Ask anyone who’s been hacked and they’ll tell you: Cyber claims are expensive. In the advisory space, overall costs regularly exceed $250 per exposed record. With the volume of records involved, these costs quickly add up. Many claims cost over $1 million today.
But many professionals still wonder where all these costs come from. What makes hacks, data breaches and other cyber claims cost so much? The answer is that it’s a lot of things.
Like many challenges firms face, cyber claims are complex. Initially, the primary concern may be damaged computer systems. But soon, a hacked firm’s liability to third parties becomes a concern. Law firms, technical experts and PR professionals enter the picture, and the costs begin to add up.
This article offers a look at what some of those costs might be. For this example, we’ll use a hypothetical claim that costs $1 million. Here’s why such a claim might cost so much today.
Cyber Forensic Analysis
When a cyber incident occurs there are a few immediate things that have to happen. You and the team of experts around you must figure out exactly what happened, stop it from happening, figure out how it happened and then make changes so that it can’t happen again.
There are different names for this process, but usually this work falls under the term of forensic analysis. Cyber incidents are always technical, so it takes highly trained experts to answer these questions. Plus, there’s high demand for their expertise due to a high volume of hacks.
All told, if you were to experience a cyber incident costing your firm $1 million, you could expect the cost of figuring out what happened to be 16% or more of the total claim ($160,000 in a $1 million claim). That’s according to an 11-year study of data by the Ponemon Institute, now part of IBM, released a few years back.
A more recent study conducted by Ponemon put the number even higher. The IBM Ponemon 2023 report uses a consolidated initial-event category that includes more categories of costs lumped together. These costs add up to $1.58 million out of a study incident total of $4.45 million, or over 35% of the entire cyber incident’s expense.
Other Cyber Consulting Services
A response to a cyber incident will start with the technical team inside your firm, or those you regularly contract with for computer management. But when a serious event happens, outside experts are usually brought in.
These services can include cyber audits, monitoring and other consulting services. The point is usually to look closely at how your systems are set up and offer recommendations to mitigate the ongoing risks.
Continuing with our $1 million cyber claim, it’s possible these costs alone could total $40,000 or more, according to Ponemon’s 11-year study.
Incident Communications
A cyber incident can raise many questions, and not just inside your firm. Partners, vendors, clients, government regulators and the public at large can have questions about a significant cyber event. Part of the cost of dealing with an incident involves addressing these concerns.
Some internal resources are usually diverted to manning the phones. But proactive communications about what has happened are also needed. A public relations firm is also usually involved to make sure the appropriate information is shared in the best way.
Ponemon reported inbound and outbound communications each account for about 4% of the total incident costs, while PR can consume another 1%. For a $1 million claim, that comes out to about $90,000. Yet another study by NetDiligence found that just notifying clients that an incident had occurred cost an average of about $53,000.
Legal Services
Incurring unexpected legal expenses is one of the most common outcomes of a cyber incident, reported by 59% of companies surveyed by Kroll. Lawyers are needed, not for their computer know-how, but to ensure an organization takes the right steps following an incident.
Legal services can be a significant cost upfront, because a legal mistake can be more costly down the road. Experts are needed to review contracts and communications, advise companies on their legal obligations and assist in mounting a defense if a civil suit or regulatory action arises from the cyber event.
According to Ponemon, legal services may account for as much as a fifth of the cost of a claim. That would be $200,000 in our hypothetical $1 million claim example.
Discounts and Incentives
Some consequences of a cyber incident are less obvious than others. Take the need to repair client and customer relationships damaged by the incident. After a cyber attack, many companies will offer either discounts or other incentives in an attempt to bring back lost business or show appreciation for client and customer loyalty.
The benefit offered varies from business to business. Some may offer a discount for orders delayed by the cyber incident. Others may offer discounts or incentives on new business. The rollout of added or enhanced services may also be offered.
These initiatives create hidden business expenses that can add to the true cost of a cyber claim. In Ponemon’s long-term study, the costs ranged from 1% to 2% of the total claim. In our $1 million claim, this amounts to $10,000 to $20,000, a not insignificant added expense.
Identity Theft Protection
Another common cost incurred after a cyber incident involves fees for identity theft protection. Many cyber incidents result in the exposure or theft of personally identifiable information of the business’s clients, customers or employees. If those individuals then sustain financial damages on account of the hack, the business may be held liable.
Third-party vendors typically offer identity theft protection services that may be able to prevent such losses from occurring, or include insurance coverage to make victims whole if there is a loss.
The cost to provide such services as a benefit to hundreds or thousands of clients, customers or employees can be substantial. Businesses told Ponemon researchers that these costs typically amounted to about 2% of the cost of their cyber claim, which would account for about $20,000 of a $1 million claim.
Lost Business
When a cyber event happens, it can impact a business greatly. New initiatives are put on hold, current projects are delayed, existing business relationships suffer and potential clients and customers consider other options. Such challenges can impact a company’s bottom line and lead to big losses.
The Ponemon Institute tracked these costs for 11 years and came to a startling conclusion. Lost business is one of the largest expenses firms dealing with a cyber incident have to contend with. Not only that, but the size of its financial impact remained quite consistent over the course of a decade.
If included as part of the whole cost of a cyber event, lost business can amount to perhaps 40% of the cost. For a $1 million claim, this would be a sum of approximately $400,000, a very significant loss for many businesses. In a broader context, a survey by Fastly found businesses impacted by a cyber attack lost almost 10% of their annual revenue as a direct result of the incident.
Ransom Payments
Cyber incidents come in all shapes and sizes and can range from minor intrusions by hacker hobbyists all the way to system takedowns by state-level actors. Between these extremes are ransomware attacks, one of the most popular types of incidents now reported.
Ransomware attacks involve the installation of malicious software on a computer or network to lock up its files and display a screen with instructions for paying a ransom to regain access to the files. Paying the ransom offers no guarantee the files will be returned, and many attacks now end with the data being publicly exposed.
If you decide to pay a cyber criminal a ransom, even though many experts recommend you don’t, you may have quite a bill. NetDiligence reported the average ransom in 2022 was $555,000 for small- to mid-sized businesses hit by ransomware, while the price was around $2.3 million for larger businesses.
Other Costs
The fallout of a cyber incident can be wide-ranging. Not all firms will have all the same expenses, and the cost of an expense impacting one company may be more or less than it is for another. These costs can be difficult to quantify before an incident happens.
A report from Deloitte found that the expense of such hidden costs can often be greater than direct incident expenses. Costs such as loss of intellectual property, devalued trade names, lost contracts, increased borrowing costs and insurance premium increases were cited.
Protecting Your Firm
Today, cyber claim costs continue to grow. With the many expenses involved, it doesn’t take long for a claim to reach or exceed $1 million. To protect yourself, it’s really important to have the right kind of insurance. A dedicated cyber policy is a must.
Lockton Affinity Advisor Cyber Liability coverage addresses many of the deficiencies in the current marketplace, where sparse coverage, hidden fees and no available coverage are common.
Coverage provides protection against mistakes, breaches, hacks and more. Cyber Liability Insurance is available to add to your Lockton Affinity Advisor E&O policy for better protection and better peace of mind.
Learn more about how our coverage meets ERISA standards, including services performed as an ERISA 3(21) and 3(38) advisor, at LocktonAffinityAdvisor.com.