NetDiligence’s 2016 Cyber Claims Study Shows Data Breach Risks Concern Organizations Large and Small


By: Melissa A. Santalone

NetDiligence’s 2016 study of cyber insurance claims made during the year shows that data breaches are not just problems for retail giants or Fortune 500 companies. Huge breaches, including those with over 1 million records lost, occurred in organizations of all sizes, from “mega-revenue” companies with over $100 billion in revenue per year down to so-called “nano-revenue” organizations, which NetDiligence defines for purposes of its study as those businesses with less than $50 million per year in revenue. Indeed, nano-revenue companies made up the largest subsection of organizations making cyber claims, with 49% of the claims submitted for the study, followed by “micro-revenue” companies ($50-300 million) with 25% and “small-revenue” organizations ($300 million – 2 billion) with 13%. The study indicates this may simply reflect the fact that smaller companies are more numerous overall. However, the study hypothesizes, this finding may also be related to less awareness of cyber security risks and fewer resources available for employee training and protective measures.

The study also analyzed causes of breaches in relation to their costliness, finding that malicious activity leads to higher average costs per claim. Hackers, malware/viruses, and “rogue employees” caused 51% of data breaches in the claims submitted. These claims, the study theorizes, were likely more costly due to the larger amounts of records affected. While the average claim for a large organization costs ten times that of small organizations, some of the largest claims in this year’s data set came from nano-, micro-, and small-revenue companies. Specifically, 21 claims in excess of $1 million came from these smaller organizations, with 86% of those 21 claims having been caused by hackers and malware/viruses. However, a not-insignificant portion of claims had insider involvement – 30% to be exact – and most of the claims with insider involvement resulted from inadvertent exposure of the data.

NetDiligence’s study indicates that small businesses are far from safe from data breaches and actually make the lion’s share of cyber claims.  While these claims are generally less costly on average, the risk of a breach of significant cost is real, and threats to cyber security come from both inside and outside organizations.  This is why we have consistently stressed the importance of all organizations making the investment to be proactive by conducting regular data security assessments and preparing for the possibility of a data breach by implementing an incident response plan.  Please contact one of the attorneys from our Cyber Liability, Data Security & Privacy team to discuss how to best prepare and protect your organization.