A further surge in data breach and other security failure insurance claims is expected when the EU General Data Protection Regulation (GDPR) comes into force tomorrow, after a record 2017 saw as many cyber claim notifications as in the previous four years combined.
AIG Europe’s new report on cyber claims, Cyber Insurance Claims: Ransomware Disrupts Business, revealed that more than a quarter of the European cyber claims (26%) received in 2017 had ransomware as the primary cause of loss—up from 16%.
Other breach types included data breach by hackers (12%), other security failure/unauthorised access (11%) and impersonation fraud (9%).
The proportion of claims caused by employee negligence fell marginally to 7% in 2017, but human error continues to be a significant factor in the majority of cyber claims, according to AIG.
Applying when the personal data of EU residents is collected, stored or otherwise processed, regardless of where the processing takes place, GDPR carries significant penalties for anyone found in breach, including fines of up to 4% of global turnover.
These penalties could incentivise cyber criminals to carry out further attacks at a time when insurers are still reeling from 2017’s NotPetya and WannaCry incidents, with the latter generating estimated losses of $8 billion (£5.98 billion), even though ransom payments only generated around $150,000 (£112,200).
Mark Camillo, head of cyber for Europe, the Middle East and Africa at AIG, said: “The arrival of GDPR will become another tool for negotiation by extortionists. They will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences could be more significant under the new regime. Companies will be more inclined to report breaches, leading to an increased impact on the volume of cyber claims. This was seen in the US after state breach notification laws came into effect and where nearly every high-profile cyber breach is met with at least one class action lawsuit.”
AIG’s report showed that no sector is immune to cyber attack, with notifications made by insureds in eight sectors that had previously not featured at all in AIG’s cyber claims statistics.
Professional and financial services topped the list, with professional services showing a significant increase in its proportion of overall claims (up to 18% from 6% in 2013-2016).
Camillo commented: “There is a continuing trend, whereby a larger number of notifications each year are coming from an increasingly broad range of industry sectors and not just those traditionally associated with cyber risk. This reflects the fact that many of the recent ransomware attacks have been indiscriminate in terms of which industry they hit.
“Professional services have become more of a target. Solicitors and accountants with large databases of clients are attractive to cyber-criminals because of the quality of the data they hold, and are vulnerable to cybercrimes that target regular financial transactions.”
Camillo added: “However, whatever their size or sector, organisations operating in today’s interconnected and increasingly digital world are becoming more attuned to the risk and aware of how good cyber hygiene, combined with cyber insurance, can play an important part in mitigating potentially dire financial consequences. To become cyber-resilient, organisations need to prepare—practise their response, implement a robust cyber risk strategy and ensure they are indemnified for the full range of cyber exposures, including network interruption.”
In April, Jacqueline Cole, a member of the Forum of Insurance Lawyer’s directors and officers sector focus team, outlined important steps that insurance companies should take to comply with GDPR.