Data indicates that large-scale data breaches in 2015 alone resulted in the exposure of approximately 429 million personal records. However, these estimates are too low because many data breaches are not reported. In fact, the “real number” of exposed personal records is estimated to exceed half a billion. While the reasons for not reporting a data breach have been understood for some time (e.g. reputational harm), how the underreporting of cyber incidents impacts cyber security and cyber insurance is only just starting to be discussed.
Reporting Cyber Incidents May Be Hazardous to Your Career
There is little dispute that disclosing cyber security incidents can be detrimental to the discloser. Target’s CEO resigned in 2014 after the company suffered its historic data breach. The CEO of the adult website Ashley Madison was forced into early retirement after his company was hacked and the personal information of its users was exposed. In short, regardless of whether it is justified, the tendency to point the finger at the CEO after a data breach does not encourage CEOs to report cyber security incidents.
The Evidence Shows Cyber Incidents are Underreported
The report, “How Many Cyber-Heists go unreported?,” published in IT-Online, provides further evidence that a large number of cyber security incidents are not being reported. The report finds:
[t]he problem is that we don’t have transparency; few cyber heists are reported. Only the biggest data breaches capture enough attention to make headlines. The rest get to suffer quietly away from the public eye. We just don’t get to the facts, or the admissions, from banks.
The report is based on statements from cyber security specialists that financial institutions “do not want to let the public know about any security breaches” because “[i]t can have a profound impact on their reputations.” In essence, the report finds “there is little information for cyber journalists to work with to adequately report on these occurrences.” The report concludes that, without information about breaches and the methods hackers currently use, cyber security measures are stunted because cyber security professionals cannot study those methods.
The recent Symantec report, Internet Security Report 2016, echoes this finding:
The fact that companies are increasingly choosing to hold back critical details after a breach is a disturbing trend. Transparency is critical to security. While numerous data sharing initiatives are underway in the security industry, helping us all improve our security products and postures, some of this data is getting harder to collect.
Other reports concerning the underreporting of cyber incidents indicate that many cyber security incidents may be deliberately withheld from the public:
…just under a fifth (19%) said they do have [formal processes in place to notify data protection authorities (within 72 hours) and the public] but deliberately avoid telling their customers. This percentage grows in industries such as financial services (22%), large businesses (33%), and construction and engineering companies (50%).
Underreporting of Cyber Security Breaches Directly Impacts Cyber Insurance
Underreporting cyber security incidents makes determining the value of cyber insurance difficult for both insurers and insureds. From an insurer’s standpoint, it cannot offer a useful cyber insurance product without information on fundamental issues such as the number of breaches, the number of victims, hackers’ successes and failures, the types of targets, and the methods used to attack those targets. Insurers also cannot properly assess the risk of their cyber insurance products without proper data. When only the largest cyber security incidents are reported, insurers cannot determine what types of businesses are being targeted by hackers and adjust premiums according to that risk.
From an insured’s standpoint, a company may question the need for cyber insurance, or may buy less coverage than is recommended, if it is already considering not reporting a cyber incident in the first place. The value of cyber insurance is undercut if a company enters the cyber insurance market knowing that, merely to avoid negative publicity or reputational harm, it will most likely not make a claim on its policy even if it suffers a breach.
At present, insurers and insureds must approach the cyber insurance marketplace with the understanding that a number of cyber events never receive publicity. Hopefully, in the near future, underreporting of cyber security issues will become less of a problem as people accept cyber incidents as a cost of doing business.