2019 Cyber Liability Landscape
2018 picked up where 2017 left off in terms of data breaches. Despite the number of reported data breaches decreasing (1,232 from 1,597), the number of overall records exposed increased 133% in 2018.
2018 Facts & Figures:
- $3.86 million – average cost of a data breach
- Average time to identify a breach: 197 days
- 27% – Average increase in cost of cyber crime in 2018
- $4 billion – current cost of the Equifax data breach
- 7 out of 10 organizations say their risk increased significantly in 2018
- Three largest data breaches of 2018:
> Marriot International – $500M
> Exactis – $340M
> Under Armour – $150M
What to Watch for in 2019:
- Ransomware continues to be the leading cause of data breaches in 2019. This year will see an estimated $11.5B in ransomware costs alone. However, the average cost of each attack is projected to decrease as criminals target volume in lieu of larger dollar amounts. Regulators and data breach professionals continue to struggle with determining if information encrypted in a ransomware attack constitutes an actual breach.
- Cryptojacking is emerging as one of the top cyber threats of 2019. Criminals aim to monetize data breaches by taking over computing power in order to mine valuable cryptocurrency like bitcoins. New IT detection tools will be necessary to monitor decreases in computing performance across multiple devices and platforms.
- Malware threats evolve as cyber criminals exploit vulnerabilities across various software platforms. As organizations diversify the software they use to conduct business, their vulnerability to malware increases. Malware puts steadily swelling pressure on the budgets and staffing of internal and external IT security teams.
- Increased regulatory scrutiny surrounding data breaches continues throughout 2019. The Office of Civil Rights (predominately under HIPAA Law) and the Federal Trade Commission are demonstrating federal authority in their respective divisions. Meanwhile, states are taking up the task of rewriting data breach laws to be more in line with the European Union General Data Protection Regulation (GDPR) and 2020 California Consumer Privacy Act (CCPA) legislation. Better armed with authority granted by their state laws, state attorney generals will be diligent in investigations and in exercising fines.
- The cyber liability market is responding to discord on whether a breach should be covered as peril or through a standalone insurance policy. Modifications to policy forms are under ongoing consideration to tackle gray areas like terrorism and physical hardware loss.
- The cyber liability market remains competitive with capacity increasing in excess of $600M. Renewal pricing is stable (between -5% and +3%) with an added underwriting emphasis on IT security controls and incident response. Low hazard industries (i.e., construction, manufacturing, etc.) are experiencing a very competitive market with below average pricing.
- Insurers and security professionals place ongoing emphasis on the need to create and maintain an IRP plan. An active Incident Response Plan (IRP) can reduce cyber losses by up to 20%, but 77% of organizations indicate that they do not have one in place. Timely incident response is critical in data breach remediation.