Appoint a CISO and save Rs 67 Lakhs !

Key Findings of the Ponemon-2015 Data Breach Study…2
(In continuation of the earlier article..)

The IBM sponsored Ponemon Institute’s study of Data Breach Cost across 11 countries, released recently has brought out several interesting aspects that are relevant to Information Security and Cyber Insurance industry. The key findings are being presented here from the Indian perspective.

In the earlier article we had observed that the average cost of data breach in India is Rs 3640 per record, the average number of data lost per incident was around 18983 and average gross loss per organization was Rs 9.49 crores.

In this article we shall explore the results of the study on the industry wise distribution of data breach loss.

Health Sector Suffers the highest loss:

The highest loss was suffered in the Health Sector industry, where the average loss was $363 million. This was followed by Education at $300 million, Pharmaceuticals at $220 million, Financial at $25 million, Communications at $179 million and Retail at $165 million. The Technology industry suffered a loss of $127 million.

It may be observed that health care and pharmaceuticals, which are well regulated under laws such as HIPAA, have recorded the highest loss. This only indicates that the regulation has created greater awareness, which has led to more claims being made. What is surprising is that the Financial industry has shown a relatively lower level of loss compared to the health sector. This perhaps indicates the positive impact of better information security management.

Root causes for data breach:

An analysis of the root causes of data breach indicates that 47% of the data breach incidents occurred due to malicious or criminal attack, while 29% were due to system glitches and 25% due to human error.

In terms of the losses, malicious attacks resulted in an average loss of $170 per record, while a system glitch cost $142 and human error $137 per record.

What corporates need to understand from this observation is that there are attackers targeting them with malicious intentions, and there is no room for complacency. Also, losses in 43% of cases due to system glitches and human error are a matter of concern for the management, since these are considered “avoidable”. In other words, this loss can to some extent be attributed to the “negligence” of the companies themselves.

Speaking specifically in terms of India, the cost on account of malicious attacks was Rs 4615 ($71) per record, while on system glitches it was Rs 2925 ($45) and on human error it was Rs 3185 ($49). These constituted 38%, 30% and 32% of incidents respectively.

Factors that impact the data breach cost

The study indicates that the following factors may have a positive impact and reduce the data breach cost per record.

i) Incident Response Team: $12.6
ii) Use of Encryption: $12.0
iii) Employee training: $8.0
iv) BCM involvement: $7.1
v) CISO appointment: $5.6
vi) Board level involvement: $5.5
vii) Insurance Protection: $4.4

The study also indicates that losses increase on account of the following factors.

i) Third-party involvement: $16
ii) Lost or stolen devices: $9.0
iii) Rush to notify: $8.9
iv) Consultants engaged: $4.5

Impact on Cyber Insurance

The observations recorded in the study may impact the Cyber Insurance Industry in India in the following manner.

a) Industries such as  may be charged a higher premium than other industries.
b) Losses on account of human errors and system glitches could be scrutinized in a forensic analysis and rejected if any negligence is found in the investigation.
c) Companies which have taken special measures to reduce human error through demonstrably effective training may get a rebate measured against the expenses incurred for training.
d) Outsourcing of operations may increase the cost of insurance.

P.S: An interesting offshoot of the study is an indication that appointment of a CISO reduces the organizational cost of data breach by an average of Rs 67 lakhs. Maybe this is an indication of the remuneration package an average CISO should enjoy? …

(..to be continued)

Naavi

Copy of the Report


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
