An insurer says it expects a surge in data breach and other security failure insurance claims after the EU General Data Protection Regulation (GDPR) comes into force on May 25. The year 2017 had as many cyber claim notifications as the previous four years combined, says AIG. Its latest cyber claims report found that over a quarter of European cyber claims (26pc) received in 2017 had ransomware as the primary cause of loss, up from 16pc the previous year. Other main breach types were: data breach by hackers (12pc); other security failure/unauthorised access (11pc); impersonation fraud (9pc).
While the proportion of claims caused by employee negligence fell marginally to 7pc in 2017, human error continues to be a significant factor in the majority of cyber claims. Mark Camillo, head of cyber for EMEA at AIG said: “In 2017 we saw a series of sophisticated, systemic malware and ransomware attacks, including WannaCry and NotPetya. The resulting business interruption was a significant issue for many European organisations – much of the financial impact was a balance sheet loss. While ransom payments only generated around $150,000, total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to direct costs and indirect business disruption. The majority of these losses were underinsured.
“The arrival of GDPR will become another tool for negotiation by extortionists. They will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences could be more significant under the new regime. Companies will be more inclined to report breaches, leading to an increased impact on the volume of cyber claims. This was seen in the US after state breach notification laws came into effect and where nearly every high-profile cyber breach is met with at least one class action lawsuit.”
While professional services by sector topped the claims, the insurance firm says no sector is immune. Camillo added: “There is a continuing trend, whereby a larger number of notifications each year are coming from an increasingly broad range of industry sectors and not just those traditionally associated with cyber risk. This reflects the fact that many of the recent ransomware attacks have been indiscriminate in terms of which industry they hit.
“Professional services have become more of a target. Solicitors and accountants with large databases of clients are attractive to cyber-criminals because of the quality of the data they hold, and are vulnerable to cybercrimes that target regular financial transactions. However, whatever their size or sector, organisations operating in today’s interconnected and increasingly digital world are becoming more attuned to the risk and aware of how good cyber hygiene, combined with cyber insurance, can play an important part in mitigating potentially dire financial consequences. To become cyber-resilient, organisations need to prepare – practise their response, implement a robust cyber risk strategy and ensure they are indemnified for the full range of cyber exposures, including network interruption.”
Andy Norton, director of threat intelligence at cyber product firm Lastline said: “This is the tip of the iceberg for cyber insurance companies. Ransomware and data breaches have driven the increase in claims in 2017. Cyber insurance companies are hugely exposed to the silent threats in cyber, and most organisations lack behavioural analysis technologies to prevent cyber threats from getting a foothold in internal networks from which they are able to disrupt operational capability, steal intellectual property, or leak sensitive information.
Cyber insurance companies will need to start mandating certain hygiene technologies to reduce the exposure they face from a more sophisticated threat and a tougher regulatory environment.”