Data breaches can be costly, no matter how large or small an organization may be.
That’s a key takeaway of the latest NetDiligence study on cyber claims costs that analyzed 176 data breach claims submitted by insurers.
While the average claim for a large organization—at $6 million—was 10 times the average claim for a small organization, some of the largest claims in this year’s study came from smaller organizations with revenues of $2 billion or less.
This year’s dataset included 21 claims in excess of $1 million (12 percent), of which 81 percent (17 out of 21) involved nano-, micro- and small-revenue organizations that were victims of either hackers or malware.
The largest legal costs (defense and settlements) in this year’s study were from two micro-organizations (revenues of $50 million to $300 million). One lost valuable trade secrets to a hacker, while the other exposed protected health information due to a lost laptop.
The combined legal costs for these two organizations ranged from $1.5 million to more than $4.5 million, NetDiligence said.
Interestingly, the average claim payout across the dataset was $495,000, while the median claim payout was $49,000.
The highest average claim payout—$1.3 million—was in the financial services sector.
The majority of claims (87 percent) submitted for analysis in this year’s study came from smaller organizations with revenues of $2 billion or less.
NetDiligence said this is in line with previous findings that smaller organizations experience most of the incidents. This is likely because there are simply more small organizations than large ones.
Other contributing factors may be that smaller organizations are less aware of their exposure or they have fewer resources to provide appropriate data protection and/or security awareness training for employees, NetDiligence said.
This point underscores the growing need for smaller companies to purchase cyber insurance.
While many leading cyber liability insurers are participating in the study, NetDiligence noted that there are many insurers that have not yet processed enough cyber claims to be able to participate.