We've all read or heard about the many data breaches and cyber"incidents" in the news, including Sony, the U.S. government'sOffice of Personnel Management, and several airlines. To put thosedata breaches—a more accurate term than cyber attacks—inperspective, Tim Francis, Enterprise Cyber Lead, Travelers,speaking at a recent cyber media event, "Hacked: The Realities of aCyber Event," held Oct. 1 in Washington, D.C., provided an overviewof the threat landscape. He explained that according to theSymantec Internet Security Report, there are34,529 known computer security penetration incidents perday. Not all the incidents result in the theft of personallyidentifiable information but the huge numbers are troublesome.

|

The panel, moderated by Joan K. Woodward, President, TravelersInstitute and Executive Vice President, Public Policy, alsoincluded

  • Tom Finan, Senior Cybersecurity Strategist and Counsel, U.S.Department of Homeland Security
  • Chris Hauser, 2nd Vice President, Cyber Fraud, TravelersInvestigative Services and former FBI agent responsible for cyberinvestigations
  • John Mullen, Managing Partner, Lewis Brisbois Bisgaard &Smith LLP, and Chair, U.S. Data Privacy & Network SecurityPractice
  • Melanie Dougherty-Thomas, Managing Director, CrisisCommunications Management, Inform

The panelists agreed that small to mid-sized businesses are themost vulnerable, and one successful attack can shut thosebusinesses down completely. But what types of claims are the mostcommon and what do they really cost?

|

Travelers' cybersecurity experts have developed common cyberclaims scenarios across five industries, as shown in the followingpages. The costs add up quickly, often reaching more than $1million.

|

Click NEXT to learn more about the specificindustries and how their data breaches happened.

|

[Related: What keeps Americans up at night? TravelersConsumer Risk Index]

|

Male-sales-assistant-checkout-counter-older-couple-buying-clothes-ThinkstockPhotos-crop-109266267-Monkey Business Images

|

(Photo: Thinkstock/Monkey Business Images)

|

1. Hack in the retail industry

|

Company Profile:  A local retailer, $30 million inrevenue

|

A credit card company identified 50,000 credit cards that wereused legitimately at a retailer and then were subsequentlycompromised. The retailer also needed to hire a law firm to serveas counsel and breach coach. Costs included required notificationsto the 50,000 victims as well as on-going credit monitoring. As aresult of this incident a class action lawsuit was filed.

|

According to the NetDiligence® Data Breach Cost Calculator theestimated costs for this event for the retailercould be:

Incident Investigation Costs:

$158,000

Customer Notification and Crisis Management Costs:

$920,000

Class Action Lawsuit Costs:

$689,000

PCI Related Costs:

$783,000

Total Costs:

$2,550,000

 According to the Ponemon 2015 Cost of Data Breach Study, anaverage event of this type could drive the averagecosts up to $5,920,000 for a business.

Lost Business Costs:

$3,720,000

Post Breach Costs:

$1,640,000

Notification Costs:

$560,000

Risk Management Tips:

  • Maintain and frequently review complianceobligations under the Payment Card Industry (PCI) Agreement.
  • Consider implementing end-to-end encryption ofcredit card transactions.
  • Employ a chief information security officer(CISO) to develop and implement your business-wide data privacyprocedures.

Editor's Note: The NetDiligence® DataBreach Cost Calculator and other tools are available to insurers onthe Travelers' eRisk Hub®. eRisk Hub isa registered trademark of NetDiligence.

|

Large-hospital-building-crop-ThinkstockPhotos-483184788-peterspiro

|

(Photo: Thinkstock/peterspiro)

|

2. Hack in the healthcare industry

|

Company Profile:  A Nonprofit Hospital, $100 million inannual revenue

|

An employed physician of the hospital accidently left hishospital-issued laptop on a train.  The laptop containedan unencrypted database of current patient records that includedprotected health information with the name, Social Security number,credit card, insurance ID and limited medical information of 550patients. The data stored on that laptop was completely unsecuredas it did not contain remote take-down capabilities nor was itpassword protected. 

|

According to the NetDiligence® Data Breach Cost Calculator theestimated costs of the 550 lost records for theNonprofit Hospital could be:

Incident Investigation Costs:

$180,000

Customer Notification and Crisis Management Costs:

$34,000

Fines & Penalties:

$167,000

Total Costs:

$381,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event ofthis type impacts 28,000 records driving theaverage cost to a business to $3,149,000.

Detection Costs:

$610,000

Notification Costs:

$560.000

Regulatory Costs:

$1,979,000

Risk Management Tips:

  • Implement procedures for using effectivepasswords and mandate periodic changes.
  • Consider implementing security measuresincluding encrypting protected health information (PHI) that may bestored on the laptops and having remote disablingcapabilities.
  • Consider storing PHI on acentral server and accessing the information via a secureconnection.

