Interactive Cost Model (ICM)

INFORMATION PRIVACY

Covers all costs associated with the compromise of sensitive PII records including: forensic investigation of the compromise; legal cost including discovery of the records compromised and their owners; legal costs to respond to litigation; class action settlements; legal costs to respond to regulatory investigations; and, regulatory fines.

Sensitive PII Event Response and Management

Direct incident response costs to determine if sensitive PII records were compromised and, if so, determining the magnitude and ownership of the compromised records.

Forensic Investigation (PII Records Breached)

External forensic investigation costs to determine if PII was compromised and, if so, from where in the network and the extent of the compromise.

Legal (PII Records Breached)

External legal costs to the determine the nature of the PII stolen and the identity and residence of the recordholders of the PIII stolen. Also includes required notifications to recordholders as well as regulatory and government authorities.

Public Relations (PII Records Breached)

The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

Net Number of Sensitive PII Recordholders Compromised

The number of individual sensitive PII recordholders breached - can be different from the number of records breached since multiple records may belong to one recordholder.

Number of Sensitive PII Recordholders Compromised in non PCI-only Attacks

This refers to data compromise risk scenarios where no PCI records were compromised or where PCI records are not the only type of record compromised.

Number of PCI-only Recordholders Compromised

Refers to data compromise risk scenarios where only PCI records are stolen.

Customer Notification

Compromised recordholders must be notified of the breach - how the notification is made depends on the nature of the data stolen and the prior breach contact method approval given by the recordholder.

Notification by Email

Email notification is sufficient for certain types of records and if the recordholder has given prior authorization to be notified of a breach by email.

Notification by Postal Service

If the recordholder did not previously authorize breach notification by email or in the case of certain types or information compromised, the company is required to send a letter to the recordholder via postal service.

Call Center

For large breaches the breached company generally sets up one or more call centers to handle inquiries by all customers seeking to know if their information was breached and what they should do next.

Monitoring & ID Protection

Generally breached companies offer a year (sometimes more) of credit monitoring (and sometimes identity theft protection as well).

PCI-DSS Liability

Costs imposed by the card issuer members of PCI DSS for compromise of PCI information.

PCI-DSS Penalties

Penalties owed to card issuers that are in excess of pre-determined levels as per contract.

PCI Non-Compliance Fines

Fines owed to card issuers if organization was determined to be out of compliance when the compromise took place.

Operational Reimbursement Assessment - Card Replacement Fee

The cost incurred by card issuers to replace compromised payment cards.

Fraud Reimbursement Assessment

An assessment for the amount of fraud determined to be directly related to the compromise.

Case Management Assessment

Cost of the compromise Assessment by PCI DSS.

PCI-DSS Response Expenses

Cost of a PCI qualified independent forensic investigation.

Information Privacy Liability

Legal and Settlement costs of litigation surrounding the compromise of sensitive PII.

Claims Expenses - Attorneys' Fees + Discovery (outside counsel)

Outside legal costs associated with defense of sensitive PII data litigation only.

Class Action Recordholder Settlement

The final settlement cost of a class action lawsuit representing recordholders whose sensitive PII records were breached.

Class Action Recordholder Settlement Before Likelihood

Class action litigation after a data compromise is a third party liability cost and is often presented after the likelihood of a legal settlement since lawsuits generate costs outside of the company’s control.

Number of Settlement Members (CA-Recordholder)

The number of compromised sensitive PII recordholders who become official members of a class action lawsuit.

Members' Claims (CA-Recordholder)

The sum of the one or more types of financial claims agreed to as part of the final settlement of a class action lawsuit.

Total Fraudulent Tax Return Claims

The cost of claims related to the filing of fraudulent tax returns using stolen tax-related records (eg, W-4s in the US).

Total Extraordinary Documented Out-of-Pocket Claims

The cost of claims arising from members' documented unreimbursed identity theft fraudulent costs.

Total Documented Out-of-Pocket Claims

The cost of claims arising from members' documented unreimbursed costs incurred to respond to the breach.

