Every record compromised in a data breach ends up costing almost $1,000 — and that's probably on the low end, according to a new study by Gladwyne, Penn.-based risk assessment company NetDiligence.

The study of 160 insurance claims related to data breaches that occurred between 2012 and 2015 found the average breach compromises 3.2 million records, and each record costs $964.31 on average for everything from notifications to legal fees. The report also said financial services was the second-most frequently breached sector (health care was the first).

The average insurance claim for a breach is $673,767, according to the study, and the vast majority of total claims (78%) was spent on crisis services such as forensics, ransoms, card replacement, public relations and credit monitoring.

The study also looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. Personally identifiable information was the leader in type of data exposed, occurring in 45% of the sample. Payment card information was second at 27%, followed by private health information at 14%, it said. About seven out of every 10 incidents occurred in organizations with less than $2 billion in revenue.

Breaches don't always hit organizations directly – one in four are attributable to third parties such as vendors, according to the survey. It's especially a problem in the financial services sector, where 30% of all third-party breaches occur, it said. The average number of lost records was about three times higher when third parties were involved, the study added.

Hackers and malware or viruses get most of the blame for breaches, but the NetDiligence study found they are actually the culprit less than half the time (45%); the rest are due to lost or stolen laptops or other devices, compromised paper records, system glitches, wrongful data collection and other reasons, according to the study. Notably, one third of all breaches had insider involvement.

“The financial services sector also has cause to be concerned about insider threats,” the report said. “While only 17% of the claims in our dataset occurred in financial services, that sector accounted for 22% of insider incidents.”

Breaches in the sector cost an average of $141,249 per incident and exposed about 35,000 records on average.

NetDiligence also noted many of the 160 claims in its study are still open, meaning the reported costs only reflect payouts to date. Additional payouts on the claims are virtually certain, it said.

The data does suggest, however, that many organizations file claims for relatively small breaches. For example, the average cost for legal defense was $434,354 in the study, but a few large claims could be driving that, because the median – the point at which half the sample is above the number and half is below the number – was $73,600. Similarly, the average legal settlement was $880,839 but the median was just $50,000, the study found. Just 4% of the 160 claims included costs for PCI fines, which ranged from $21,229 to $600,000.

NetDiligence said its sample probably represents only about 5% of all cyber claims from 2012 to 2015. Nevertheless, it thinks breach costs are likely much higher for uninsured organizations.

“Insurers are putting in place 'preferred vendor panels' with pre-negotiated rates for crisis services costs, which we believe significantly reduces the cost of breach response for policyholders of those insurance carriers,” it said. “We estimate data breach response costs for an uninsured organization could be up to 30% higher than costs for an insured organization.”
