AIG Europe is expecting a surge in data breach and other security failure claims following the recent enforcement of the EU’s General Data Protection Regulation (GDPR), as the carrier found that ransomware accounted for over a quarter of its cyber claims in 2017.
In a report on the cyber claims market, AIG head of cyber for EMEA Mark Camillo that the fines facing firms that breach GDPR could provide leverage to hackers using ransomware, stating that the new law is likely to become “another tool for negotiation by extortionists”.
“They will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences could be more significant under the new regime,” he said.
“Companies will be more inclined to report breaches, leading to an increased impact on the volume of cyber claims. This was seen in the US after state breach notification laws came into effect and where nearly every high-profile cyber breach is met with at least one class action lawsuit,” he added.
Ransomware accounted for 26 percent of cyber claims at AIG Europe in 2017, a significant rise from the 16 percent of claims it accounted for between 2013 and 2016, reflecting an increased incidence of such attacks worldwide.
Data breaches by hackers caused a further 12 percent of cyber losses, with security failures or unauthorised access accounting for 11 percent of claims.
AIG said that while the proportion of claims caused by employee negligence declined slightly to 7 percent in 2017, human error “continues to be a significant factor in the majority of cyber claims”.
The carrier also warned that no industry is immune to cyberattack, as insureds in eight previously unaffected sectors made cyber claim notifications for the first time in 2017.
Nonetheless, professional and financial services were found to be largest contributors to cyber claims, with each accounting for 18 percent of overall losses, followed by retail (12 percent), business services (10 percent), manufacturing (10 percent).
Camillo explained: “There is a continuing trend, whereby a larger number of notifications each year are coming from an increasingly broad range of industry sectors and not just those traditionally associated with cyber risk. This reflects the fact that many of the recent ransomware attacks have been indiscriminate in terms of which industry they hit”.
He added that professional services have become more of a target, with the proportion of claims emanating from these types of firms tripling since 2013-2016.
“Solicitors and accountants with large databases of clients are attractive to cyber-criminals because of the quality of the data they hold and are vulnerable to cybercrimes that target regular financial transactions,” he said.