Total Cash Payments for All Members - no Documentation

The cost of making a one time cash payment to all members or class of members to offset the time spent responding to the breach and hardship incurred by members. Or this can be a payment to members who have not filed valid claims for reimbursement under another type of claim in the settlement.

Members' Monitoring and ID Protection (CA-Recordholder)

Part of Class Action Recordholder - The cost of providing credit monitoring and identity theft protection to members, usually for 2 years.

Plaintiffs' Attorneys' Fees-Costs-Expenses (CA-Recordholder)

Part of Class Action Recordholder - The sum of the cost of plaintiffs' legal fees, expenses, court costs, and plaintiff awards.

Attorneys' Fees (Recordholder)

Part of Class Action Recordholder - Plaintiffs' attorneys' fees approved by the court for trying the case.

Court Costs and Expenses (Recordholder)

Part of Class Action Recordholder - The costs and expenses incurred by plaintiffs’s attorneys.

Service Awards

Part of Class Action Recordholder - service awards paid to class members who assisted plaintiffs' attorneys with the case.

Settlement Administration and Notification (CA-Recordholder)

Part of Class Action Recordholder - The costs of third party settlement administration and notification.

Class Action Biometrics Settlement

Class Action settlement for the improper collection and/or storage of PBI (personal biometric information), usually - but not always - as a result of using employees biometric information (fingerprints) for time clocks without obtaining their prior permission.

Class Action Biometrics Settlement Before Likelihood

The user has the option of including possible biometric settlement before or after likelihood of occurrence.

Number of Settlement Members (CA-Biometrics)

The number of people whose PBI was used improperly who choose to become part of the class action.

Members' Claims (CA-Biometrics)

The sum of all types of member claims awarded as part of the settlement.

California Residents

The California CCPA (California Consumer Protection Act of 2018) has special provisions requiring businesses to safeguard individuals' biometric data.

Illinois Residents

Illinois (IL BIPA) is one of the most stringent laws in the US covering biometric data. To date the majority of class action settlements were filed under BIPA.

Residents in Rest of US

There are other class action settlements that have awarded claims from biometric data misuse to residents of states other than CA and IL.

Plaintiffs' Attorneys' Fees-Costs-Expenses (CA-Biometrics)

Part of Class Action Biometrics - The sum of the cost of plaintiffs' legal fees, expenses, court costs, and plaintiff awards.

Attorneys' Fees (Biometrics)

Part of Class Action Biometrics - Plaintiffs' attorneys' fees approved by the court for trying the case.

Court Costs and Expenses (Biometrics)

Part of Class Action Biometrics - The costs and expenses incurred by plaintiffs’s attorneys.

Settlement Administration and Notification (CA-Biometrics)

Part of Class Action Biometrics - The costs of third party settlement administration and notification.

Class Action Financial Settlement

The final settlement of a class action lawsuit representing financial institutions who incurred costs related to compromised PCI records.

Regulatory Liability

All costs associated with regulatory investigations including external legal fees and discovery as well as fines.

Attorneys' Fees (outside counsel)

Outside legal costs associated with defense of proposed regulatory actions.

Privacy Violations from Data Breach only (theft or exposure)

Fines related to data breaches only. Generally fines are only levied on companies with multiple breaches or egregiously poor cyber controls.

HIPAA

HIPAA fines related to the breach of PHI records. Regulatory body is the US Department of Health and Human Services and protects US resident recordholders. Benchmark costs are based on all of the actual HIPAA fines levied by the OCR HHS.

SAG

Fines imposed by State Attorneys General. Each SAG represents compromised recordholders residing in their respective states.

FTC (Data Breach only)

Fines imposed by the U.S Federal Trade Commission. Generally these fines are only for very large breaches with very poor security. Often the FTC elects to impose a mandatory consent order in lieu of a fine that requires the company to improve its cybersecurity according to strict guidelines.

SEC

Fines imposed by the U.S. Securities and Exchange Commission. There have been only a handful of data breach-related fines issued by the SEC.

OCC

Fines imposed by the U.S. Treasury Department’s Office of the Comptroller of the Currency. These fines apply to financial services companies and only to very large breaches where security measures were deemed to be unacceptable.

