VestNexus.com


Cyber breach expenses rise due to recovery costs

PHILADELPHIA – Cyber incidents are becoming more expensive due to higher recovery costs, experts say.

Increased regulatory scrutiny also adds costs as regulators seek more detailed information regarding cyber incidents, they said while discussing the 2024 NetDiligence Cyber Claims Study at the cybersecurity organization’s annual conference in Philadelphia.

The study is based on a statistical analysis of about 10,500 claims between 2019 and 2023. 98% of the claims submitted for the study came from small and medium-sized enterprises.

The average claims cost ballooned from $211,000 in 2019 to a “pretty staggering” $636,000 in 2022, said Alyssa Watzman, a Denver-based partner and vice chair of the cyber team at law firm Constangy, Brooks, Smith & Prophete LLP.

The complex nature of each policyholder’s system is “requiring a lot of time and attention from various vendors,” including forensics and restoration services, which adds to costs, said Jaime Palumbo, New York-based vice president, claims, for Corvus Insurance, a unit of Travelers Cos. Inc.

Obtaining quotes from multiple response vendors can help manage escalating costs, said Diane Fazzolari, New York-based senior claims specialist, cyber, technology and media claims, at Axa XL, a unit of Axa SA.

“What we’re trying to do is match the vendor to the claim,” she said.

Increased attention from regulators is also adding legal fees and other costs as organizations are pressed for more information about cyber incidents, said Carolyn Purwin Ryan, Philadelphia-based partner at Mullen Coughlin LLC.

“The regulators are getting out there, and they’re asking a lot more substantive questions,” she said.

“We’ve seen a huge increase in data mining cost,” said Katherine Heaton, Denver-based claims focus group leader – cyber services and information security claims at Beazley PLC. The increase is partly driven by regulators’ questions about organizations’ cyber procedures.

“You can’t just always do blanket notices,” she said.