Data exfiltration, 'non-attack' privacy events fuel uptick in cyber claims: Allianz

By: Karla Tecson, Front Page News

Cyber insurance claims surged in the first half of 2024, driven by a spike in data and privacy breaches, according to Allianz Commercial’s Cyber Security Resilience 2024 report.

Large cyber claims, those exceeding €1 million, jumped14% in frequency and 17% in severity in the first six months of 2024. While large claims rose 41% in frequency in 2023, severity rose just 1%. Two-thirds of these large claims involved data and privacy breaches.

Data breaches have always been a key cyber risk, but they had fallen out of focus amid the rash of ransomware attacks since 2020, Allianz reported.

“The growing significance of data breach losses among cyber insurance claims is driven by a number of notable trends,” said Michael Daum, global head of cyber claims, Allianz Commercial, adding, “A rise in ransomware attacks including data exfiltration is a consequence of changing attacker tactics and the growing interdependencies between organizations sharing ever more volumes of personal records. At the same time, the evolving regulatory and legal environment has brought an uptick in so-called ‘non-attack’ data privacy-related class action litigation, resulting from incidents such as wrongful collection and processing of personal data – the share of these claims has tripled in value in two years alone.”

“Non-attack” and data privacy regulation and litigation-related claims expanded from 7% of claims in 2022 to 14% in 2023 and 21% in the first half of 2024, according to the report.

With regulators and litigants focused on data privacy, organizations must “redouble” efforts to safeguard the data they hold, Allianz said. For its part, the insurance industry “must also step up its focus on data privacy, replicating recent successes in ransomware, providing loss prevention and mitigation advice, such as early detection and response to this increasingly important area of cyber exposure,” Allianz noted.

Exfiltration expands data risk

As encryption-based ransomware attacks have become more challenging now that companies are backing up their data, cybercriminals increasingly exfiltrate data for added leverage.

“Data exfiltration has been a real game changer. The theft of personal and sensitive corporate data puts organizations in the public eye, and ratchets up the pressure, leading to more successful extortion attempts for cyber criminals as companies are more likely to pay ransom demands to protect customers’ personal data,” Daum said.

Allianz found data exfiltration to be the key loss driver in about a third of all ransomware-related claims. It also tends to result in higher ransom payments -- companies are two-and-a half times more likely to pay a ransom if data is exfiltrated, on top of the encryption, according to Allianz’s analysis of claims activity.

“The gap between business interruption (usually the most expensive cost driver of cyber-related losses) and data breach claims has been closing with the increase in data exfiltration,” said Marek Stanislawski, global cyber underwriting lead for Allianz, in the report. “Typically, what starts as a ransomware loss escalates into a data privacy event, once it is revealed that attackers have stolen personal data. This can lead to a large claim involving regulatory fines, notification costs and potentially third-party litigation, in addition to extortion demands, first party costs and any potential business interruption from the ransomware attack.”

The proverbial hydra

While the rise of non-attack claims has reduced ransomware’s share among large losses by around 15%, Allianz’s analysis showed that the latter remains a significant and persistent threat, accounting for 58% of the value of large cyber claims in the first six months of 2024.

“Ransomware is like the proverbial Hydra. Each time you cut off its head, another one grows back in its place. Each time a ransomware gang is taken down, you can be 100% sure that another will replace it, and that its members will reorganize and establish a new group,” Daum noted.

Allianz experts urged the cyber insurance industry to pay close attention to data privacy regulation and litigation trends and for organizations to boost their security.