NYDFS

New York Department of Financial Services has expanded its oversight of all companies with financial service offerings in the state of New York. This is a fairly recent type of fine and potential transgressions are being actively investigated by the NYDFS. Fines are not limited to data breaches but also are imposed for lack of mandatory controls like multi factor authentication.

UK ICO

After Brexit the UK Information Commissioner’s Office issues fines related to data breaches and misuse of PII instead of GDPR.

GDPR (Data Breach only)

The General Data Protection Regulation protects EU resident recordholders. Benchmark costs are based on all of the actual GDPR fines imposed for data breaches.

Privacy Violations from Unauthorized Use of PII

Fines related to management’s misuse of customer or employee PII. This includes all PII, not just “sensitive” PII.

GDPR (Unauthorized Use of PII)

Most GDPR fines have been for management misuse of PII or not providing an individual access to their PII.

HIPAA (Unauthorized Use of PII)

Most of the HIPAA fines imposed have been for data compromises but there are also quite a number of fines for management misuse of data or not providing an individual access to their PHI.

FTC (Unauthorized Use of PII)

The FTC has issued many fines relating to improper use of PII for advertising - robocalls, blast emails, etc. without first obtaining permission for such use by the recordholder.

BUSINESS INTERRUPTION

Covers all costs associated with revenues or net profits lost and operating expenses paid during a business interruption due to a cyber attack on your network or a network in your supply chain.

Direct Business Interruption

Direct Business Interruption refers to revenue and net profit losses related to downtime from an attack on the user’s own network.

Revenue Lost (Direct BI)

The amount of revenue lost as a result of direct business interruption and not believed to be recoverable in the future.

Revenue Deferred (Direct BI)

The amount of revenue that is deferred as a result of business interruption but is believed to be recoverable in the future.

Public Relations (Direct BI Revenue)

The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

Direct Business Interruption for Cyber Insurance Coverage

Replaces revenue lost (direct) with net profits lost + unavoidable operating expenses (direct)to account for cyber insurance coverage calculations.

Pre-tax Net Profit Lost - EBITDA (direct BI)

Pre-tax Net Profit Lost (direct) for insurance calculations is assumed to be EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization).

Expenses Incurred during BI

Those unavoidable operating expense (direct)s incurred during business interruption (eg, salaries, rents, subscriptions, etc.)

Forensic Accounting Firm (for cyber insurance coverage)

Forensic accountants help determine and substantiate business interruption costs for cyber insurers.

Public Relations (Direct BI Net Profit)

The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

Contingent Business Interruption (Supply Chain Attack Victim - 3P failure to provide IT services)

Contingent Business Interruption refers to revenue and net profit losses related to downtime from an attack on the network of a third party from the user’s supply chain (eg, a supply chain (victim) cyber risk).

Revenue Lost (contingent BI)

The amount of revenue lost as a result of a contingent business interruption and not believed to be recoverable in the future.

Public Relations (Contingent BI Revenue)

The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

Contingent Business Interruption for Cyber Insurance Coverage

Replaces revenue lost (contingent) with net profits lost + unavoidable operating expenses (contingent) to account for cyber insurance coverage calculations.

Pre-tax Net Profit Lost - EBITDA (contingent BI)

Pre-tax Net Profit Lost (contingent) for insurance calculations is assumed to be EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization).

Expenses Incurred during BI (contingent BI)

Those unavoidable operating expense (contingent)s incurred during business interruption (eg, salaries, rents, subscriptions, etc.)

Forensic Accounting Firm (contingent BI)

Forensic accountants help determine and substantiate business interruption costs for cyber insurers.

Public Relations (Contingent BI Net Profit)

The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

CYBER EXTORTION

Covers the ransom and associated negotiation and transaction costs.

Ransom

Total cost of the ransom paid.

Ransom Paid

The amount of any ransom paid to the attacker and the cost of negotiators if used.

NETWORK SECURITY

Includes the costs associated with identifying, responding to and recovering from any type of attack at the network level including investigation, remediation, restoration and data recovery.

