should be retained and procedures for destruction of unneeded data.
  • Establish new hire training and regularly scheduled refresher training courses in order to instill the data security culture of your organization.
  • Create, implement and test an incident response plan.

As Tim Francis likes to remind business owners and risk managers, all businesses are vulnerable: “It’s not a matter of if, but when.” Be sure to review your insurance coverage with your agent, broker or carrier to understand what cyber coverage you have and what you might need.
