The latest research report from insurer AIG Europe makes for sober reading. 2017 was a record-breaking year in terms of cyber insurance claims.
The total number of claims during the year was the equivalent of the previous four years combined. This is a significant rise and one that was dominated by ransomware as the primary cause.
However, it is not ransomware that is expected to drive claims in 2018. With GDPR now in force, AIG Europe expects the legislation to result in high cyber insurance claims.
Mark Camillo, head of cyber for EMEA at AIG said: “In 2017 we saw a series of sophisticated, systemic malware and ransomware attacks, including WannaCry and NotPetya. The resulting business interruption was a significant issue for many European organisations – much of the financial impact was a balance sheet loss.
“While ransom payments only generated around $150,000, total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to direct costs and indirect business disruption. The majority of these losses were underinsured.”
What were the top five cyber insurance claims?
Ransomware, data breaches and unauthorised access topped 2017 cyber insurance claims. The increase in claims means that AIG received the equivalent of one claim per working day throughout the year.
The top five attacks were:
- 26% – Ransomware
- 12% – Data breach by hackers
- 11% – Other security failures/unauthorised access
- 9% – Impersonation fraud
- 8% – Other virus/malware infections
Ransomware tops the chart for many reasons. It is an effective attack that often leaves victims with no choice but to pay if they want their data back. It has also seen a significant growth in the number of variants as new attack groups take advantage of it. The introduction of malware-as-a-service and the growth of affiliate programmes has made access to it much easier.
However, AIG reports that this is changing. The professionalism that marked earlier attacks has gone. There is no guarantee that data will be recoverable when ransoms are paid. Researchers have also discovered flaws in several ransomware families that allow victims to recover their data without paying. In addition, companies have been doing much more to protect their data and have improved their backup and recovery processes.
Despite the rise in Distributed Denial of Service (DDoS) attacks in 2017, they accounted for just 2% of claims. This will surprise many observers, but it may be that DDoS is masked by other claim categories. DDoS is not just about stopping businesses working. It is also used as a distraction technique, allowing hackers to carry out more intrusive attacks while security teams are trying to restore connectivity.
GDPR expected to drive the next rise in claims
According to Camillo: “The arrival of GDPR will become another tool for negotiation by extortionists. They will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences could be more significant under the new regime.”
In 2017, legal/regulatory proceedings based on violations of data privacy regulations accounted for just 4% of claims. However, this is likely to change. GDPR makes it a requirement for companies to report breaches. The report draws parallels with the US when mandatory breach reporting was introduced there.
Camillo said: “Companies will be more inclined to report breaches, leading to an increased impact on the volume of cyber claims. This was seen in the US after state breach notification laws came into effect and where nearly every high-profile cyber breach is met with at least one class action lawsuit.”
This is not just about the costs likely to be imposed by regulators. AIG believes that GDPR will create new types of cases not generally seen in Europe at the moment. The report cites the Morrisons employee class-action lawsuit over the leaking of payroll data. While Morrisons lost the case, it has gone to appeal. If it loses that appeal, similar cases could follow.
The report also states: “There is some anticipation the introduction of GDPR could see more shareholder lawsuits against companies and their directors in the future. The US has had strict notification requirements for a number of years and nearly every high-profile cyber breach is met with at least one class action lawsuit.”
It will be interesting to see if this risk leads to a corresponding increase in Directors and Officers (D&O) liability insurance.
What does this mean?
Although AIG Europe is reporting a huge rise in claims, cyber insurance is still not widely used by organisations. GDPR may well be the trigger point for organisations investing in it. If that is the case, expect claim reports to jump again and again over the next few years. However, as with all insurance policies, businesses need to read the policy carefully to see what they are actually covered for.
According to Ilia Kolochenko, CEO, High-Tech Bridge: “At first glance, it may sound like good news that companies care about cybersecurity and invest in related insurance products. However, in many cases, it simply means that the organizations have given up on securing their premises and data, and are instead preparing themselves to pay premiums to cover inevitable breaches rather than investing in information security solutions and services. In the long term, it may simply mean a decline for cybersecurity companies whose offerings will become economically impractical.
“For companies who consider buying the insurance, I’d recommend carefully reading every single line of the contract to ascertain that it covers pertinent and relevant risks. All companies have their own unique cyber risks and threat models, and thus a one-size-fits-all insurance may simply be useless at the end of the day.”