Computer-monitor-online-banking-screen-crop-ThinkstockPhotos-516283059-ayo888

|

(Photo: Thinkstock/ayo888)

|

3. Hack in the financial industry

|

Company Profile:  A Community Bank, $350 million inassets

|

Computer hackers commenced a distributed denial-of-serviceattack (DDoS) to the bank's website as a smoke screen to hack intoits network. This malicious attack shut down the bank's onlinebanking for three days.

|

According to the NetDiligence® Data Breach Cost Calculator theestimated costs for this event for the CommunityBank could be:

Incident Investigation Costs:

$192,000

Customer Notification and Crisis Management Costs:

$475,000

Fines & Penalties:

$132,000

Total Costs:*

$799,000

*Not including the loss of business income the bank sufferedduring the attack.

According to the Ponemon 2015 Cost of Data Breach Study, anaverage event of this type could drive the averagecosts up to $2,810,000 for a business.

Detection Costs:

$610,000

Notification Costs:

$560,000

Post Breach Costs:

$1,640,000

Risk Management Tips:

  • Create, implement and test a businesscontinuity plan and disaster recovery plan.
  • Implement an intrusion detection system onyour network.
  • Have a secondary system available for onlineaccess, and ensure this system is regularly tested forfunctionality.

Asian-woman-working-on-laptop-in-office-ThinkstockPhotos-87455862-Ablestock.com

|

(Photo: Thinkstock/Ablestock.com)

|

4. Hack in the technology industry

|

Company Profile: Software as a Service (SAAS) provider of humanresources and membership management software for gymnasiumscountrywide

|

An employee opened up a phishing e-mail that infiltrated thecompany's centralized network. Anti-virus software failed to keepout the malicious code, exposing names, addresses, dates of birth,Social Security numbers and financial information, such as creditcard and bank account numbers. A computer forensics investigatorwas hired, who determined that personally identifiable informationhad been compromised. This included information related to thecustomers' employees as well as the company's ownemployees. 

|

According to the NetDiligence® Data Breach Cost Calculator* theestimated costs for this event for the softwareservice provider could be:

Incident Investigation Costs:

$291,000

Customer Notification and Crisis Management Costs:

$504,000

Fines & Penalties:

$550,000

Total Costs:

$1,345,000

According to the Ponemon 2015 Cost of Data Breach Study, anaverage event of this type could drive the averagecosts up to $2,810,000 for a business.

Detection Costs:

$610,000

Notification Costs:

$560,000

Post Breach Costs:

$1,640,000

Risk Management Tips:

  • Implement vendor security into yourInformation Security policies and procedures.
  • Add provisions that address cybersecurity intoyour vendor contracts.
  • Practice cyber-attack response drills withyour vendors.

[Related: Cyber security precautions needed with insurer-TPArelationships]

|

Factory-workers-view-looking-down-crop-ThinkstockPhotos-82659764-Felipe Dupouy

|

(Photo: Thinkstock/Felipe Dupouy)

|

5. Hack in the manufacturing industry

|

Company Profile:  A manufacturer with 400 employees

|

The Internal Revenue Service discovered that hundreds offraudulent tax returns were filed on behalf of employees that workfor the same manufacturing company. They notified the FBI, and theFBI alerted the manufacturer. The investigation determined that thepersonnel files of 298 past and current employees had beenaccessed. 

|

According to the NetDiligence® Data Breach Cost Calculator theestimated costs of the 298 lost records for themanufacturer could be:

Incident Investigation Costs:

$180,000

Customer Notification and Crisis Management Costs:

$29,000

Fines & Penalties:

$6,000

Total Costs:

$215,000

According to the Ponemon 2015 Cost of Data Breach Study, anaverage event of this type impacts 28,000 records, driving theaverage cost to a business to $1,728,000.

Detection Costs:

$610,000

Notification Costs:

$560,000

Legal Settlement Costs: 

$558,000

Risk Management Tips:

  • Establish an information retention policy andinclude guidance on what types of information should be retained,how long it should be retained and procedures for destruction ofunneeded data.
  • Establish new hire training and regularlyscheduled refresher training courses in order to instill the datasecurity culture of your organization.
  • Create, implement and test an incidentresponse plan.

As Tim Francis likes to remind business owners and riskmanagers, all businesses are vulnerable: "It's not a matter ofif, but when." Be sure to review your insurancecoverage with your agent, broker or carrier to understand whatcyber coverage you have and what you might need.

|

[Related: 6 tips for selling cyberinsurance]

How can you transform your risk managementpreparedness and response strategy into a competitiveadvantage? Introducing ALM's cyberSecure — Atwo-day event designed to provide the insights and connectionsnecessary to implement a preparedness and response strategy thatchanges the conversation from financial risk to competitiveadvantage.  Learnmore about how this inaugural event can help youreduce risk and add business value.

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

  • All PropertyCasualty360.com news coverage, best practices, and in-depth analysis.
  • Educational webcasts, resources from industry leaders, and informative newsletters.
  • Other award-winning websites including BenefitsPRO.com and ThinkAdvisor.com.
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Rosalie Donlon

Rosalie Donlon is the editor in chief of ALM's insurance and tax publications, including NU Property & Casualty magazine and NU PropertyCasualty360.com. You can contact her at [email protected].