Allianz Risk Barometer 2020 - Cyber incidents 

“More and more events – from leaving a laptop with confidential data on a train to losing a customer list – can constitute a data breach,” says Marek Stanislawski, Deputy Global Head of Cyber at AGCS.

“It is estimated that anywhere between 50% and 90% of breaches are caused or abetted by employees, be it by simple error or by falling victim of phishing or social engineering.

Welltrained and vigilant employees can become an extension of a company’s cyber security team and help form a much firmer perimeter around the company’s assets.”

As companies collect and use ever greater volumes of personal data, data breaches are becoming larger and costlier. In particular, so-called mega data breaches (involving more than one million records) are more frequent and expensive. In July 2019, Capital One revealed it had been hit by one of the largest ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach is by no means the largest in recent years.

Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to have involved the personal data of over 300 million and 140 million customers respectively. Both companies faced numerous law suits and regulatory actions in multiple jurisdictions – the UK’s data protection regulator intends to fine Marriott £100mn ($130mn) for the breach, among the earliest and largest fines under the EU’s new privacy laws to date.

In the same month – July 2019 – British Airways was provisionally fined £183mn ($240mn) for a data breach impacting 500,000 customers in 2018. 

According to the EU’s law enforcement agency, Europol, ransomware is the most prominent cyber crime threat. Already high in frequency, incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. “Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions,” says Stanislawski.

The consequences of an attack can be crippling, especially for organizations that rely on data to provide products and services. Extortion demands are just one part of the picture. Business interruption brings the most severe losses from ransomware attacks and in some cases ransomware is a smoke screen for the real target, such as the theft of personal data. Industrial and manufacturing firms are increasingly targeted but losses tend to be highest for law firms, consultants and architects, for which IT systems and data are their life blood.

Incidents such as those featuring the Ryuk malware have emerged as a key driver for cyber insurance claims in recent years. Named after a fictional manga character, it was first reported in August 2018 and has been responsible for multiple attacks against large companies, hospitals and local governments globally.

Business email compromise (BEC) – or spoofing – attacks are increasing in frequency. BEC incidents have resulted in worldwide losses of at least $26bn since 2016 according to the FBI in the US.

Such attacks typically involve social engineering and phishing emails to dupe employees or senior management into revealing login credentials or to make fraudulent transactions.

Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected consumers, business partners and investors. When they do, legal expenses can add substantially to the cost.

Data breach litigation in the US is a developing situation. A number of large breaches have triggered class actions by consumers or investors – in July 2019, Equifax reached a $700mn settlement for its 2017 mega breach. US courts have been battling the questions of “legal standing” – whether claimants have the right to sue – but the trend appears to be favoring plaintiffs. Statutory and regulatory changes could also facilitate compensation for data breaches. The California Consumer Privacy Act, for example, provides a mechanism for consumers to sue businesses and – in a first for the US – sets statutory damages for data breaches.

Outside the US, a number of countries have expanded group action litigation rights. For example, in Europe, the GDPR makes it easier for victims of a data or privacy breach to seek legal redress. In addition, claimant law firms and litigation funders are actively looking to bring class actions for data breaches in Europe and elsewhere – a class action against British Airways following its 2018 data breach was recently given the goahead in the UK courts. Consumer groups are also looking to test the GDPR and challenge some organizations’ interpretation of the new law.

Cyber exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data breaches. For example, the 2018 Marriott breach was traced to an intrusion in 2014 at Starwood, a hotel group it acquired in 2016. Even the best protected companies will be exposed if they acquire a company with weak cyber security or existing vulnerabilities. The acquiring firm could be liable for any damage from incidents which pre-date the merger.

Ultimately, considering potential cyber vulnerabilities and exposures needs to become a higher priority for businesses during M&A, as many companies are not doing enough due diligence in this area. At the same time, once a deal has been completed many companies do not address any weaknesses in acquired systems quickly enough.

The involvement of nation states in cyber-attacks is increasing risk for companies, which are being targeted for intellectual property or by groups intent on causing disruption or physical damage. For example, growing tensions in the Middle East have seen international shipping targeted by spoofing attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware campaigns.

Sophisticated attack techniques and malware may also be filtering down to cyber criminals while nation state involvement is providing increased funding to hackers. Even where companies are not directly targeted, statebacked cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack primarily targeted the Ukraine but quickly spread around the world.