Network Event Response and Recovery

Incident response cost directly related to investigation, remediation, and restoration of network equipment and systems (including OS, applications and data)

Forensic Investigation (Network Incident Response)

Fees associated with external forensic investigators who analyze the security incident, contain the attack if necessary, collect evidence and advise on remediation measures.

Legal (Network Incident Response)

Fees associated with outside legal counsel specializing in security incidents and their aftermath.

System Restoration

The cost of re-imaging a system after it was compromised (re-installing the operating system and all applicable applications).

Restore Servers

The cost of restoring operating systems and applications on servers.

Restore Computers/Laptops

The cost of restoring operating systems and applications on computers/laptops

Data Recovery

The cost of restoration of data to encrypted systems.

Restore Data to Servers

The cost of restoring data to servers from backups.

Restore Data to Computers/Laptops

The cost of restoring data to computers/laptops from backups - is generally limited to the C-suite and specific systems.

Restore Data (from hard drives) - no backup available

The cost of restoring data from hard drives (much more difficult and problematic than restoring data from backups).

FINANCIAL FRAUD

In ICM v2 includes the estimated cash lost from a simple Business Email Compromise (BEC) attack on vendor wire transfers caused by social engineering.

BEC

The amount of money fraudulently wired as a result of social engineering employed upon an employee.

Number of hours (PII forensics) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested IR plan) - percent reduction in number of hours (PII forensics)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (PII forensics)

The cost per hour for an action - is used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (PII legal) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested IR plan) - percent reduction in number of hours (PII legal)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (PII legal)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (PII PR) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested BCP) - percent reduction in number of hours (PII PR)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (PII PR)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of total sensitive PII recordholders in US, Canada, and Australia

Percent of the sum of sensitive PII recordholders in the US, Canada and Australia divided into the total number of sensitive PII recordholders [worldwide].

Percent of total sensitive PII recordholders compromised

The estimated percent of sensitive PII recordholders compromised (Benchmark percent is a function of total revenue).

IC - percent of customer sensitive PII recordholders compromised if PII encrypted at rest

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of PCI recordholders in US, Canada, or Australia

lInferred number of PCI recordholders that are located in US, Canada and Australia.

Percent of PCI recordholders compromised

The inferred percent of PCI recordholders compromised (Benchmark percent is a function of total revenue).

IC - percent of PCI recordholders compromised if PII encrypted at rest

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per recordholder (notification email)

Estimated cost per recordholder is a function of the number of recordholders compromised.

Setup Fee (notification email)

Fixed fee amount.

Percent of sensitive PII recordholders required to be notified by postal service

Customer input to question. [Some records require notification of a breach by postal service according to regulatory requirements, except that in some circumstances a customer may formally agree to be notified by email instead of postal service.

Cost per recordholder (notification postal service)

Estimated cost per recordholder is a function of the number of recordholders compromised.

Setup Fee (notification postal service)

Fixed fee amount.

Cost per recordholder (call center)

Estimated cost per recordholder is a function of the number of recordholders compromised.

Setup Fee (call center)

Fixed fee amount.

Cost per recordholder per month (IR)

The cost to provide credit monitoring & identity theft protection for one recordholder for a month.

Number of months (IR)

The number of months duration of an expense. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of compromised recordholders that accept monitoring (IR)

Percent of recordholders that accept the monitoring & ID protection offered. The legend in () at the end of the name defines the cost category the driver belongs to.

Per month fine

The number of months that an organization was found PCI-DSS noncompliant before the data compromise.

Number of months non-compliant

The number of months duration of an expense. The legend in () at the end of the name defines the cost category the driver belongs to.

Per card replacement fee

The cost of replacing payment cards after a PCI compromise.

Percent of compromised cards replaced

Percent of payment cards needing to be replaced after a PCI compromise.

Fraud reimbursement assessment threshold

The contractual threshold amount of fraud set by card issuers.

Percent of cards stolen used fraudulently

Estimated number of compromised payment cards used fraudulently after their compromise.

Median fraudulent charge per card

The estimated median fraudulent charges per compromised payment card.

Flat fee

Fixed fee amount for a PCI Case Management Assessment.

Qualified PCI-DSS 3P forensic firm investigation

A second forensic investigation by a qualified PCI-DS 3P is required after a PCI data compromise.

