Some Thoughts and Numbers on Cyber Risk
A lot has been written about cyber attacks, much by vendors who are selling cyber risk assessment, crisis management services, insurance, or all three. In this opinion piece on cyber risk, I will attempt to bring a rationalist risk management perspective to cyber risk. I promise to avoid any bias and to keep it as simple as possible, no simpler.
I’ll discuss the most common insurable types of losses and then their likelihoods and loss costs. I’ll not talk about industrial control system cyber risk, which I don’t believe is generally insurable under cyber insurance but may be under property insurance.
In a later companion piece, I’ll be discussing how and where cyber insurance covers the various loss components. But before discussing insurance, let’s get a handle on the likelihood and financial consequences.
I’ll start with the basic types of losses.
Types of Events
There are three basic types of cyber loss events:
- Ransomware or Malware: a virus or malware is embedded on a server that encrypts the data on that server and/or prevents the server from working (Denial of Service). Nothing is stolen but a ransom is demanded by the perpetrator for the decryption key. This is the most common type of loss. Less frequently, malware will shut down a server without ransom (denial of service) or even maliciously manipulate data.
- Business Email Compromise (including “social engineering”): a phony invoice is submitted from an imposter email address and paid. Alternatively, a CFO or other senior officer is scammed by imposter email into authorizing a fund transfer to the imposter’s bank account (often covered by crime insurance).
- Data Breaches: unauthorized entry (hacking) into a database and theft of its information. Liability may result for compromise of Personal Identifiable Information (PII). For health care firms, for Personal Health Information (PHI). Fraud may also result, particularly to the Payment Card Industry (PCI).
For all three types of cyber losses, extra expenses can be incurred in the form of ransoms, consulting advice, notification costs and credit monitoring costs. Infrequently, there are legal fees and fines. There are a few other less common types, for instance theft of intellectual property.
Next let’s examine the typical severity of each type of event.
- Ransomware (total global losses: $1 billion): these events are not particularly severe to an organization if its data and emails are backed up. The ransom itself is generally less than $20,000, often in the $500-$5,000 range. Recovery usually only takes a few days and a modest amount of technical work in reloading servers and rebooting email accounts (unless there are legacy systems with poor backup). If crisis management services are used, however, these costs could be significant. For instance, in a well-publicized 2016 ransomware event, the University of Calgary paid $20,000 CAD in ransom but an order of magnitude more than that for event response advisory services from Deloitte. The cure is worse than the cold.
- Business Email Compromise (total global losses: $3 billion): depending on the size of the target and the sophistication of the scheme, fraud losses are mostly in the $10-$250,000 range (FBI average: ~$65,000). However, very sophisticated scams on large companies can be much, much larger. There are several such rare but extreme outlier BEC scams. In 2016, a European manufacturer (Leoni) was swindled out of €40 million by one email. Ubiquiti Networks lost $47 million in a single wire transfer scam. Outliers aside, the BEC maximum foreseeable loss (MFL) is for most firms probably $250,000 unless the firm’s internal controls on large wire transfers or cheques are virtually non-existent. Insurers routinely deny these as insurance claims.
- Data Breaches (total global losses: $500 billion): for firms with PII (Personal Identifiable Information), PHI (Personal Health Information), and PCI (Payment Card Information), expected loss costs from data breaches are much larger than from the ransom and BEC events. Substantial loss data on data breach loss costs is available, making quantum assessment of data breaches much more interesting.
Data Breach Loss Data: Ponemon
An interesting and widely quoted source of cyber security breaches and data breach losses is the Ponemon Institute’s Cost of Data Breach Study, most recently published in 2016. Here are a few observations from the report which might provide useful perspective:
- The study looked at some 61 data breaches, each of between 5,000 and 100,000 lost or stolen records.
- The average breach involved about 30,000 records and had an average loss cost of about $6 million.
- Hence the average cost per lost or stolen record was calculated by Ponemon to be about $250. (This unit cost has been recorded by Ponemon since 2009 and doesn’t seem to vary by more than +/-15% from year to year).
- The unit record cost varies from breach to breach, but according to Ponemon is not significantly affected by the size of the breach (i.e. whether it is 5,000 or 100,000 records).
- According to the Ponemon report, the breakdown of data breach costs is roughly as follows:
The Post Incident Costs include consulting fees, defence costs, legal liability and identity protection and credit monitoring services to victims. The business loss aspects were estimated indirectly using “churn rate statistics”. For instance, for financial institutions, the churn rate (i.e. the customer attrition rate) was about 7% higher on average after a data breach.
The Ponemon report also measures the frequency of the causes of a data breach, i.e.
The Ponemon data reveals that data breaches that had quick notification and/or used external consultants had higher costs than those without. Counterintuitive, but that’s what the data says.
From its data, Ponemon estimates that the annual probability of a record breach of 5,000 records or more at a financial firm is about 8.5%, as follows.
Ponemon noted that the frequency in financial organizations was lower than some other higher risk sectors, such as public, retail and educational organizations.
Another relatively robust data breach analysis was done by Verizon in 2015. Its cost data is presented graphically below.
As can be derived from the graphs, the Verizon unit costs are very much lower than Ponemon’s:
The Verizon unit costs are considerably lower than Ponemon’s partially because Verizon’s data may understate business interruption loss (recall that Ponemon found that business interruption was more than half of all loss). But the considerable size difference in the two unit costs per data breach is both strange and unexplained.
Identity Theft Resource Center Data
Another source of loss and risk data is the Identity Theft Resource Center, which collects data on data breaches in the US. It recorded 781 data breaches in 2015, with an average number of exposed records of 200,000. This average is almost ten times Ponemon’s and Verizon’s. To be honest, the credibility of the Identity Theft Resource Center is uncertain.
Net Diligence 2016 Cyber Claims Study
And finally, another 2016 study of 176 cyber claims by a number of sponsors (including Symantec, a leading cyber security software firm) added the following perspectives:
- The median cost per breached record was $40 (higher than Ponemon but lower than Verizon).
- The average data breach was about 2 million records, way higher than any of Ponemon, Verizon or Identity Theft (what the dickens is going on?!).
- Crisis services (investigation, notification and monitoring) represented more than 90% of the loss.
- Only 10% of data breaches resulted in any actual lawsuits or liabilities.
Despite what two of the less credible data studies have said about the frequency of mega breaches, there have only been a handful of recorded “mega breaches” (>100,000 exposed records). Here are a few:
The frequency of mega breaches seems to be relatively constant over time, i.e. one a year somewhere in the world, as attack frequency increases but security technology improves.
Liability for Data Breaches
In the US, the majority of courts have dismissed suits for negligent releases of information unless the plaintiff can prove actual damages. There are exceptions to this, for instance a 2004 case involving ChoicePoint and 163,000 exposed records, for which liability of about $60 per record was found even though there was no identity theft. In the 2009 Heartland case (130 million records), $110 million in liability to banks and credit card companies was imposed upon Heartland, but no liability to individuals.
However, if identity theft is established and actual damages are proven, liability for data breach is nevertheless imposed in the US.
In Canada, there are a number of data breach cases where claims have been made and, in a few cases, litigated.
A 2011 $40 million class action suit against Durham Regional Health settled for $500,000 plus allowance for more payments to individuals who could prove actual financial loss.
In a 2014 decision involving the Bank of Nova Scotia (Evans), a class action against the Bank was certified arising out of a release of 643 customers’ information (138 of whom had actually become identity theft victims). Costs were not released but have been estimated by some at less than $1 million.
Other Canadian class actions include:
- Condon v. HRSD Canada (2014): 583,000 student loan files
- Hopkins v. Kay (2014): 280 patient records (based solely on the tort of “intrusion upon seclusion”; no actual identity theft apparently)
- Wong v. TJ Maxx (2006): settled for costs of credit monitoring, identity theft insurance and $30-60 for each class member
- Speevak v. CIBC (2005): reportedly settled for less than $150,000
- Jackson v. Canada (Correctional Services): release of 360 employee records; reportedly settled at about $500,000
- IIROC: release of information on 52,000 investment clients on which $52 million in damages ($1,000 per client) is sought. Thus far IIROC has spent $5.2 million. No fraud or identity theft has been reported, but the case is ongoing.
Obviously the IIROC case stands out as the MFL at somewhere between $5 million (incurred) and $50 million (reserved).
Note that, unlike US courts, some Canadian courts appear willing in some instances to award for liability where no actual financial loss has occurred under the tort of intrusion upon seclusion (maximum $20,000 per person), presumably for psychological and aggravated damages. However, other Canadian courts have declined to award these damages for what they term “mild disruption”.
What are the takeaways on liability?
- An organization that suffers a data breach would almost certainly be liable for any actual fraudulent use of released records and costs to third persons directly associated therewith. Court awards are more or less as predicted by Ponemon/Verizon.
- Liability for released records in the absence of any fraudulent use of them may still be imposed in Canada (intrusion upon seclusion) but outside of credit monitoring costs, this liability is likely to be nominal. For instance, based on losses to date in Canada, the MFL liability loss for a mega breach could be subjectively set at $20 million.
- Interestingly, many US courts have found insurance coverage for data breach liability under a CGL policy (“liability for damage to tangible property not physically injured” or “publication that violates a person’s right of privacy”).
The likelihood that any given organization will actually suffer one of the three types of cyber losses is, of course, uncertain. According to the loss data, that probability will depend primarily upon the following factors:
- size of organization
- business sector
- amount and nature of personal identifiable information (if any)
- cyber security controls (firewalls, procedures, internal controls, anti-virus software, training)
However, even rough estimates of individual likelihoods are difficult from the loss data. From my research and reading, the likelihoods for most firms (other than financial or health care) seem to be in the following probability ranges (note these are not likelihoods of attack, but the likelihood of a successful attack).
Information Overload! What Does It All Mean?
Risk assessment is speculative and can be misleading, particularly if you miss the black swan. That said, what have we learned from all the loss data? Allow me to stick my neck out for you, the average, typical large company (John Doe Corporation). If you are not this company, please make adjustments. If you do not deal in PII, PHI or PCI, ignore the data breach event.
The general order of magnitude of the cyber risks facing John Doe Corporation can be summarized as follows:
There are, of course, more than a few missing metrics in the above table, amongst them the Maximum Foreseeable Loss (MFL) for each of the three events.
For any firm that does not keep PII, PHI or PCI data, the MFLs are likely less than $1 million. For a firm with PII, the MFL is almost certainly based on a data breach.
How many PII records can be stolen in a single attack? If one can develop a worst case estimate for that, one can estimate the data breach MFL for insurance purposes.
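As an added example (not from the original article), here is a small frequency-severity model in Python that puts the Ponemon figures quoted earlier (8.5% annual probability of a 5,000+ record breach at a financial firm, breaches of 5,000 to 100,000 records, about $250 per record, varying roughly +/-15%) next to the MFL question this section ends on. It shows the gap between an expected annual loss and the worst-case figure an insurer would reserve for. The uniform distribution of record counts, the application of the +/-15% spread per event rather than per year, the 99th-percentile summary and the fixed seed are my assumptions.

```python
import random
import statistics

# Figures quoted from the Ponemon section above; the rest is modelling assumption.
ANNUAL_BREACH_PROB = 0.085   # Ponemon: yearly chance of a 5,000+ record breach, financial firm
RECORDS_MIN, RECORDS_MAX = 5_000, 100_000   # Ponemon: size band of the breaches studied
UNIT_COST = 250.0            # Ponemon: average cost per lost or stolen record, USD
UNIT_COST_SPREAD = 0.15      # Ponemon: about +/-15% variation; applied per event here (assumption)

def analytic_expected_annual_loss(p=ANNUAL_BREACH_PROB, lo=RECORDS_MIN,
                                  hi=RECORDS_MAX, unit=UNIT_COST):
    """Frequency x mean severity, record count uniform on [lo, hi] (assumption)."""
    return p * (lo + hi) / 2 * unit

def maximum_foreseeable_loss(worst_case_records, unit=UNIT_COST, spread=UNIT_COST_SPREAD):
    """MFL: the worst-case record count (the per-firm estimate the article asks
    for) priced at the top of the unit-cost range."""
    return worst_case_records * unit * (1 + spread)

def simulate_annual_losses(years=50_000, seed=1, p=ANNUAL_BREACH_PROB, lo=RECORDS_MIN,
                           hi=RECORDS_MAX, unit=UNIT_COST, spread=UNIT_COST_SPREAD):
    """One loss figure per simulated year: zero when no breach occurs, otherwise
    records x unit cost with both drawn at random. Fixed seed for reproducibility."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        if rng.random() >= p:            # no qualifying breach this year
            losses.append(0.0)
            continue
        records = rng.randint(lo, hi)
        per_record = unit * (1 + rng.uniform(-spread, spread))
        losses.append(records * per_record)
    return losses

def summarize(losses):
    """Expected annual loss, a tail percentile and the worst simulated year;
    the gap between the first and the last is the point of the exercise."""
    ordered = sorted(losses)
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p99": ordered[int(0.99 * (len(ordered) - 1))],
        "worst": ordered[-1],
        "breach_years": sum(1 for x in losses if x > 0),
    }

if __name__ == "__main__":
    for key, value in summarize(simulate_annual_losses()).items():
        print(f"{key}: {value:,.0f}")
    print(f"MFL at {RECORDS_MAX:,} records: {maximum_foreseeable_loss(RECORDS_MAX):,.0f}")
```

Swapping in the Net Diligence median of $40 per record, or a larger worst-case record count for a firm holding more PII, shows how sensitive both the expected loss and the MFL are to the unit-cost study one chooses to believe.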