Cyber risks, such as IT outages, ransomware attacks or data breaches, rank as the most important risk globally (34% of responses) for the second year in succession – the first time this has occurred.
The most important business risks for the next 12 months and beyond, based on the insight of 2,712 risk management experts from 94 countries and territories.
Given cyber crime incidents are now estimated to cost the world economy in excess of $1trn a year [1] – around 1% of global GDP – it perhaps should come as no surprise that cyber risk is the top customer concern in this year’s Allianz Risk Barometer, selected by more than a third of all respondents. In addition to being voted the top risk globally, cyber incidents also rank as the top peril in 19 different countries. It is the risk small companies are most concerned about and the cause of business interruption companies fear most, while cyber security resilience ranks as the most concerning environmental, social, and governance (ESG) risk trend.
  Ranking history globally:
 
  • 2023: 1 (34%)
  • 2022: 1 (44%)
  • 2021: 3 (40%)
  • 2020: 1 (39%)
  • 2019: 2 (37%)
  • 2018: 2 (40%)
  Top risk in:
 
  • Argentina
  • Austria
  • Belgium
  • Canada
  • Colombia
  • Denmark
  • Finland
  • France
  • India
  • Italy
  • Japan
  • Portugal
  • Spain
  • Switzerland
  • UK
“For many companies the threat in cyber space is still higher than ever,” says Scott Sayce, Global Head of Cyber at AGCS and Group Head of the Cyber Center of Competence. “The conflict in Ukraine and wider geopolitical tensions are reshaping the cyber risk landscape, heightening the risk of a large-scale cyber-attack, according to respondents. The frequency of ransomware attacks remains high, with losses increasing as criminals hone their tactics to extort more money, while the average cost of a data-breach is at an all-time high. At the same time, attacks are not just restricted to large companies, increasingly we see more small and mid-size businesses impacted. Then, there is also a growing shortage of cyber security professionals, which brings challenges when it comes to improving security.”

According to Allianz Risk Barometer respondents, a data breach is the exposure which concerns companies most (53%), given data privacy and protection is one of the key cyber risks and related legislation has toughened globally in recent years. Such incidents can result in significant notification costs, fines and penalties, and also lead to litigation or demands for compensation from affected customers, suppliers and data breach victims, notwithstanding any reputational damage to the impacted company. The average cost of a data breach reached an all-time high in 2022 of $4.35mn [2], according to IBM’s annual cost of a data breach report, and is expected to surpass $5mn in 2023, although these numbers constitute small change compared to the costs that can be involved in ‘mega breach’ events. An increase in data breaches is expected this year, cyber security firm Norton Labs predicts [3], as criminals are finding ways to breach standard multi-factor authentication technologies. An increase in ransomware attacks ranks as the second most important concern (50%).

Around the world, the frequency of attacks remains high, as do related claims costs. The cost of ransomware attacks has increased as criminals have targeted larger companies, supply chains and critical infrastructure – in April 2022 an attack impacted around 30 institutions of the government of Costa Rica, crippling the territory for two months [4]. Double and triple extortion attacks are now the norm – besides the encryption of systems, sensitive data is increasingly stolen and used as leverage for extortion demands to business partners, suppliers or customers.

Top four answers

Source: Allianz Risk Barometer 2023
Figures represent the percentage of answers of all participants who responded (925). Figures do not add up to 100% as more than one risk could be selected. 

Recent years have seen more large businesses and corporations boosting their investment in cyber security tools as awareness has increased and cyber risk has become a boardroom topic and a management responsibility. An unexpected consequence of this trend is that the number of small and mid-size businesses being impacted by a cyber incident is growing as those with weak controls are easily hit by hackers in search of ‘low hanging fruit’ – bringing financial rewards for little effort, according to Sabrina Sexton, Head of Global Cyber SME and Mid-Corporate, Cyber Center of Competence at Allianz.

The consequences for these firms are often much more severe given the lack of financial and employee resources that they have access to compared with large corporations. During 2021, the FBI’s Internet Crime Complaint Center received 847,376 complaints regarding cyber-attacks and malicious cyber activity with nearly $7bn in losses [5], the majority of which had targeted small businesses.