QSA PCI-DSS audit

After the qualified 3P forensic investigation, an audit by a qualified 3P PCI auditor is required.

Number of hours (PII liability legal) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested IR plan) - percent reduction in number of hours (PII liability legal)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (PII liability legal)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (PII liability legal)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Litigation costs are before applying likelihood (CA-recordholder)

This is a cost driver to replace the question, “Do you want to account for litigation costs before applying likelihood of occurrence?” This driver can only be 0% or 100%. If the driver is 100%, it means the answer to the question is YES, show 100% of costs without apply likelihood of occurrence. If 0%, this means the litigation costs are multiplied by likelihood of occurrence.

Percent likelihood of a lawsuit (CA-recordholder)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Maximum historical settlement (CA-recordholder)

A maximum settlement amount is established for each class action lawsuit based on historical maximum settlements approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

Settlement subtotal (pre-improvements) (CA-recordholder)

Subtotal formula.

Percent of recordholders that become members

The percent of compromised recordholders that become members of a class action lawsuit.

Per claim (tax)

The per recordholder claim amount for recordholders whose stolen PFI was used to file a fraudulent tax return claim with the governing tax authority.

Percent of members with valid claims (tax)

Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

Per claim (extra)

The per recordholder claim amount for recordholders who suffered unreimbursed extraordinary out-of-pocket losses as a result of identity theft.

Percent of members with valid claims (extra)

Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

Per claim (documented)

The per recordholder claim amount for recordholders who suffered unreimbursed out-of-pocket expenses responding to the breach.

Percent of members with valid claims (documented)

Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

Cash payment

The per recordholder amount offered by the breached company to all members with no documented out-of-pocket expenses required.

Percent of members qualifying for another type of claim

Unless the only claim type is a fixed cash payment for all members, this claims type is reserved for those members who did not qualify for a potentially larger type of cash claim.

Percent of members participating

Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per employee per month (CA-recordholder)

The cost to provide credit monitoring & identity theft protection for one recordholder for a month.

Number of months (CA-recordholder)

The number of months duration of an expense. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of members that accept monitoring (CA-recordholder)

Percent of recordholders that accept the monitoring & ID protection offered. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of total settlement cost (excluding injunctive relief) (CA-recordholder)

The percent of the total settlement that can be comprised of plaintiffs' attorneys fees. Usually the courts allow 25%.

Court costs as a percent of attorneys' fees (CA-recordholder)

Court costs and litigation expenses incurred by plaintiffs' attorneys.

Number of service awards (CA-recordholder)

The number of plaintiffs' representatives eligible for a service award for helping their attorneys.

Cost per service award (CA-recordholder)

The cost per service award (paid to settlement members who assisted plaintiffs’ attorneys).

Maximum administration costs by revenue range (CA-recordholder)

A maximum amount is established based on historical maximum administration costs approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

Subtotal administration and notification costs (CA-recordholder)

Subtotal formula.

Average administration and notification cost per record (CA-recordholder)

The average cost per breached recordholder. The administrator needs to send official notification to every breached recordholder who may be qualified to be a member of the lawsuit. The administrator then needs to validate all claims and disperse funds according to the terms of the settlement.

Litigation costs are after applying likelihood (CA-biometrics)

This is a cost driver to replace the question, “Do you want to account for litigation costs before applying likelihood of occurrence?” This driver can only be 0% or 100%. If the driver is 100%, it means the answer to the question is YES, show 100% of costs without apply likelihood of occurrence. If 0%, this means the litigation costs are multiplied by likelihood of occurrence.

Percent likelihood of a lawsuit (CA-biometrics)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Maximum historical settlement (CA-biometrics)

A maximum settlement amount is established for each class action lawsuit based on historical maximum settlements approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

Settlement subtotal (pre-improvements) (CA-biometrics)

Subtotal formula.

Percent of recordholders that become members (CA-biometrics)

The percent of compromised recordholders that become members of a class action lawsuit.

Per claim (CA-biometrics-CA)

The per recordholder claim amount for California residents whose biometric data was used without their prior authorization.

