Skip to main content

Reported costs of cyberattacks are ‘tip of the iceberg’

By Scott Pidduck
Senior Underwriter - Professional Lines And Cyber

In a feature story with Insurance Business America, Cyber Underwriter Scott Pidduck explains that when it comes to cyber events, the costs reported in the media are just the tip of the iceberg.

The mass media only reports the tip of the iceberg when it comes to cyberattacks. The real cost of a cyber claim remains drastically underreported, according to Scott Pidduck, senior underwriter at QBE Insurance Group.

If a small to mid-sized company is exposed to a ransomware attack and is asked to cough up an extortion rate of $30,000, most companies would consider that a soft event. A $30,000 hit wouldn’t have a significant impact on the balance sheet of many well-established companies.

“What they don’t see are the hidden costs of a cyberattack, such as the forensic investigation, payment of lawyers to go through notification provisions, communication of the attack, the reputational harm and so forth,” Pidduck told Insurance Business.

“A $40,000 loss in the mainstream press could actually include $800,000 in unknown costs. Not many people are seeing that quantification directly, and it’s not until they get close to their insurers and their brokers that they’re starting to understand what they’re missing in the media.”

One of the main stumbling blocks to cyber insurance is that lots of companies think they’re immune. On average, a company spends about 8-12% of its IT budget on cyber security. That might sound like a significant amount, but not when you compare it to a hacker’s 100% commitment to the cyberattack cause.

“A company might focus 12% of their attention on cyber security but a hacker is going to spend 100% of its time and effort trying to disrupt that – so who’s going to win? If a cyber criminal really wants to get in, they’re going to get in,” said Pidduck.

“Insurers and brokers need to be proactive and collaborate as much as possible to educate clients about cyber security and the true costs of a cyber event. Brokers can reach out to forensics teams and speak to other people in the cyber security industry in order to better educate their clients.”

Insurance brokers should do their best to educate clients and stay on top of developing cyber risk as the courts become more interested in the market, according to Pidduck.

Cyber insurance is a new age market. It has become mainstream and the courts are starting to take that into account. Cyber insurance should be top of mind for brokers offering corporate solutions, or at least educating clients about cybersecurity. There’s a lot of opportunity in the cyber insurance space,” he said.