Information Security and Cyber Insurance have a direct correlation

Key Findings of the Ponemon-2015 Data Breach Study…3
(In continuation of the earlier article..)

The IBM-sponsored Ponemon Institute study of data breach cost across 11 countries, released recently, has brought out several interesting aspects that are relevant to the Information Security and Cyber Insurance industries. The key findings are presented here from the Indian perspective.

In the earlier articles we observed that the average cost of a data breach in India is Rs 3640 per record, the average number of records lost per incident was around 18983 and the average gross loss per organization was Rs 9.49 crores.

We had also seen the industry wise distribution of losses and the factors that decrease or increase the loss.

In this article we shall explore the results of the study on components of cost and other issues.

The study identifies four important components of the cost of a data breach. They are:

a) Cost of Detection and Escalation
b) Cost of Notification
c) Cost of Ex-Post response
d) Cost of lost business.

The biggest component of the cost of a data breach is the value of "Lost Business", estimated at an average of $1.57 million. The next biggest component is the Ex-Post response at $1.07 million, followed by the cost of detection and escalation at $0.99 million and notification costs at $0.17 million. In percentage terms, the four components, taken in the order listed above (a to d), constitute 26%, 4%, 28% and 41% respectively.

In the Indian context, where the average loss is Rs 9.49 crores, these components suggest that the loss of business amounts to Rs 3.8 crores, Ex-Post expense to Rs 2.6 crores, cost of detection and escalation to Rs 2.46 crores and cost of notification to Rs 38 lakhs.

The study therefore clearly indicates that an organization hit by a data breach incident may expect a significant loss of business.

On the probability of a data breach, the study tries to throw some light on how the probability may increase or decrease with the availability or otherwise of comprehensive information security measures. It comes to the conclusion that large scale data breach incidents can be significantly reduced with good BCM measures.

While it may be debated whether some of the statistics can be applied directly to the Indian context, we can say that the study is one of the best available indicators of the financial risks that an organization may face on account of a data breach. This is extremely significant to the India Cyber Insurance Survey 2015 that is being undertaken.

The Ponemon study indicates that there is a good inverse correlation between Information Security and data breach loss: the better the information security, the lower the cost. This should be reflected in the cost of insurance in the same manner: the better the information security, the lower the insurance cost should be. Whether such a correlation actually exists in practice when Indian companies underwrite cyber insurance is what the Cyber Insurance study may reveal.

However, what is clear in the Ponemon study is that the Information Security Industry has a high stake in the Cyber Insurance industry.

Unfortunately, this aspect does not seem to have been fully appreciated either by company managements or by information security professionals. Both seem to think that Cyber Insurance decisions are taken by the Finance department; Information Security professionals are often not part of the decision making process and hence do not influence the decisions regarding insurability or fixation of premium. Probably the India Cyber Insurance study will throw some light on who is normally involved in the decision making process when a company is contemplating a Cyber Insurance cover.

Naavi

Copy of the Report


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.