Percent of members with valid claims (CA-biometrics-CA)

Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

Per claim (CA-biometrics-IL)

The per recordholder claim amount for Illinois residents whose biometric data was used without their prior authorization.

Percent of members with valid claims (CA-biometrics-IL)

Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

Per claim (CA-biometrics-rest of US)

The per recordholder claim amount for US residents not residing in either California or Illinois whose biometric data was used without their prior authorization.

Percent of members with valid claims (CA-biometrics-rest of US)

Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of total settlement cost (excluding injunctive relief) (CA-biometrics)

The percent of the total settlement that can be comprised of plaintiffs' attorneys fees. Usually the courts allow 33% for biometric lawsuits.

Court costs as a percent of attorneys' fees (CA-biometrics)

Court costs and litigation expenses incurred by plaintiffs' attorneys.

Maximum administration costs by revenue range (CA-biometrics)

A maximum amount is established based on historical maximum administration costs approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

Subtotal administration and notification costs (CA-biometrics)

Subtotal formula.

Average administration and notification cost per record (CA-biometrics)

The average cost per breached recordholder. The administrator needs to send official notification to every breached recordholder who may be qualified to be a member of the lawsuit. The administrator then needs to validate all claims and disperse funds according to the terms of the settlement.

Average settlement (CA-financial)

The average class action financial historical settlement.

Average plaintiffs' attorneys fees (CA-financial)

The average plaintiffs' attorneys' fees for class action financial settlements.

Percent likelihood of a lawsuit (CA-financial)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (regulatory legal) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested IR plan) - Percent reduction in number of hours (regulatory legal)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (regulatory legal)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (regulatory legal)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

HIPAA fines (actual)

US regulatory fine - protects US resident recordholders. Based on all of the actual HIPAA fines levied by the OCR HHS for data compromise of PHI.

IC - (encryption/tokenization) percent likelihood (HIPAA) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (HIPAA)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

SAG fines (actual)

US regulatory fine - protects US resident (by state) recordholders. Based on actual SAG fines levied by one or more of the 51 SAGs (includes the District of Columbia).

IC - (encryption/tokenization) percent likelihood (SAG) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (SAG)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

FTC fines (actual)

US regulatory fine - protects US resident recordholders. Based on all of the actual FTC fines imposed for data breaches.

IC - (encryption/tokenization) percent likelihood (FTC) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (FTC)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

SEC fines (actual)

US regulatory fine - applies to US public companies. Based on all of the actual SEC fines imposed for data breaches.

IC - (encryption/tokenization) percent likelihood (SEC) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (SEC)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

OCC fines (actual)

US regulatory fine - applies to US financial companies. Based on all of the actual OCC fines imposed for data breaches.

IC - (encryption/tokenization) percent likelihood (OCC) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (OCC)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

NYDFS fines (actual)

US regulatory fine - applies to US financial companies operating in NY state. Based on all of the actual NYDFS fines imposed for data breaches.

IC - (encryption/tokenization) percent likelihood (NYDFS) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (NYDFS)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

UK ICO (Data Breach only) fines (actual)

UK regulatory fine - protects UK resident recordholders. Based on all of the actual UK ICO fines imposed for data breaches. [Since Brexit the UK is no longer part of the EU’s GDPR.)

IC - (encryption/tokenization) percent likelihood (UK ICO) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (UK ICO)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

GDPR (Data Breach only) fines (actual)

EU regulatory fine - protects EU resident recordholders. Based on all of the actual GDPR fines imposed for data breaches.

adjustment for revenue size (GDPR data breach)

Used for calculating Benchmark values.

IC - (encryption/tokenization) percent likelihood (GDPR data breach only) if all sensitive PxI is encrypted

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent likelihood (GDPR data breach)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

GDPR (Unauthorized Use of PII) fines (actual)

EU regulatory fine - protects EU resident recordholders. Based on all of the actual GDPR fines imposed for data misuse by management.

Percent likelihood (GDPR - Unauthorized Use of PII)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

HIPAA (Unauthorized Use of PII) fines (actual)

US regulatory fine - protects US resident recordholders. Based on all of the actual HIPAA fines levied by the OCR HHS for misuse of PHI by management.

