Banks are on the hook for millions in the wake of data breaches, according to a study on cyber insurance the Ponemon Institute released Wednesday.
The survey — which is broad and covers industries outside of financial services — outlines some of tremors banks could feel after being victimized by digital thieves.
In all, 56% of surveyed companies suffered data breaches in the past 24 months. The average cost of these incidents was $9.4 million. That’s a significant amount of money per incident, but it pales against the perception companies have about their potential exposure. Among the 638 businesses that took part in the survey, respondents on average estimated that they could lose upwards of $163 million in such incidents.
"The whole idea of data protection and security in the financial services universe is different" than in other industries, says Larry Ponemon, chairman and founder of the Ponemon Institute, who conducted the study for Experian. "It's more painful when people bring down your system and take over your accounts and maybe even steal money. A lot of financial services organizations realize that having a policy in place may be a good thing."
He is referring to the concept of cyber insurance, which can help banks deal with potential legal and communications expenses in the aftermath of a breach.
The idea is more than 15 years old, Ponemon says, but has only really taken hold in the past several years.
"For a long time, it was more theoretical. You could always go to a Lloyd's of London and find a policy, but in the last four or five years we have really started to see more interest in this," he says.
He adds that roughly 31% of the companies surveyed already had cyber insurance and about 39% of those businesses are considering the service.
There are, however, still skeptics among those that were surveyed. Thirty percent noted they do not plan on purchasing cyber insurance. Those without a policy noted that price is a roadblock for purchasing. Respondents also said that policy conditions that include excessive exclusions, restrictions and uninsurable risks inhibit their organization from purchasing a policy.
However, for banks, the insurance seems indispensable, especially given the risks.
Regions Bank was a recent victim of cyberattackers; its website went down and customers' debit card service was interrupted.
"The real insight out of this survey, for me, is the fact that cyber security risk ranked greater than or equal to natural disasters," says Michael Bruemmer, a vice president at Experian Data Breach Resolution. "People are starting to get it when it comes to cyber security."