
Allianz: Big Jump in Large Cyber Claims Due to Data and Privacy Breaches

A new report from insurer Allianz indicates that large cyber claims (over €1 million in value) rose significantly in the first half of 2024, with about two-thirds involving data and privacy breaches.

Those numbers, drawn from Allianz internal customer data, show a 17% increase in the value of cyber claims and a 14% increase in frequency during this period. The central driver is class action lawsuits connected to data and privacy breaches, which have at least doubled in quantity every year since 2021.

Significant jump in cyber claims tied to MOVEit, other privacy lawsuits

One of the central drivers of this jump is what Allianz calls “hyperlitigation” in response to major data and privacy breaches. This is essentially the inevitable consequence of an upstream services provider being breached, triggering multiple lawsuits involving downstream clients. The primary example they give is last year’s MOVEit breach, which sparked over 240 lawsuits that were collected into a massive class action in October 2023.

Class action suits related to data and privacy breaches have been growing precipitously in recent years, at least doubling each year from 2021 to 2023. Over 1,300 were filed last year, four times the number filed just two years prior. But while this steady and quick rise in suits is a factor, there has also been a major recent spike in the severity of cyber claims. Allianz says that it saw only a 1% increase in severity over the course of 2023, with a 17% increase notched in just the first half of this year. Partially driving this spike is the increasing proportion of ransomware attackers that use “double extortion” techniques involving stolen data, something that was at one time only done by the largest of these threat groups.

Costs are also increasing for reasons other than cyber attacks. There has been a spike in cyber claims involving “non-attack” litigation tied to stronger regulations coming online around the world, as companies face suits for violations in the collection, processing and transfer of personal data.

Allianz anticipates stabilization of data and privacy breaches

While we are coming out of a substantial spike, Allianz sees cyber claims stabilizing in the second half of 2024. However, the company warns of substantial risks going forward that could cause more surges in data and privacy breaches.

One of these risks is the already widespread adoption of AI. Allianz sees potential for new data and privacy breaches as the result of mishandling of AI chatbots and the reams of information they take in. There are multiple angles of risk here: accidental exposure, the possibility of hackers cracking into AI training data, and emerging regulation that still requires decisions from data protection authorities and the outcome of court cases to firm up.

The report also notes that there are still common and widespread issues with cyber security, pointing to the methods by which some of the recent major data and privacy breaches occurred. Allianz does not get into particulars in the report, but some recent examples would be the compromise of Microsoft by a password spray that hit upon an unusually powerful legacy account, or the phishing of help desks that kicked off the MGM and Caesars breaches (among others). The majority of cyber claims, 58%, continue to be due to a ransomware attack. These are very frequently initiated by some sort of preventable mistake, whether it be an insufficiently trained employee or a failure to patch a critical vulnerability in a timely manner.

Surprisingly, though the US completely lacks a federal-level privacy law comparable to the EU’s GDPR, lawsuits over data and privacy breaches are becoming more expensive there than anywhere else. Allianz chalks this up to the legal system’s focus on interpretation of more general rules and the ability to turn to judicial precedent when an existing law is unclear on a specific situation, ultimately creating decisions that can cost companies hundreds of millions of dollars in the most expensive cases. The US is the decided leader in large cyber claims thus far in 2024, accounting for 72% of those tallied in the report.

Allianz warns that the data breach risk is not about to abate any time soon, and that companies can avoid cyber claims entirely by combing their security postures for updates that are long overdue: things like access control, network segmentation, staff training, tools to assist with prioritizing critical patches, and proper backup systems. The report also notes that about two-thirds of all data and privacy breaches are reported either by the attackers themselves or a third party such as a security firm, and that late discovery of a breach can spike the total cost by up to a thousand times compared with one that had been detected immediately.