Percent likelihood (HIPAA-Unauthorized Use of PII)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

FTC (Unauthorized Use of PII) fines (actual)

US regulatory fine - protects US resident recordholders. Based on all of the actual FTC fines imposed for misuse of PII data such as robocalling.

Percent likelihood (FTC-Unauthorized Use of PII)

The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of days (direct BI revenue lost) - [selected cyber risk]

The number of days during which revenue / Net Profit was lost (not generated) or Expenses were incurred during a Business Interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI revenue lost)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily total annual revenue (direct BI revenue lost)

Total revenue divided by number of days in a year to determine the daily revenue rate.

Deferred revenue not recoverable (direct BI revenue lost)

Subtotal formula.

Percent of deferred revenue not recoverable (direct BI revenue lost)

Sometimes a portion of deferred revenue is not recoverable and that unrecoverable amount should be added to revenue lost.

Percent of revenue impacted (direct BI revenue lost) - [selected cyber risk]

The percent of total revenue that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of days (direct BI revenue deferred) - [selected cyber risk]

The number of days during which revenue / Net Profit was lost (not generated) or Expenses were incurred during a Business Interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI revenue deferred)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily total annual deferred revenue (direct BI revenue deferred)

Total deferred revenue divided by number of days in a year to determine the daily revenue rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of deferred revenue impacted (direct BI revenue deferred) - [selected cyber risk]

The percent of deferred revenue that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (direct BI PR revenue) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI PR revenue)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (direct BI PR revenue)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Waiting period number of hours (direct BI)

The period of time (generally hours) that must elapse after a business interruption starts before insurance coverage begins. The legend in () at the end of the name defines the cost category the driver belongs to.

Restoration period number of days (direct BI)

The length of time that insurance will cover a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of days (direct BI net profit) - [selected cyber risk]

The number of days during which revenue / Net Profit was lost (not generated) or Expenses were incurred during a Business Interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI net profit)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily pre-tax annual net profit (direct BI net profit)

Total net profit divided by number of days in a year to determine the daily net profit rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of net profit impacted (direct BI net profit) - [selected cyber risk]

The percent of net profit that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested BCP) - percent reduction in subtotal cost (direct BI expenses)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily normal operating expenses (direct BI expenses)

Total normal operating expenses divided by number of days in a year to determine the daily operating expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily extra expenses (direct BI expenses)

Total extra expenses divided by number of days in a year to determine the daily extra expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (direct BI forensic accounting) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

Cost per hour (direct BI forensic accounting)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (Direct BI PR net profit) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI PR net profit)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (direct BI PR net profit)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of days (contingent BI revenue lost) - [selected cyber risk]

The number of days during which revenue / Net Profit was lost (not generated) or Expenses were incurred during a Business Interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested BCP) - percent reduction in number of days (contingent BI revenue lost)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily contingent annual revenue (contingent BI revenue lost)

Total contingent revenue divided by number of days in a year to determine the daily contingent revenue rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of contingent revenue impacted (contingent BI revenue lost) - [selected cyber risk]

The percent of contingent revenue that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (contingent BI PR revenue) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested BCP) - percent reduction in number of hours (contingent BI PR revenue)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (contingent BI PR revenue)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Waiting period number of hours (contingent BI)

The period of time (generally hours) that must elapse after a business interruption starts before insurance coverage begins. The legend in () at the end of the name defines the cost category the driver belongs to.

Restoration period number of days (contingent BI)

The length of time that insurance will cover a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of days (contingent BI net profit) - [selected cyber risk]

The number of days during which revenue / Net Profit was lost (not generated) or Expenses were incurred during a Business Interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested BCP) - percent reduction in number of days (contingent BI net profit)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily contingent net profit [customer input]

Total contingent net profit divided by number of days in a year to determine the daily contingent net profit rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of net profit impacted (contingent BI net profit) - [selected cyber risk]

The percent of contingent net profit that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested BCP) - percent reduction in subtotal cost (contingent BI expenses)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily normal operating expenses (contingent BI expenses)

Total operating expenses divided by number of days in a year to determine the daily operating expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Daily extra expenses (contingent BI expenses)

Total extra expenses divided by number of days in a year to determine the daily extra expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (contingent BI forensic accounting) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

Cost per hour (contingent BI forensic accounting)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (contingent BI PR net profit) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

IC - (comprehensive, tested BCP) - percent reduction in number of hours (contingent BI PR net profit)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (contingent BI PR net profit)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Ransom demanded as a percent of revenue

Attackers increasingly determine the initial ransom demanded as a percentage of the revenues of the victim.

