A data breach may not only damage your computer system or IT infrastructure, but it may also destroy your brand reputation. The consequences can be severe enough to drive organisations, whether large companies or small businesses, into bankruptcy.
In short, a data breach may impact an organisation in the following ways:
The cost of responding to a data breach, such as hiring a public relations firm or offering identity theft protection services to affected customers, can add up quickly.
Damage to reputation
A data breach can harm a company’s reputation and public image, leading to a loss of customer trust and loyalty.
If sensitive data or information is lost or stolen, organisations may be liable for regulatory fines, lawsuits, or other legal action.
Loss of sensitive information
In some cases, a data breach can result in the loss of sensitive information, such as credit card numbers, Social Security numbers, or medical records.
A data breach can disrupt business operations and result in lost productivity, sales, and revenue.
Overall, the impacts of a data breach may lead to devastating results.
At a time when cyber crime is at its peak, organisations need an insurance policy that provides at least limited cyber coverage against financial losses caused by cyber attacks, data breaches and other related incidents.
In this article, we’ll look at some statistics and figures for cyber insurance claims and payouts.
What is cyber insurance?
Before we look at the numbers, facts and figures, let us first understand what cyber insurance is and why it is important.
Cyber insurance is a type of insurance policy that provides coverage against financial losses resulting from cyber-attacks, identity fraud, data breaches, and other related events. The coverage offered by cyber insurance policies can vary but often includes expenses such as the cost of response and recovery after a cyber event, as well as compensation for losses such as data damage, business interruption, and theft of funds. Cyber insurance policies can also provide access to resources and expertise for managing the aftermath of a data breach, such as identity fraud, public relations and credit monitoring services. The purpose of cyber insurance is to help organisations manage the financial and operational risks associated with cyber threats.
What is the importance of cyber insurance? Why is cyber insurance needed?
Cyber insurance is becoming increasingly important for organisations due to the growing frequency and severity of cyber threats. Some of the reasons why cyber insurance is important and necessary include the following:
Protects against financial losses
Cyber insurance can help organisations recover from the financial losses that can result from a cyber-attack or data breach.
Manages legal and regulatory risks
Cyber insurance can help organisations navigate the legal and regulatory landscape, potentially covering the costs of fines, lawsuits, and regulatory investigations.
Enhances overall security posture
By purchasing cyber insurance, organisations can demonstrate to stakeholders that they are taking cyber security seriously and are proactively managing risks.
Facilitates breach response
Cyber insurance can provide access to resources and expertise for managing the aftermath of a data breach, such as public relations and credit monitoring services.
Bridges the gap in traditional insurance coverage
Traditional insurance policies may not provide adequate cyber coverage for losses related to cyber-attacks and data breaches, making cyber insurance a necessary supplement.
How does having cyber insurance protect organisations from data breaches?
Cyber insurance protects organisations from the potential harm a data breach may cause, both financially and operationally. It offers numerous benefits to organisations facing data breaches, including:
Coverage for response and recovery costs
Cyber insurance covers the expenses involved in responding to and recovering from a data breach, which may include digital forensics investigations and data restoration efforts.
Reimbursement for losses
Cyber insurance provides compensation for financial losses resulting from a data breach, including lost revenue, business interruption, and theft of funds.
Access to resources and expertise
Cyber insurance may provide organisations with access to resources and expertise to manage the aftermath of a data breach, such as public relations.
Legal and regulatory support
Cyber insurance offers support in dealing with the legal and regulatory implications that may arise from a data breach and also covers the costs of fines, lawsuits, and regulatory investigations.
Some general cyber insurance coverage and claims statistics over the last few years
- The cyber insurance market globally was estimated to be worth around $7 billion in the year 2020.
- The cyber insurance market is forecast to grow at a compound annual growth rate of over 15% from 2021 to 2028.
- In the past five years, there has been a substantial rise, nearly 50%, in the number of firms that bought cyber insurance.
- Approximately 60% of small to medium-sized businesses in the US currently have cyber insurance coverage.
- In the United Kingdom, premiums for cyber insurance have increased by more than 70% over the past two years.
- According to a report by Beazley, the average cost for a cyber insurance claim stands at $600,000.
- The financial services sector experiences the highest average cost per claim, which is $1.2 million.
- In Europe, the average cost per claim is $180,000.
- Approximately 90% of cyber insurance claims are linked to data breaches.
- The average length of time to resolve a cyber insurance claim is 4 months.
- A typical deductible for a cyber insurance policy is $10,000.
