Key Findings of the Ponemon-2015 Data Breach Study-1
The 2015 IBM-sponsored benchmark study by Ponemon Institute LLC on the cost of a data breach has now been published and makes some interesting observations, which we summarise below.
The findings of the previous (2013) study were discussed on this site earlier, and the current study helps us track the changes.
The 2015 Ponemon study collects data across 11 different countries over a period of 10 months. Around 350 companies participated in the study, and India was part of it. To be more relevant to Indian readers, we have tried to present most of the data in INR terms, using Rs 65 per US dollar as the conversion rate.
In the context that the undersigned, along with a few other IS professionals, has undertaken an “India Cyber Insurance Study”, the findings of this data breach cost study are extremely useful.
What is the cost of Data Breach?
The first parameter to observe is the cost of a data breach, both per record and per organization on average. The consolidated average cost of a breach per data record was $154, or Rs 10,000. However, there was a significant difference from country to country in this respect. While the per-record cost in the US was $217, in Germany it was $211 and in Canada it was $207.
In India, on the other hand, the per-record cost was only $56, or Rs 3,640.
It is obvious that in India, where data owners do not have proper legal options to pursue data-breach-related losses, and where culturally we do not value privacy as much as in the West, Indian companies may carry a lighter burden of data breach losses. This is not an indication that India has better information security, nor that cyber attacks here are fewer.
It can be observed that the per-record data breach loss in India has increased from Rs 2,405 ($37) in FY 2013 to Rs 3,315 ($51) in 2014 and to Rs 3,640 ($56) in 2015. This represents a near 50% increase over the two-year period from 2013 to 2015 and a 10% increase in the last year.
The total organizational cost of a data breach, on the other hand, averaged $3.79 million on a global scale. Here too the US topped the list with a loss of $6.53 million, while in India the loss was $1.46 million (Rs 9.49 crores).
In India the total organizational loss was Rs 6.5 crores ($1 million) in 2013 and Rs 8.9 crores in 2014, and it has now grown to Rs 9.49 crores.
The average number of data records lost per breach was around 28,000 in the US and around 18,983 in India.
Implications for Cyber Insurance: The Problem of Under-Insurance
In the cyber insurance context, the findings of the Ponemon study indicate that:
a) Companies in India are exposed to the risk of loss on account of a data breach to the extent of Rs 10 crores on average.
b) The per-record cost which a cyber insurance policy should cover is around Rs 3,640.
c) The cyber insurance cover which an organization should aim for is therefore the number of data records multiplied by the expected average loss per record on account of a breach. This will be the “insurable value of the data”.
The availability of data such as that published by Ponemon introduces an element of uncertainty for companies which take cyber insurance, unless they properly clarify the terms of the insurance with the insurance company.
If an organization fails to value its data assets properly at the time of obtaining the insurance, and fails to get a confirmation of that value from the insurance company, the insurer may raise a charge of under-insurance.
For example, if an organization insures for less than the estimated value of the asset insured, this amounts to “under-insurance”, and in the event of a loss it would be covered only for a proportionate share of the loss.
To be more specific, if an organization has 1 lakh data records, the insurable value would be Rs 36.40 crores. If it takes insurance of, say, Rs 10 crores (30%), it would be considered a co-insurer for the balance of the insurable value. Hence, if this company suffers a loss of, say, Rs 1 crore, the insurance company may cover only 30% of the loss and pay out Rs 30 lakhs.
The premium charged should therefore be calculated on this expectation, and not on the expectation that the entire loss of Rs 1 crore would be covered.
It is therefore necessary for the insured and the insurer to define and record how the data assets will be valued, insured and claims settled.
Perhaps a clarification is required from the cyber insurance industry in India in this regard... (To be continued)
Naavi