We've all read or heard about the many data breaches and cyber “incidents” in the news, including Sony, the U.S. government's Office of Personnel Management, and several airlines. To put those data breaches—a more accurate term than cyber attacks—in perspective, Tim Francis, Enterprise Cyber Lead at Travelers, provided an overview of the threat landscape at a recent cyber media event in Washington, D.C. He explained that according to the Symantec Internet Security Report, there are 34,529 known computer security penetration incidents per day. Not all the incidents result in the theft of personally identifiable information but the huge numbers are troublesome.

The panel, moderated by Joan K. Woodward, president of Travelers Institute and executive vice president of public policy, also included

  • Tom Finan, senior cybersecurity strategist and counsel, U.S. Department of Homeland Security
  • Chris Hauser, 2nd vice president for cyber fraud at Travelers Investigative Services and former FBI agent responsible for cyber investigations
  • John Mullen, a managing partner at Lewis Brisbois Bisgaard & Smith and chair of its U.S. data privacy and network security practice
  • Melanie Dougherty-Thomas, managing director of crisis communications management at Inform

The panelists agreed that small to mid-sized businesses are the most vulnerable, and one successful attack can shut those businesses down completely. But what types of claims are the most common and what do they really cost?

Travelers' cybersecurity experts have developed common cyber claims scenarios across five industries, as shown in the following pages. The costs add up quickly, often reaching more than $1 million.


1. Hack in the retail industry

Company Profile: A local retailer, $30 million in revenue

A credit card company identified 50,000 credit cards that were used legitimately at a retailer and then were subsequently compromised. The retailer also needed to hire a law firm to serve as counsel and breach coach. Costs included required notifications to the 50,000 victims as well as on-going credit monitoring. As a result of this incident a class action lawsuit was filed.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs for this event for the retailer could be:

  • Incident Investigation Costs: $158,000
  • Customer Notification and Crisis Management Costs: $920,000
  • Class Action Lawsuit Costs: $689,000
  • PCI Related Costs: $783,000
  • Total Costs: $2,550,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $5,920,000 for a business.

  • Lost Business Costs: $3,720,000
  • Post Breach Costs: $1,640,000
  • Notification Costs: $560,000

Risk Management Tips:

  • Maintain and frequently review compliance obligations under the Payment Card Industry (PCI) Agreement.
  • Consider implementing end-to-end encryption of credit card transactions.
  • Employ a chief information security officer (CISO) to develop and implement your business-wide data privacy procedures.

Editor's Note: The NetDiligence® Data Breach Cost Calculator and other tools are available to insurers on the Travelers' eRisk Hub®. eRisk Hub is a registered trademark of NetDiligence.


2. Hack in the healthcare industry

Company Profile: A nonprofit hospital, $100 million in annual revenue

An employed physician of the hospital accidentally left his hospital-issued laptop on a train. The laptop contained an unencrypted database of current patient records that included protected health information with the name, Social Security number, credit card, insurance ID and limited medical information of 550 patients. The data stored on that laptop was completely unsecured as it did not contain remote take-down capabilities nor was it password protected.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs of the 550 lost records for the Nonprofit Hospital could be:

  • Incident Investigation Costs: $180,000
  • Customer Notification and Crisis Management Costs: $34,000
  • Fines & Penalties: $167,000
  • Total Costs: $381,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type impacts 28,000 records, driving the average cost to a business to $3,149,000.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Regulatory Costs: $1,979,000

Risk Management Tips:

  • Implement procedures for using effective passwords and mandate periodic changes.
  • Consider implementing security measures including encrypting protected health information (PHI) that may be stored on the laptops and having remote disabling capabilities.
  • Consider storing PHI on a central server and accessing the information via a secure connection.


3. Hack in the financial industry

Company Profile: A community bank, $350 million in assets

Computer hackers commenced a distributed denial-of-service (DDoS) attack on the bank's website as a smoke screen to hack into its network. This malicious attack shut down the bank's online banking for three days.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs for this event for the Community Bank could be:

  • Incident Investigation Costs: $192,000
  • Customer Notification and Crisis Management Costs: $475,000
  • Fines & Penalties: $132,000
  • Total Costs:* $799,000

*Not including the loss of business income the bank suffered during the attack.

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $2,810,000 for a business.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Post Breach Costs: $1,640,000

Risk Management Tips:

  • Create, implement and test a business continuity plan and disaster recovery plan.
  • Implement an intrusion detection system on your network.
  • Have a secondary system available for online access, and ensure this system is regularly tested for functionality.


4. Hack in the technology industry

Company Profile: Software as a service (SaaS) provider of human resources and membership management software for gymnasiums countrywide

An employee opened up a phishing e-mail that infiltrated the company's centralized network. Anti-virus software failed to keep out the malicious code, exposing names, addresses, dates of birth, Social Security numbers and financial information, such as credit card and bank account numbers. A computer forensics investigator was hired, who determined that personally identifiable information had been compromised. This included information related to the customers' employees as well as the company's own employees.

According to the NetDiligence® Data Breach Cost Calculator* the estimated costs for this event for the software service provider could be:

  • Incident Investigation Costs: $291,000
  • Customer Notification and Crisis Management Costs: $504,000
  • Fines & Penalties: $550,000
  • Total Costs: $1,345,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $2,810,000 for a business.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Post Breach Costs: $1,640,000

Risk Management Tips:

  • Implement vendor security into your Information Security policies and procedures.
  • Add provisions that address cybersecurity into your vendor contracts.
  • Practice cyber-attack response drills with your vendors.


5. Hack in the manufacturing industry

Company Profile: A manufacturer with 400 employees

The Internal Revenue Service discovered that hundreds of fraudulent tax returns were filed on behalf of employees that work for the same manufacturing company. They notified the FBI, and the FBI alerted the manufacturer. The investigation determined that the personnel files of 298 past and current employees had been accessed.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs of the 298 lost records for the manufacturer could be:

  • Incident Investigation Costs: $180,000
  • Customer Notification and Crisis Management Costs: $29,000
  • Fines & Penalties: $6,000
  • Total Costs: $215,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type impacts 28,000 records, driving the average cost to a business to $1,728,000.

  • Detection Costs: $610,000
  • Notification Costs: $560,000
  • Legal Settlement Costs: $558,000

Risk Management Tips:

  • Establish an information retention policy and include guidance on what types of information should be retained, how long it should be retained and procedures for destruction of unneeded data.
  • Establish new hire training and regularly scheduled refresher training courses in order to instill the data security culture of your organization.
  • Create, implement and test an incident response plan.

As Tim Francis likes to remind business owners and risk managers, all businesses are vulnerable: “It's not a matter of if, but when.” Be sure to review your insurance coverage with your agent, broker or carrier to understand what cyber coverage you have and what you might need.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.