Some Thoughts and Numbers on Cyber Risk
A lot has been written about cyber attacks, much of it by vendors who are selling cyber risk assessment, crisis management services, insurance, or all three. In this opinion piece on cyber risk, I will attempt to bring a rationalist risk management perspective to the subject. I promise to avoid bias and to keep it as simple as possible, but no simpler.
I will discuss the most common insurable types of losses and then their likelihoods and loss costs. I will not talk about industrial control system cyber risk, which I do not believe is generally insurable under cyber insurance, although it may be under property insurance.
I’ll start with the basic types of losses.
Types of Events
There are four basic types of cyber loss events:
Ransomware or Malware: malware is planted on a server (or workstation) that encrypts the data on it and/or prevents it from working. Nothing is stolen, but a ransom is demanded by the perpetrator for the decryption key. This is the most common type of cyber loss. Less frequently, malware will shut down a server without any ransom demand, or even maliciously manipulate data.
Denial of Service: servers are bombarded with incoming requests from the internet, saturating network links and overwhelming web and communication servers.
Business Email Compromise (including "social engineering"): a phony invoice is submitted from an imposter email address and paid. A CFO or other senior officer is scammed by an imposter email into authorizing a fund transfer to the imposter's bank account. By clicking on a link in an email, a user is tricked into revealing credentials.
Data Breaches: unauthorized entry (hacking) into a database and theft of its information. A thumb drive or laptop is stolen and the information stored on it is exposed. Liability may result for compromise of Personally Identifiable Information (PII) and, for health care firms, Personal Health Information (PHI). Fraud may also result, particularly where payment card data (PCI data) is involved.
For all of these types of cyber loss, extra expenses can be incurred in the form of ransoms, consulting advice, notification costs and credit monitoring costs. Less frequently, there are legal fees and fines. There are a few other less common types of cyber crime, for instance theft of intellectual property.
Event Impact
Next let’s examine the typical severity of each type of event. All of these values are in USD except where indicated.
Ransomware (total global losses: $8 billion): these events are not particularly severe to an organisation if its data and emails are backed up, and the backups are kept isolated from the infected systems (ransomware that can reach a network-attached backup defeats the recovery plan). The ransom itself is generally less than $20,000, but sometimes up to $50,000. According to the Ponemon data, the average ransom payment in 2019 was $36,000. Recovery averages about 10 days and a modest amount of technical work in reloading servers and restoring email accounts (unless there are legacy systems with poor backup). If crisis management services are used, however, these costs can be significant. For instance, in a well-publicised 2016 ransomware event, the University of Calgary paid $20,000 CAD in ransom but an order of magnitude more than that in the cost of event response advisory services from Deloitte. The cure can be worse than the cold.
Business Email Compromise (total global losses: $10.2 billion from 2016 to 2018): depending on the size of the target and the sophistication of the scheme, fraud losses are mostly in the $10,000-$250,000 range (FBI average: ~$130,000). However, very sophisticated scams on large companies can be much larger. There are several such rare but extreme outlier BEC scams. In 2016, a European manufacturer (Leoni) was swindled out of €40 million by one email. Ubiquiti Networks lost $47 million in a single wire transfer scam. Outliers aside, the BEC Maximum Foreseeable Loss (MFL) for most firms is probably $250,000, unless the firm's internal controls on large wire transfers or cheques are virtually non-existent. Insurers routinely deny these as insurance claims. Successful email scams are becoming less frequent as awareness of them increases.
Data Breaches (total global losses estimated for 2019: $2.1 trillion): most often perpetrated on firms holding PII (Personally Identifiable Information), PHI (Personal Health Information) or PCI (Payment Card Information). Expected loss costs from data breaches are much larger than from ransomware and BEC events. Substantial loss data on data breaches is available, which makes quantum assessment of data breaches much more interesting.
Data Breach Loss Data: Ponemon
A widely quoted source on data breach frequency and loss costs is the Ponemon Institute's Cost of a Data Breach Study, most recently published in 2019. Here are a few observations from the report which may provide useful perspective:
The study looked at some 507 data breaches, each involving between 2,000 and 100,000 lost or stolen records.
The average breach involved about 26,000 records and had an average loss cost of about $3.9 million (the average for US organisations, about $8 million, is the figure often quoted).
Hence the average cost per lost or stolen record was calculated by Ponemon to be about $150 (26,000 records at $150 is roughly $3.9 million). This unit cost has been recorded by Ponemon since 2009 and has gradually decreased over time.
The unit record cost varies from breach to breach, but according to Ponemon it is not significantly affected by the size of the breach (i.e. whether it is 5,000 or 100,000 records).
The breakdown of Ponemon data breach costs is roughly as follows:
The post-incident costs include consulting fees, defence costs, legal liability, and identity protection and credit monitoring services for victims. The business loss component was estimated indirectly using "churn rate" statistics. For instance, for financial institutions the churn rate (i.e. the customer attrition rate) was about 4% higher on average after a data breach.
The Ponemon report also measures the frequency of the causes of a data breach, i.e.
The Ponemon data reveals that data breaches with quick notification and/or the use of external consultants had higher costs than those without. Counterintuitive, but that is what the data says.
From its data, Ponemon estimates that the probability of a record breach of 10,000 records or more in the next two years is about 30%, as follows.
IDENTITY THEFT RESOURCE CENTER DATA
Another source of loss and risk data is the Identity Theft Resource Center, which collects data on data breaches in the US. It recorded 1,244 data breaches in 2018, with an average of 310,000 exposed records per breach. This average is more than ten times Ponemon's. To be honest, the credibility of the Identity Theft Resource Center's figures is uncertain.
NET DILIGENCE 2018 CYBER CLAIMS STUDY
And finally, another 2018 study, of 1,201 cyber claims sponsored by a number of insurers, added the following perspectives:
The median cost per breached record was $45 (lower than Ponemon).
Crisis services (investigation, notification and monitoring) represented approximately 50% of the loss.
MEGA BREACHES
There have only been a handful of recorded “mega breaches” (>1 million exposed records). Here are a few:
Ponemon (2019) estimates the average cost of a data breach of 1 million records or more is $42 million, an increase of 8% from 2018.
Liability for Data Breaches
In the US, the majority of courts have dismissed suits for negligent release of information unless the plaintiff can prove actual damages. There are exceptions to this, for instance a 2004 case involving ChoicePoint and 163,000 exposed records, for which liability of about $60 per record was found even though there was no identity theft. In the 2009 Heartland case (130 million records), $110 million in liability to banks and credit card companies was imposed upon Heartland, but no liability to individuals. In 2016, Uber tried to cover up a data breach; in 2018 it agreed to a $148 million settlement.
Where identity theft is established and actual damages are proven, however, US courts do impose liability for a data breach.
In Canada, there are a number of data breach cases where claims have been made and, in a few cases, litigated.
At the end of 2019, a class action lawsuit was filed against LifeLabs, which had suffered a data breach affecting 15 million Canadian patients. Compensation of $1.13 billion CAD has been requested.
In 2017, Equifax had a data breach that affected 19,000 Canadians. A $300 million fund was established to compensate those affected in the US. This figure does not compensate Equifax’s Canadian customers.
A 2011 $40 million CAD class action suit against Durham Regional Health settled for $500,000 CAD plus allowance for more payments to individuals who could prove actual financial loss.
In a 2014 decision involving the Bank of Nova Scotia (Evans), a class action against the Bank was certified arising out of a release of 643 customers’ information (138 of whom had actually become identity theft victims). Costs were not released but have been estimated by some at less than $1 million CAD.
Other Canadian class actions include:
Condon v. HRSD Canada (2014): 583,000 student loan files
Hopkins v. Kay (2014): 280 patient records (based solely on the tort of “intrusion upon seclusion”; no actual identity theft apparently)
Wong v. TJ Maxx (2006): settled for costs of credit monitoring, identity theft insurance and $30-60 for each class member
Speevak v. CIBC (2005): reportedly settled for less than $150,000
Jackson v. Canada (Correctional Services): release of 360 employee records; reportedly settled at about $500,000
IIROC: release of information on 52,000 investment clients, for which $52 million in damages ($1,000 per client) is sought. Thus far IIROC has spent $5.2 million. No fraud or identity theft has been reported, but the case is ongoing.
Obviously the IIROC case stands out as the MFL, at somewhere between $5.2 million (incurred to date) and $52 million (claimed).
Note that, unlike US courts, some Canadian courts appear willing in some instances to award damages where no actual financial loss has occurred, under the tort of intrusion upon seclusion (maximum $20,000 per person), presumably for psychological and aggravated harm. However, other Canadian courts have declined to award such damages for what they term "mild disruption".
What are the takeaways on liability?
An organization that suffers a data breach would almost certainly be liable for any actual fraudulent use of the released records and the costs to third persons directly associated with it. Court awards are more or less as predicted by Ponemon/Verizon.
Liability for released records in the absence of any fraudulent use of them may still be imposed in Canada (intrusion upon seclusion), but outside of credit monitoring costs this liability is likely to be nominal. For instance, based on losses to date in Canada, the MFL liability loss for a mega breach could be subjectively set at $42 million.
Interestingly, many US courts have found coverage for data breach liability under a CGL policy, either as "property damage" ("loss of use of tangible property that is not physically injured") or as "personal and advertising injury" ("publication ... that violates a person's right of privacy").
Event Likelihoods
The likelihood that any given organization will actually suffer one of the three main types of cyber loss (ransomware, BEC, data breach) is, of course, uncertain. According to the loss data, that probability depends primarily upon the following factors:
size of organization
business sector
amount and nature of personal identifiable information (if any)
cyber security controls (firewalls, procedures, internal controls, anti-virus software, training)
However, even rough estimates of individual likelihoods are difficult to derive from the loss data. From my research and reading, the likelihoods for most firms (other than financial or health care) seem to be in the following probability ranges (note that these are not likelihoods of attack, but likelihoods of a successful attack).
Information Overload! What Does It All Mean?
Risk assessment is speculative and can be misleading, particularly if you miss the black swan. That said, what have we learned from all the loss data? Allow me to stick my neck out for you, the average, typical large company (John Doe Corporation). If you are not this company, please make adjustments. If you do not deal in PII, PHI or PCI data, ignore the data breach event.
The general order of magnitude of the cyber risks facing John Doe Corporation can be summarized as follows:
There are, of course, more than a few missing metrics in the above table, amongst them the Maximum Foreseeable Loss (MFL) for each of the three events.
For any firm that does not keep PII, PHI or PCI data, the MFLs are likely less than $1 million. For a firm with PII, the MFL is almost certainly based on a data breach.
How many PII records can be stolen in a single attack? If one can develop a worst case estimate for that, one can estimate the data breach MFL for insurance purposes.
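The reasoning in this section (an annual probability of a successful event, a per-event severity, and an MFL driven by the number of records held) is the standard frequency-times-severity loss model, and it is easy to make it concrete. The following Monte Carlo is an added example written for this page; it is not the author's model. The per-event severities are anchored to figures quoted in the text (the $36,000 average ransom and the Calgary response-cost multiple, the FBI's ~$130,000 BEC average and the $250,000 BEC MFL, the 26,000-record / $150-per-record Ponemon averages and the $42 million mega-breach average, and the per-year breach probability implied by Ponemon's "30% within two years"). The annual probabilities for ransomware and BEC, the 95th-percentile tail anchors and the 20,000-year run length are assumptions, since the article's likelihood table is not reproduced here.

```python
"""Annual cyber-loss Monte Carlo for a hypothetical 'John Doe Corporation'.

Added example, not part of the original article. Frequencies marked ASSUMED
are illustrative; severities are anchored to figures quoted in the text.
Standard library only.
"""
import math
import random
from dataclasses import dataclass


def poisson(lam: float, rng: random.Random) -> int:
    """Draw a Poisson(lam) count (Knuth's method; fine for the small rates used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


@dataclass
class EventType:
    name: str
    annual_prob: float   # P(at least one successful event in a year)
    median_loss: float   # USD per event (median)
    p95_loss: float      # USD per event (95th percentile, fixes the tail)

    def lognormal_params(self):
        """Fit a lognormal whose median and 95th percentile hit the two anchors."""
        mu = math.log(self.median_loss)
        sigma = (math.log(self.p95_loss) - mu) / 1.645   # z(0.95) = 1.645
        return mu, sigma

    def annual_loss(self, rng: random.Random) -> float:
        """Compound Poisson: number of events, each with a lognormal severity."""
        lam = -math.log(1.0 - self.annual_prob)   # Poisson rate with P(N >= 1) = annual_prob
        mu, sigma = self.lognormal_params()
        return sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(lam, rng)))


# Per-year breach probability implied by Ponemon's "30% within two years":
# (1 - p)^2 = 0.70  =>  p = 1 - sqrt(0.70) ~= 0.163
BREACH_ANNUAL_PROB = 1.0 - math.sqrt(0.70)

JOHN_DOE_EVENTS = [
    # Ransomware: $36k average ransom; Calgary-style response costs ~10x the ransom.
    # annual_prob and the $500k tail are ASSUMED.
    EventType("ransomware", annual_prob=0.10, median_loss=36_000, p95_loss=500_000),
    # BEC: FBI average ~$130k; the text's MFL for most firms is $250k. annual_prob ASSUMED.
    EventType("bec", annual_prob=0.05, median_loss=130_000, p95_loss=250_000),
    # Data breach: 26,000 records x $150 = $3.9M; $42M mega-breach average as the tail anchor.
    EventType("data_breach", annual_prob=BREACH_ANNUAL_PROB,
              median_loss=3_900_000, p95_loss=42_000_000),
]


def data_breach_mfl(records_held: int, unit_cost: float = 150.0) -> float:
    """Worst case for the breach event: every record held, at the per-record cost."""
    return records_held * unit_cost


def simulate(events=JOHN_DOE_EVENTS, years: int = 20_000, seed: int = 2019) -> dict:
    """Simulate `years` independent years and summarise the aggregate annual loss."""
    rng = random.Random(seed)
    losses = sorted(sum(e.annual_loss(rng) for e in events) for _ in range(years))

    def quantile(p: float) -> float:
        return losses[min(int(p * years), years - 1)]

    return {
        "mean": sum(losses) / years,          # the expected annual loss (premium basis)
        "p50": quantile(0.50),
        "p95": quantile(0.95),
        "p99": quantile(0.99),                # a tail figure to compare against the MFL
        "prob_any_loss": sum(1 for x in losses if x > 0) / years,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>14}: {value:.1%}" if key == "prob_any_loss" else f"{key:>14}: ${value:,.0f}")
    print(f"data breach MFL, 1M PII records: ${data_breach_mfl(1_000_000):,.0f}")
```

Two things the model makes visible that the prose does not: the median annual loss is zero (most years nothing happens), so the expected loss is entirely driven by the rare, heavy-tailed breach event; and the MFL question asked above reduces to `records_held * unit_cost`, which for a million-record PII store is $150 million at Ponemon's unit cost, well above the $42 million mega-breach average, so the unit cost you pick for large breaches (Ponemon's $150 or NetDiligence's $45 median) matters more to the MFL than anything else in the model.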