- It is anticipated that the cost of cyber insurance premiums will keep increasing over the next 5 years.
- In 2021, the majority of cyber insurance claims for standalone cyber insurance policies in the United States were for first-party claims, accounting for 75% of all claims.
- Around 10,100 first-party cyber insurance claims were filed for standalone cyber insurance policies in that year.
- By contrast, only 3,500 third-party insurance claims were filed.
- Approximately 9,350 first-party cyber claims were filed for packaged cyber insurance policies in 2021.
- Likewise, the number of third-party cyber claims filed for packaged policies was relatively low, with only 2,950 claims reported.
- The frequency of cyber insurance companies reimbursing businesses for expenses related to ransomware incidents increased from 2019 to 2021.
- However, the frequency of cyber insurance companies paying the average ransom declined over the same period.
- Based on a survey of IT professionals in 31 countries, cyber insurance providers made claim payouts in response to 98% of claims in 2021.
- This percentage is higher than the 95% payout rate two years before.
- After experiencing ransomware attacks, the majority of organisations worldwide that had cyber insurance policies received some form of financial compensation from their cyber insurers.
- More than 72% of organisations’ clean-up costs were covered by cyber insurance in most ransomware incidents.
- Only 58% and 44% of organisations in lower education and local/state government, respectively, received a payout for these losses.
- A majority of Europe’s biggest insurance groups do not provide any type of cyber insurance, according to a 2019 survey.
- A majority of insurance providers that offered cyber insurance provided standalone coverage through both standalone policies and endorsements to other policies like professional liability insurance.
- By 2025, the global cyber insurance market is anticipated to grow to around 22 billion U.S. dollars, representing a doubling of its current size.
Some cyber insurance claims statistics
- In a 2022 survey, only 19% of organisations reported having cyber insurance coverage that extends beyond $600,000.
- In 2022, 1,153 cyber insurance claims were related to business email compromise scams.
- Approximately 8,100 cyber insurance claims were paid in 2021.
- Of the cyber insurance claims made in the past 7 years, 73% were related to data breaches, incident response, and crisis management.
- Small and medium-sized enterprises (SMEs) have become a prime target for cyber attacks, with over 56% of claims originating from companies with less than 25 million dollars in revenue.
- The average cost of a cyber insurance claim for an SME is approximately $345,000.
- Ransomware was the main cause of recovery expense losses, accounting for 81% of such claims.
- The frequency of cyber insurance claims has increased by 100% in the past three years.
- This is coupled with a 200% increase in claims that were closed with payments.
- 27% of data breach claims had exclusions within the insurance package, resulting in either non-payment or partial payments.
- By comparison, 24% of first-party claims had exclusions within the insurance package.
- The cyber insurance industry is already substantial, and it is projected to expand even further in the future.
- In 2020, the global cyber insurance market was valued at $7.8 billion, according to the latest data available.
- Industry forecasts indicate that cybersecurity insurance will continue to grow, with expectations that it will become a $20 billion market by 2025.
- Business cyber insurance makes up the majority of the cybersecurity insurance market, with 75% of cyber insurance premiums in the United States in 2018 being for businesses.
- The remaining 25%, equivalent to $500 million, was for individuals.
Some statistics for cyber insurance premiums
Cyber insurance premiums are the charges insurance providers impose on policyholders in return for protecting them against financial losses and liabilities resulting from cyber incidents such as data breaches and other cyber events and attacks. The amount of the premium is usually based on several factors, including the extent of offering cyber coverage separately, the nature of the business, the company’s size, the industry sector, and the overall cybersecurity posture of the organisation.
- Stand-alone cyber insurance policies have become the predominant type of cyber insurance policy in the U.S., with 1.63 billion U.S. dollars of stand-alone policies written in 2020, surpassing the 1.12 billion U.S. dollars of packaged policies.
- In 2015, the figures were 488 million and 515 million U.S. dollars for stand-alone and packaged policies, respectively.
- The loss ratio for stand-alone cyber insurance policies in the United States decreased by 7% between 2020 and 2021.
- The loss ratio in 2021 was 65%, which is a decrease from 72% in the previous year.
- More than half of small and medium-sized enterprises (SMEs) in the United Kingdom experienced a price increase in their cyber insurance premiums in 2022.
- Among this group, only 13.7% of policyholders reported an increase in their insurance coverage with the price increase.
- By comparison, 36.3% of SMEs in 2022 saw no change in their cyber insurance premiums.
- Chubb Ltd. was the largest provider of cyber security insurance in the United States in 2021.
