The future of cyber insurance: Meeting the demand for non-attack coverage
In this Help Net Security interview, Michael Daum, Head of Global Cyber Claims for Allianz Commercial, discusses the significant rise in cyber claims in 2024, driven by an increase in data breaches and ransomware attacks.
Daum highlights the need for businesses to implement cyber hygiene practices and align their risk management strategies with insurers’ expectations to mitigate financial impacts and reduce premiums.
Cyber claims have risen significantly in both frequency and severity in 2024. What factors do you believe are contributing most to this increase, and how are insurers adapting to this changing risk environment?
Cyber claims have continued their upwards trend over the past year, driven in large part by a rise in data and privacy breach incidents.
Some notable trends include: A rise in ransomware attacks including data exfiltration is a consequence of changing attacker tactics and the growing interdependencies between organizations sharing ever more volumes of personal records. At the same time, the evolving regulatory and legal environment has brought an uptick in so-called ‘non-attack’ data privacy-related class action litigation, resulting from incidents such as wrongful collection and processing of personal data – the share of these claims has tripled in value in two years alone.
With today’s complex web of interconnectivity and reliance on service providers, modeling has become critical. When insurers assess our customers’ risks, we are not just modeling to the insured’s exposure. We are modeling to the extended network, their cloud, software, and digital service providers.
Ransomware accounts for a large percentage of cyber claims, but non-attack data privacy claims are rising. How are these two types of claims impacting the overall insurance market differently?
Ransomware continues to be the top cause of cyber insurance loss. During the first six months of 2024, it accounted for 58% of the value of large cyber claims (>€1mn). However, improved cyber security and backup strategies are helping insured companies better withstand attacks.
While there have been welcome successes for law enforcement and from increased international collaboration, the threat of ransomware will not go away though. The number of ransomware attacks increased by an average of 75% last year, according to Allianz Commercial analysis of cyber threat intelligence from tech providers.
The rise in ‘non-attack’ data privacy claims is the consequence of developments in technology, the growing commercial value of personal data, and a developing regulatory and legal landscape. We are seeing more data privacy breach claims in the US where there is a growing trend for class action litigation against large US and international corporations related to privacy violations, such as around consent and data usage. The cost of some of these claims can be even larger than a ransomware incident, in the hundreds of millions of dollars.
The cost of addressing data breaches, including regulatory fines and class action litigation, continues to climb. What strategies can companies implement to manage the financial impact of such claims better?
Data breach risks are best mitigated through good cyber hygiene, including strong access controls, database segregation, backups, patching and training. Having better oversight of any cyber weaknesses in their supply chains is an area where many companies need to improve.
Early detection and response capabilities are also key. Around two thirds of breaches are typically reported by a third party or by the attackers themselves. Cyber breaches that are not detected and contained early can end up being 1,000 times more expensive than those that are, the difference between a €20,000 loss turning into a €20mn one.
AI is also becoming an essential tool in the fight against cyber-attacks, as it can quickly identify a security breach and automatically isolate systems and databases, as well as having the potential to significantly reduce the cost and life cycle of a data breach claim by automating tasks, such as forensics and notifications, potentially saving companies millions of dollars.
With more organizations investing in cyber insurance, how can they better align their internal cyber risk management practices with insurers’ expectations to reduce their premiums and claim risks?
In addition to cyber security and data breach response capabilities, organizations must also focus more attention on preventing and mitigating data privacy breaches.
Organizations need to adopt a risk-based approach to protecting data, limit access to those people with a business requirement, and use encryption and monitoring for third parties. Data leak prevention tools and user behavior analytics can also help flag up any unusual access or movement of data.
More sensitive private data, like biometric, genetic or health data, should be held to the highest level of cyber security. Organizations that collect biometric data should hold it locally, keep it segregated and encrypted, with tightly controlled access rights, and not shared with third parties.
Allianz Commercial risk assessment already includes data processing elements today, but going forward the scope will increase further, with meaningful advice offered to insureds on how to best avoid data breach losses.
With the growing relevance of AI, risks around consent and unauthorized use of data are increasing. Companies need to make sure that data privacy governance is embedded going forward.
As the scope of cyber insurance evolves to include ‘non-attack’ events, how do you see the coverage needs of businesses changing over the next few years?
The insurance industry must also step up its focus on the data privacy side of cyber risk and has a key role to play in offering loss prevention and mitigation advice to businesses about this increasingly important area of exposure. The value of cyber insurance goes well beyond the payment of claims. Insurance helps companies make the business case for cyber security investment and to direct their resources towards the most effective measures.