
Beazley Breach Insights March 8, 2016

On this occasion, the headlines don’t lie. The hackers are getting smarter and more effective. Data from Beazley Breach Response Services, the dedicated business unit established by specialist insurer Beazley to help clients handle data breaches effectively, shows a sharp year-on-year increase in breaches caused by hacking and malware attacks.

Beazley is a pioneer in data breach insurance and its business has been growing rapidly, at around 30% annually. In 2014, BBR Services helped clients handle 777 breaches; last year that rose to 1,249. But the proportion of breaches triggered by hacking or malware has also grown dramatically, from 18% in 2014 to 32% in 2015.

Ransomware attacks (a particular form of the malware threat) have recently hit the headlines, due largely to the well-publicized attack against Hollywood Presbyterian Medical Centre in February, which resulted in the payment of a $17,000 ransom in Bitcoin. Beazley’s data shows such attacks have been edging up over the past two years. BBR Services helped clients handle 14 ransomware attacks in 2014 and 43 in 2015. In the first two months of 2016 alone the tally was 19, which, if projected to the full year, would suggest an increase in ransomware attacks of 250% over 2015.

Ransomware attacks: 2014 through end February 2016

A weak link for many companies is their supplier or vendor relationships. Vendor-related data breaches affecting Beazley clients tripled as a percentage of total breaches between 2014 and 2015, rising from 6% to 18%. The problem was particularly acute for higher education clients, where vendor-related breaches rose from 1% of breaches in 2014 to 14% in 2015, and retailers (8% to 31%).

Beazley’s data shows hacking and malware attacks increasing sharply.

[Chart: Projected ransomware attacks by year (2014, 2015, 2016 EST). Source: BBR Services]


CBSL441_US_03/16

About Beazley Breach Response (BBR)

Beazley has helped clients handle more than 3,300 data breaches since the launch of Beazley Breach Response in 2009 and is the only insurer with a dedicated in-house team focusing exclusively on helping clients handle data breaches. Beazley’s BBR Services team coordinates the expert forensic, legal, notification and credit monitoring services that clients need to satisfy all legal requirements and maintain customer confidence. In addition to coordinating data breach response, BBR Services maintains and develops Beazley’s suite of risk management services, designed to minimize the risk of a data breach occurring.

Most vulnerable industries

Approximately 80% of the breaches handled by BBR Services in 2014 and 2015 were in three industries: healthcare, higher education and financial services. In all three industries, hacking and malware breaches increased as a proportion of the total – from 11% to 27% in healthcare; from 26% to 35% in higher education; and from 23% to 27% in financial services. (See charts for the industry breakdown of data breaches by cause).

Incidents by cause, 2015

| Cause | Higher Education | Financial Services | Healthcare |
|---|---|---|---|
| Hack or malware | 35% | 27% | 27% |
| Insider | 8% | 7% | 11% |
| Other | 3% | 8% | 2% |
| Payment card fraud | 1% | 9% | 0% |
| Physical loss | 12% | 15% | 20% |
| Portable device | 14% | 5% | 9% |
| Stationary device | 1% | 2% | 0% |
| Unintended disclosure | 22% | 24% | 30% |
| Unknown | 4% | 3% | 1% |

Five steps organizations can take to help protect their data

Beazley’s experience suggests that a data breach can occur at the best protected company. Attacks often succeed by exploiting misconfigured systems or human error. But there are still prudent steps that organizations can take to help protect their data. Here are five:

• Train employees to be aware of the information they need to protect – personally identifiable information (PII) and protected health information (PHI) – and to avoid falling for phishing attacks and other forms of social engineering.

• Develop a robust incident response plan. Data breaches cannot be well handled on the fly. Advance planning can help avert serious reputational or financial harm. A well thought out and practiced incident response plan should guide management through the life cycle of a breach – from the initial suspicion that something is amiss to full-blown forensic analysis, legal advice, customer communications and PR assistance.

• Categorize potential data risks by threat level. Over-reacting to a breach can be as damaging as under-reacting.

• Review supplier contracts carefully to ensure that your customers’ data is well protected when it is in the hands of suppliers or vendors.

• Encrypt data, particularly on mobile devices, laptops, and thumb drives, which are most likely to be lost.

www.beazley.com/bbr