Ransom discount factor

Depending on the revenue size and industry of the victim, attackers discount the initial ransom demanded in an effort to come up with a reasonable number most likely to be accepted by the victim.

Ransom negotiator fees

Ransom negotiators have become increasingly common, bringing their expertise to negotiations between the attackers and the victims. The cost of the negotiator can be a flat fee or a percent of the total ransom.

Ransom transaction fees

The cost to purchase and hold bitcoin for paying a ransom.

IC (offsite-immutable data backup) - percent likelihood ransom IS paid

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (IR forensic) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested IR plan) - percent reduction in number of hours (IR forensic)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (IR forensic)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours (Network IR legal) - [selected cyber risk]

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected. The legend in () at the end of the name defines the cost category the driver belongs to.

IC - (comprehensive, tested IR plan) - percent reduction in number of hours (Network IR legal)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cost per hour (Network IR legal)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of servers (restoration)

The number of servers in the attack surface.

Cost per server (restoration)

Subtotal formula.

IC (offsite-immutable data backup) - percent reduction in number of hours to restore a systems

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours to restore a server (restoration)

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

Cost per hour per server (restoration)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of servers breached (restoration) - [selected cyber risk]

The percent of servers compromised in a given cyber risk scenario.

Number of computers including laptops (restoration)

The number of computers including laptops in the attack surface.

Cost per computer/laptop (restoration)

Subtotal formula.

IC (offsite-immutable data backup) - percent reduction in overall cost to restore systems

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours to restore a computer/laptop (restoration)

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

Cost per hour per computer/laptop (restoration)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of computers/laptops breached (restoration) - [selected cyber risk]

The percent of computers/laptops compromised in a given cyber risk scenario.

Number of servers (data backup)

The number of servers in the attack surface.

Cost per server (data backup)

Subtotal formula.

IC (offsite-immutable data backup) - percent reduction in overall cost to restore data (servers)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours to restore a server (data backup)

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

Cost per hour (server data backup)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of servers (data backup) - [selected cyber risk]

The percent of servers to receive data backup in a given cyber risk scenario.

Number of computers/laptops (restore data)

The number of computers including laptops in the attack surface.

Cost per computer/laptop (restore data)

Subtotal formula.

IC (offsite-immutable data backup) - percent reduction in overall cost to restore data (computers/laptops)

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours forensics to restore data on computer/laptop

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

Cost per hour - forensics to restore data on computer/laptop

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Number of hours to restore a computer/laptop (data backup)

The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

Cost per hour (computer/laptop data backup)

The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

Percent of computers/laptops (restore data) - [selected cyber risk]

The percent of computers/laptops compromised in a given cyber risk scenario.

Cost per system (no data backup)

Fixed rate to restore data from the hard drive.

Number of servers (no data backup)

The number of servers in the attack surface.

Percent of servers (no data backup) - [selected cyber risk]

The percent of servers to receive data backup in a given cyber risk scenario.

Number of computers/laptops (no data backup)

The number of computers including laptops in the attack surface.

Percent of computers/laptops (no data backup) - [selected cyber risk]

The percent of computers/laptops to receive data backup in a given cyber risk scenario.

IC - Maximum wire transfer per protocol

IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

Cash stolen

Subtotal formula.

Maximum wire fraud per revenue bucket

Used for calculating Benchmark values.

Subtotal cash stolen

Subtotal formula.

Cash stolen as function of revenue

Used for calculating Benchmark values.

Percent adjustment for industry

Used for calculating Benchmark values.