The rise of ‘non-attack’ data claims in a changing cyber landscape

The rise in “non-attack” data claims as privacy litigation ramps up globally has been listed as the top trend in Allianz Commercial’s annual cyber risk outlook, underscoring the urgent need for companies to reassess their data governance standards, improve transparency regarding consumer data usage, and strengthen vendor cybersecurity practices.

According to the Allianz Commercial Cyber Security Resilience 2024 report, the frequency of large cyber claims exceeding €1 million (about R19.1m) rose by 14% in the first half of 2024, with severity increasing by 17%. Notably, data and privacy breaches are present in two-thirds of these large losses. Following a 30% increase in claims during 2023, the total number of cyber claims is expected to stabilise in 2024, with more than 700 claims already reported.

The report indicates that breaches of data privacy regulations have significantly influenced cyber insurance claims in the past two years. The share of “non-attack” (privacy) data breaches, including wrongful data collection, surged from 7% in 2022 to 14% in 2023, further climbing to 21% in the first half of 2024.

“In the past, these claims were rare, but now they make up a significant proportion of claims,” said Michael Daum, global head of cyber claims at Allianz Commercial.

He noted that the costs of some data privacy breach claims can rival or exceed those of ransomware incidents: “A major data privacy breach can generate losses of a magnitude we are not used to in the cyber insurance market.”

“Non-attack” data breaches can include consumer behaviour tracking, improper data collection, and sharing data without user consent. The report attributes the rise in these claims to technological advancements, the increasing commercial value of personal data, and a complex regulatory environment.

In the United States, privacy regulations that are less prescriptive than the European Union’s General Data Protection Regulation (GDPR) create fertile ground for class action litigation. “Data has become extremely valuable, and companies can be tempted to push boundaries in pursuit of their commercial interests,” Daum said.

Data breaches have become a leading cause of class action litigation in the US, with more than 1 300 cases filed in 2023 – more than double the number from 2022.

Industries such as healthcare and social media have faced lawsuits for using tracking tools, while the top 10 data breach class action settlements last year totalled $516m (about R9.64 billion), a significant rise from $350m (about R6.54bn) in 2022.

The risk of data breach litigation is also increasing in Europe, driven by heightened awareness of data protection rights and more accessible third-party litigation funding. Although mass data privacy claims in Europe may not match the scale of those in the US, the potential exists, the report stated.

Tresa Stephens, head of cyber for North America at Allianz Commercial, emphasised the need for insurers to adapt: “In discussions with clients, it is critical we understand their data governance standards and how transparent they are when it comes to their use of consumers’ data.”

Marek Stanislawski, global cyber underwriting lead at Allianz Commercial, added: “We need to replicate the success we have had in addressing ransomware in the data privacy space.”

Ransomware: slaying the Hydra

Ransomware continues to be the top cause of cyber insurance loss. During the first six months of 2024, it accounted for 58% of the value of large cyber claims. However, improved cyber security and backup strategies are helping insured companies better withstand attacks, the report stated.

Daum likened ransomware to the proverbial Hydra. “Each time you cut off its head, another one grows back in its place. Each time a ransomware gang is taken down, you can be 100% sure that another will replace it, and that its members will reorganise and establish a new group,” he said.

Attacks are also becoming more sophisticated and targeted, with cybercriminals using artificial intelligence (AI) to automate attacks and encryption to avoid detection. Mirroring the wider digital economy, cybercriminals are also becoming more interconnected, outsourcing and sharing specialist skills and services.

The number of ransomware attacks increased by an average of 75% in 2023, according to Allianz Commercial’s analysis of cyber threat intelligence from tech providers.

For the first time, total ransomware payments exceeded $1bn (about R18.67bn) in 2023, according to Chainalysis.

Allianz Commercial has observed a stabilisation of ransomware claims in 2024, after several years of increases. According to Daum, the positive trend is an indicator that insurers’ recommendations and insureds’ cyber security are working.

“During the first half of 2024, the impact of ransomware activity was quite stable. Due to the increase of ‘non-attack’ claims, the ransomware share among large losses has decreased by about 15%,” said Daum. “This positive trend in our portfolio reflects investments in cyber security, supported by risk assessments and our recommendations. So, while the ransomware threat persists, we appear to have stopped the upward trend of recent years.”

Analysis of Allianz claims data shows that insured companies fared better than businesses as a whole, demonstrating the value of informed investment in cyber security.

From data breaches to data security

Despite a general trend for increased investment in cyber security in recent years, the report stated that many data breaches, including some of the largest mass data exfiltration cyber-attacks over the past 18 months, were the result of weak cyber security within organisations and/or their supply chains.

Such incidents can lead to a large claim involving regulatory fines, notification costs, and third-party litigation, in addition to extortion demands, first-party costs and business interruption.

Vanessa Maxwell, global head of cyber and financial lines at Allianz Commercial, said the insurance industry needs to step up its focus on the data privacy side of cyber risk and has a key role to play in offering loss prevention and mitigation advice to businesses about this increasingly important area of exposure.

“The value of cyber insurance goes well beyond the payment of claims. Insurance helps companies make the business case for cyber security investment and to direct their resources towards the most effective measures,” said Maxwell.

The report noted that data breach risks are best mitigated through good cyber hygiene, including strong access controls, database segregation, backups, patching, and training. Having better oversight of any cyber weaknesses in their supply chains is an area where many companies need to improve.

Rishi Baviskar, global head of cyber risk consulting at Allianz Commercial, said early detection and response capabilities are also key.

“Around two-thirds of breaches are typically reported by a third party or by the attackers themselves,” he said. “Cyber breaches that are not detected and contained early can end up being 1 000 times more expensive than those that are, the difference between a €20 000 loss turning into a €20m one.”

Baviskar said AI is becoming an essential tool in the fight against cyber-attacks, because it can quickly identify a security breach and automatically isolate systems and databases.

“As well as having the potential to significantly reduce the cost and life cycle of a data breach claim by automating tasks, such as forensics and notifications, potentially saving companies millions of dollars.”