A new report from German financial services giant Allianz that examines over 1,700 cyber claims has found that cyber crime causes the most expensive cyber insurance losses, but that internal failures are the most frequent overall reasons for claims.
The report specifically named distributed denial of service (DDoS) attacks and business interruption issues as the most costly types of cyber claims. The number of ransomware claims and their average costs are also up substantially. Internal failures tend to cause low financial impact but are quite frequent, with the most common cyber risks being systems failure and various types of human error.
Results from study of $770 million worth of cyber claims
The study incorporated 1,736 cyber-related insurance claims filed with Allianz Global Corporate Specialty (AGCS) and several other insurers from 2015 to 2020, at a total value of €660 million (about $770 million).
Cyber insurance was still a relatively new product in 2015 and remained rare through 2016, with only 77 claims filed that year. The number rose to 809 in 2019, and 770 had already been filed through the first three quarters of 2020. A confluence of factors is driving the uptick in customers: more frequent and more competent cyber attacks (such as online scams and phishing), more high-level state-sponsored hacking, government regulations that create a wider variety of liability scenarios, and the greater availability of “out-of-the-box” hacking tools acting as a catalyst for all of the above. In spite of this, the primary source of cyber claims continues to be accidental internal incidents: an employee making a mistake, or the unexpected and untimely failure of some network component.
Among claims arising from deliberate attacks, attackers outside the organization (85%) are far more common than employees “going rogue” (9%). Measured across all claims, however, accidental employee mistakes and hardware or system failures (54%) outnumber claims filed due to an external attack by a little over ten percentage points. It remains to be seen whether mistakes and technical problems will keep their lead given the great shift to remote work, which is expected to last beyond the pandemic; mistakes made by those working from home are more often tied to allowing unauthorized access that leads to a data breach of some sort. Claims filed during the pandemic make up only a very small part of the data in this study, so it is too early to tell.
Regardless of the root cause, 60% of cyber claims cite “business interruption” as the main loss for which compensation is sought. Interruptions caused by technical issues (whether from hacking or employee error) have become both longer and more expensive on average. Organizations now rank cyber incidents (55%) as their leading business interruption risk, ahead of the potential financial impact of natural disasters and fires.
Cyber attacks are up and DDoS still most expensive cyber claims
Cyber attacks of all types are up during the coronavirus pandemic, due primarily to the massive shift to remote work and the many vulnerabilities it creates. The Allianz report finds that cyber security is not keeping pace with that shift. It cites research by Arceo in which nearly all of 250 CISOs at companies with over $250 million in annual revenue said they expected remote work security practices to be more lax than those in the office.
Though DDoS attacks still tend to be the most expensive of the cyber claims, ransomware is now the most prominent threat, and the most costly one once losses beyond insurance payouts are counted: total global costs are estimated at $100 billion, downtime is longer, and criminals now pair encryption with theft of sensitive documents and extortion over their release. Based on its claim reviews, however, Allianz sees business email compromise as the area with the greatest potential for growth in the near future. Major data breaches (those involving over one million records) now cost companies an average of $50 million, an increase of 20% from 2019. Organizations also need to be wary of an increasing amount of state-sponsored hacking, though this tends to be directed at specific industries of interest for espionage and sabotage.
Rise in claims linked to GDPR
In terms of regulation, Allianz ties the implementation of the General Data Protection Regulation (GDPR) in the EU to a rise in claims between March 2019 and May 2020. This is not just in terms of fines, but also class action lawsuits provided for by both the GDPR and the California Consumer Privacy Act. This segment of cyber claims is also expected to grow as new laws of this nature continue to come online around the world.
The report recommends incorporating “desktop exercises” (also called “tabletop exercises”) into incident response training. These scenario-based walkthroughs test business continuity by simulating a business interruption (such as a malware or ransomware incident) and rehearsing the response: what resources are on hand and how each situation should be handled. Some insurers will take part in these exercises, walking customers through the expected cyber claim process so that they have realistic expectations to work from.