Cyber claims: Stabilization trend threatened by mass attacks and data exfiltration

Ransomware and extortion-based attacks account for more than 80% of claims against standalone cyber policies.

Improvements in cybersecurity and business continuity are helping to combat encryption-based ransomware attacks, yet the cyberthreat landscape is continually evolving. This year has seen a worrying resurgence in ransomware and extortion claims, resulting in an uptick in costly incidents. Although progress is being made, this spike in attacks demonstrates that the threat posed by ransomware shows little sign of abating.

Reports note that the number of ransomware victims surged by as much as 143% globally during the first quarter of 2023, with January and February seeing the highest number of hack and leak cases in three years. Ransomware alone is projected to cost its victims approximately $265 billion annually by 2031.

Hackers are increasingly targeting IT and physical supply chains, launching mass cyberattacks and finding new ways to extort money from companies large and small. Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, adding further cost and complexity, as well as the increased potential for reputational damage and third-party liability. Allianz analysis of a number of large insurance industry cyber losses shows that the proportion of cases in which data is exfiltrated is increasing every year — from 40% of cases in 2019 to around 77% of cases in 2022, with 2023 on course to surpass last year’s total.

Cyber claims trends

Following a significant spike in ransomware losses in 2020 and 2021, the frequency of cyber insurance claims stabilized last year, reflecting improved cybersecurity and risk management actions among insured companies — such as the use of multifactor authentication or more effective backup strategies, which made encryption-based ransomware less effective and reduced the business interruption impact. At the same time, law enforcement agencies targeting gangs, together with the Ukraine-Russia conflict, also helped curtail ransomware activity.

However, ransomware groups have changed tactics, with an increase in data exfiltration, and mass cyberattacks that have exploited weaknesses in IT supply chains. In just one example, the MOVEit mass cyberattack affected over a thousand companies earlier this year and contributed to the increase in the frequency of claims in 2023.

Ultimately, ransomware and extortion-based attacks remain the largest source of cyber insurance claims by volume and frequency, accounting for more than 80% of claims from standalone cyber policies alone.

Privacy and liability risks on watch

In addition to extortion claims, there has also been an uptick in the number of data privacy claims in the U.S. related to biometric information, such as voice or fingerprint data, as organizations increasingly capture this information to improve online security. At the same time, many track personal information such as location, health or behavior, as part of their product and service offering, or to aid sales and marketing.

The U.S. does not have a federal law covering data privacy, but a number of states have implemented strict laws, such as the California Privacy Rights Act and the Illinois Biometric Information Privacy Act. Meanwhile, the number of data privacy and data breach class action lawsuits continues to rise as plaintiffs see this as a potentially lucrative and expanding area of litigation.

Privacy laws, court judgements and awards are still a work in progress, making it difficult for companies and insurers to assess data privacy liability exposures, which are less predictable than more established casualty lines.

Data exfiltration and inflation drive up claims costs

More sophisticated attacks and inflation are increasing the cost of large cyber losses. The size and complexity of an organization and its IT infrastructure are key factors contributing to the cost of large cyber claims. Once a cyberattack progresses past a certain point, the combination of first-party restoration costs, business interruption and third-party liability easily results in a large loss. Business interruption remains the key loss driver for ransomware attacks, as it does for many forms of cyberattack — Allianz analysis shows that it accounts for 50% of all cyber-related losses by value.

Managing cybersecurity throughout a large organization is very challenging, with different business units, suppliers and locations around the world as well as mergers and acquisitions. You might be 99% cyber-safe, but if there is one open door, it’s likely that attackers will find it. That is a scenario we have seen quite frequently, and once a large organization is hit, it often results in a large loss.

Alongside an increase in data exfiltration, first-party recovery and response expenses are rising, while the cost of notification and third-party liability can also be significant. The average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years, according to the IBM Cost of a Data Breach 2023 report.

Exfiltration incidents carry higher reputational risks and are a bigger drain on the resources of the company and leadership, making effective data breach response critical. In the past, the ratio of claims that went public was much lower. With data exfiltration, hackers threaten to publish stolen data on dark forums, so the stress level is much higher. With the increased level of public scrutiny and pressure, preparation is more important than ever before. It’s also why you need legal and PR experts working on this. We are seeing more claims where this support is needed, because cyberattacks are playing out more in the public sphere.

Indeed, Allianz analysis of a number of larger insurance industry cyber losses (>$1.06 million) between 2019 and the end of the first half of 2023 shows that the proportion of cases becoming public increases from year to year. In 2019 this totaled 60%, rising to 85% in 2022, with 2023’s total on course to surpass this.

The importance of detection and response

Preventing a cyberattack is becoming harder and the stakes higher. As a result, early detection and response capabilities are becoming ever more important. An intrusion can quickly escalate, and once data is encrypted and/or stolen, the consequences and costs snowball. Allianz analysis of claims notifications shows that breaches that were not detected and contained early, and therefore ultimately involve data exfiltration, can be as much as, or even more than, 1,000 times more expensive than those that were.

Ultimately, developing early detection and effective response capabilities will be key to mitigating the impact of cyberattacks and ensuring a sustainable insurance market going forward.

Michael Daum is global head of cyber claims at Allianz Commercial based in Munich.

Marisa Anthony is senior complex claims analyst, cyber in North America for Allianz Commercial based in Florida.

Opinions expressed here are the authors’ own. 

Download the Allianz Commercial Cyber Security Trends 2023 report.