With identity theft causing tens of billions of dollars in extra business expenses annually, organizations face an array of direct and indirect costs from data breaches, according to a new white paper from Business Insurance.

Risk managers at all organizations should work to minimize their exposure to cyber risks by “expecting the unexpected” and adopting various strategies, both organizational and technological, according to the white paper by cyber risk and insurance expert Mark Greisiger, president of Philadelphia-based Network Standard Corp., which does business as NetDiligence.

Identity theft affects about 10 million U.S. residents a year and causes an estimated $50 billion in unnecessary business expenses, according to the Federal Trade Commission.

The theft of personal information costs organizations an average of about $710,000 per incident, according to an annual FBI study. And the sources of those extra expenses are numerous, according to the white paper, “Cyber Risks: How to ProtectYour Business in the Digital Age.”

Extra expenses can result from:

• Managing a lengthy forensic computer system investigation. Depending on the type of data (personal health information, images, audio files, etc.), the volume of information and other factors, such as centralization of systems, such costs can range from tens of thousands to millions of dollars.
• Hiring a security consultant to assist with remediation and hardening—or increasing security—of vulnerable systems and processes.
• Notifying and assisting victims. A mailer alone can cost $1 to $3 per person.
• Expert legal support to interpret federal privacy law, ascertain which state laws may have been triggered and help craft notice letters. Expanding call-center support and website FAQs in response to a breach.
• Credit monitoring. If identity theft or fraud is possible due to a breach, many organizations offer free credit monitoring for as long as three years. Annual costs can range from $20 to $100 per person.
• Dealing with U.S. agencies and state attorneys general with authority to mount investigations and seek enforcement of privacy laws.
• Defending class action lawsuits.
• Recovering from damage done to the organization’s reputation and trust by customers or business partners, which is difficult to quantify.

The white paper argues that organizations should develop a layered approach to cyber risk management and includes practical advice on how risk managers can achieve that goal. Strategies discussed include technological defenses, such as firewalls and encryption, and system management changes, such as effective password-protection policies.

Specialty insurance protection against cyber risks first was offered more than 10 years ago and is becoming more readily available, which is reflected in the directory of cyber insurers included in white paper, with about 20 insurers offering coverage.

To purchase the white paper, please visit www.businessinsurance.com/whitepapers.