The European Union’s (EU’s) General Data Protection Regulation (GDPR) is expected to result in a further surge in data breach and other security failure insurance claims, according to a new study by AIG Europe.
The cyber re/insurance industry already experienced a record-breaking year in 2017, receiving as many cyber claim notifications as in the previous four years combined.
AIG found that over a quarter of European cyber claims received in 2017 cited ransomware as the primary cause of loss (up from 16% in 2016), followed by data breach (12%), security failure or unauthorised access (11%), and impersonation fraud (9%).
Human error also continues to be a significant factor in most cyber claims, although the proportion of claims caused by employee negligence fell marginally to 7% in 2017.
Mark Camillo, Head of Cyber for EMEA at AIG, said: “The arrival of GDPR will become another tool for negotiation by extortionists. They will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences could be more significant under the new regime.
“Companies will be more inclined to report breaches, leading to an increased impact on the volume of cyber claims. This was seen in the US after state breach notification laws came into effect and where nearly every high-profile cyber breach is met with at least one class action lawsuit.”
AIG’s report also concluded that no sector was immune to cyber attack, as insureds in eight previously unaffected sectors made cyber claim notifications over 2017.
Professional and financial services were found to be the most commonly affected sectors, with each accounting for 18% of overall claims, followed by retail (12%), business services (10%), and manufacturing (10%).
Camillo explained: “There is a continuing trend, whereby a larger number of notifications each year are coming from an increasingly broad range of industry sectors and not just those traditionally associated with cyber risk. This reflects the fact that many of the recent ransomware attacks have been indiscriminate in terms of which industry they hit.
“Professional services have become more of a target. Solicitors and accountants with large databases of clients are attractive to cyber-criminals because of the quality of the data they hold, and are vulnerable to cybercrimes that target regular financial transactions.”
Camillo suggested that cyber insurance would continue to play an increasingly important role in mitigating the financial consequences of operating in an interconnected and digital marketplace, even as companies become more aware of cyber risks and implement better cyber hygiene.
He recommended that, to become cyber resilient, organisations need to “prepare and practise their response, implement a robust cyber risk strategy and ensure they are indemnified for the full range of cyber exposures, including network interruption.”