“Most cyber incidents in the SME sector are ransomware attacks but increasingly we also see social engineering scams and ‘deep fake’ attacks,” explains Sexton. “Smaller companies can also be highly exposed to supply chain attacks as they often purchase software program licenses of much larger organizations or vendors.” Failure of digital supply chains or cloud service platforms (35%) is the third most important cyber risk concern for Allianz Risk Barometer respondents.

With all these challenges it is unsurprising that demand for cyber security experts is growing. More and more companies are looking to employ cyber security specialists, but supply is not keeping up with demand. According to Cybersecurity Ventures the number of unfilled cybersecurity jobs worldwide grew 350% between 2013 and 2021 to 3.5 million [6] – enough to fill 50 large football stadiums.

At the same time, IT service providers and consulting firms that conduct forensic examinations of cyber incidents and restore systems are running out of capacity. In Germany, The Federal Office for Information Security (BSI) [7] has warned of a “fundamental shortage” of personnel for incident response services. For those who are available to help, surging inflation is increasing their cost. Ultimately, such conditions will affect the ability of some companies to make improvements to cyber security or respond effectively to an incident.

“At AGCS our risk assessment experience shows that a number of companies still need to improve areas of cyber hygiene such as frequency of IT security training, cyber incident response plans and cyber security governance,” says Sayce. “Incident response is critical as the cost of a claim quickly escalates once business interruption kicks in.”

“It is clear that organizations with good cyber maturity are better equipped to deal with incidents. It is not typical to see companies with strong cyber maturity and security mechanisms suffer a high frequency of ‘successful’ attacks. Even where they are attacked, losses are usually less severe.”

The good news is that insurers are now having very different conversations with firms on the quality of cyber risk compared to just a couple of years ago. This means they are gaining much better insights which can, in turn, help to provide more value through offering useful information and advice to customers and companies of all sizes, such as which controls are most effective or where to further improve risk management and response approaches. 

Today’s insurers have a role that goes beyond pure risk transfer, helping clients adapt to the changing risk landscape and raising their protection levels. The net result should be fewer – or less significant – cyber events for companies and fewer claims for insurers.

Cyber incidents are also the cause of business interruption (BI) that Allianz Risk Barometer respondents fear most (45%), reflecting ongoing concern for disruption caused by ransomware attacks, IT system and cloud outages and the threat of cyber war. Severe BI can result from a wide range of cyber-related triggers, including malicious attacks by criminals or state-backed hackers, human error or technical glitches. According to Allianz analysis of cyber-related insurance industry claims that it has been involved with over the past five years, BI is the main cost driver for 57% of claims globally and is a significant driver for the rising severity of claims, including from ransomware attacks, which have proliferated in recent years. Hackers increasingly target both digital and physical supply chains providing opportunities to simultaneously attack multiple companies and gain additional leverage for extortion.

Cyber BI exposures are also growing with the trend for digitalization, as companies introduce new technology while living with the legacy of aging IT infrastructure and software. Fast-paced technology transformation can introduce new risks to business models without appropriate protections, says Marianna Grammatika, a Regional Head of Risk Consulting at AGCS: “Digital risks are intangible, often not well understood and can be difficult to quantify. While the drive to have more efficient processes is positive, companies need to implement technology with the right balance of protection against cost.”

Top five answers

Source: Allianz Risk Barometer 2023
Figures represent the percentage of answers of all participants who responded (917). Figures do not add up to 100% as more than one risk could be selected. 

[1] McAfee and Center for Strategic and International Studies (CSIS), The Hidden Costs of Cyber Crime
[2] IBM, How much does a data breach cost in 2022
[3] Norton Labs reveal cybersecurity predictions for 2023, December 1, 2022
[4] Wired, Conti’s attack against Costa Rica sparks a new ransomware era, June 12, 2022
[5] FBI’s IC3 report: financial losses due to email fraud hit record high in 2021, March 29, 2022
[6] CyberSecurity Ventures, Cybersecurity Jobs Report: 3.5 Million Openings In 2025, November 9, 2021
[7] Handelsblatt, Dangerous personnel shortage in cyber defense, December 23, 2022