- A Swiss property and casualty insurer wrote 473 U.S. dollars in cyber security premiums in 2021.
- French cyber insurers saw an increase of 55 million euros in earned premiums between 2020 and 2021.
- Earned cybersecurity insurance premiums in France reached 185.4 million euros in 2021, up from 130 million euros in the previous year.
Common reasons for cyber insurance claims
Phishing is a type of social engineering attack that involves tricking individuals into revealing sensitive information, such as passwords or credit card details, by posing as a trustworthy entity through email, text messages, or fake websites. The goal of phishing is to steal personal information for malicious purposes, such as identity theft or financial fraud.
- It was reported that in 2021 nearly 83% of organisations fell victim to phishing attacks.
- For three consecutive years, phishing has remained a prevalent form of cybercrime.
- The number of phishing victims in 2021 reached a total of 323,972.
- In comparison to other types of attacks, such as investment fraud, the average amount of money lost per phishing victim is relatively low, at $136.
- The top brands impersonated in phishing attacks include Amazon and Google, which account for 13% of cases, followed by Facebook and WhatsApp at 9%, and Netflix and Apple at 2%.
Credit fraud is a type of financial crime in which an individual uses someone else’s personal and financial information to obtain credit, loans, or goods and services in their name without their knowledge or consent. This illegal activity involves the creation of false identities and impersonation of legitimate credit card holders or account holders and can result in catastrophic financial losses and damage to a person’s credit rating.
- Over the course of 2021-2022, there were notable occurrences of credit fraud, identity theft, and bank fraud.
- Notably, there was a 1% decrease in credit fraud.
- Identity theft increased by 7%.
- The number of bank frauds rose significantly by 39%.
- Additionally, there was a 64% increase in instances of fraudsters utilising stolen information to establish bank accounts under their victims’ names.
Internet scams refer to fraudulent activities conducted over the internet with the aim of stealing money, personal information, or other valuable assets from unsuspecting victims. These scams typically involve deceiving victims into giving away their personal and financial information or making fraudulent payments to the scammer. Some common types of internet scams include phishing, advance fee fraud, lottery scams, business email compromise, fake online shopping websites, and investment scams. These scams are often carried out through email, social media, or other online platforms and can cause significant financial and personal harm to victims.
- Scams such as business email compromise were the second most frequent cause of loss leading to a claim on cybersecurity insurance.
- The number of cybersecurity insurance claims related to such incidents has risen from 80 in 2017 to nearly 300 in 2021, with a projected increase expected in the coming two years.
- Out of the 1,153 cyber insurance claims filed in 2022, business email compromise scams were responsible for the majority (1,153). The majority of these BEC attacks occurred in 2020 and 2021, accounting for 57% of the total claims.
- Business email compromise was responsible for approximately 10% of the total incident cost associated with cyber insurance claims in 2022.
- In 2020, more than 450 scams related to financial support during the COVID-19 pandemic were reported.
Malware is a significant cyber risk for businesses and organisations, as it can cause significant financial and reputational damage. As a result, cyber insurance policies often provide coverage for losses resulting from malware attacks. This coverage may include the costs associated with repairing or replacing damaged systems, lost revenue, and legal liabilities.
In addition, some cyber insurance policies may provide access to specialised cybersecurity resources, such as incident response teams, to help mitigate the impact of a malware attack. Some policies may also provide coverage for the costs of notifying affected customers and providing credit monitoring services to protect against identity theft.
- The average cost of a malware attack to a company is over $2.5 million, including damages and the time taken to recover.
- Furthermore, in 2021, ransomware became even more destructive than in previous years, up until 2017.
- Businesses are increasingly being targeted by malware and ransomware, resulting in over 4,500 victims in 2021.
- Among 1,500 claims from 2019 to 2021, 55% were due to ransomware.
- In 2022, there were 2,123 claims filed due to ransomware.
- 45% of these occurred in 2020 and 2021.
- Ransomware was the leading cause of loss for small and medium-sized enterprises, accounting for 51% of the total incident cost.
- Malicious hacking attacks followed ransomware attacks at 18%.
The cyber insurance market is growing fast as large and small businesses face an increasing number of cyber threats. Standalone policies have become the preferred option, and more companies have started opting for them. Most claims are first-party claims related to data breaches and other incidents.
While ransomware attacks are on the rise, insurers are more frequently reimbursing clean-up costs rather than paying ransoms. As the global cyber insurance market continues to expand, it will be interesting to see how insurance companies adapt to the changing threat landscape and evolving cyber risks.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.