Cyber claims and losses are on the rise, and one of the most dangerous cybersecurity threats companies face comes from within. Although external attacks result in the most cyber insurance losses, employee mistakes and technical problems result in the most claims by number, according to a new report by Allianz Global Corporate & Specialty (AGCS).
Between 50 and 90 percent of data breaches are caused or abetted by employees, either through simple errors or falling victim to phishing or social engineering, according to the report. Meanwhile, companies are facing increasingly sophisticated and expensive cyber attacks, as hackers are now commercializing malware and selling it to other hackers to target companies and extort ransoms.
To make matters worse, the COVID-19 pandemic has exposed new vulnerabilities that hackers are learning to exploit as companies have been forced to transition their workforces to remote operations. Although the pandemic is not a direct cause of cyber-related claims, exposures have been rising this year, particularly ransomware and business email compromise (BEC) incidents, said AGCS.
Cyber risk is fast-changing and ever-evolving, making it difficult and expensive for companies and insurers to combat. AGCS outlined the following trends in cyber risk:
1. Remote work. The largest work-from-home situation in history is forcing companies to provide easier access to systems and software for newly remote workers amid COVID-19, and IT security standards are often being lowered or suspended. Cloud usage, personal device usage, and unvetted apps and platforms pose the biggest risk, said AGCS.
Bottom line: Malware and ransomware incidents have increased by more than one-third since the start of the pandemic.
2. Business disruption. Business disruption is the main cost driver in cyber claims, primarily in the form of downtime and data recovery costs. The situation is exacerbated by the increasing reliance on digital supply chains, which provide a variety of business benefits but also increase the risk that a chain reaction could impact entire sectors and multiple companies that rely on shared systems.
Bottom line: Cyber and business interruption now rank as the top two risks for companies on Allianz’s 2020 risk barometer.
3. Ransomware. Ransomware has now become the most prominent cyber-crime threat as incidents are becoming more frequent, sophisticated and financially damaging. Five years ago, ransomware demands were typically tens of thousands of dollars; today they can be in the millions, said AGCS.
Bottom line: There were nearly half a million ransomware infections reported worldwide last year, costing organizations at least $6.3 billion in ransom demands and more than $100 billion in costs to deal with such attacks.
4. Spoofing. Business email compromise, or spoofing, is surging and will likely continue to grow. BEC incidents typically involve phishing or social engineering to dupe employees into revealing login credentials or making fraudulent transactions. These attacks are becoming more sophisticated as hackers use compromised emails and spoofed accounts to imitate senior management, vendors and customers and are now attempting to steal not only money but also valuable data.
Bottom line: Spoofing has resulted in worldwide losses of at least $26 billion since 2016.
5. Lawsuits and fines. Technology advances, regulation and litigation are making dealing with data breaches more expensive. When companies are hit with a breach, lawsuits almost inevitably follow along with fines. When Capital One faced a data breach last year, the company was fined $80 million by bank regulators.
Bottom line: A mega breach now costs an average of $50 million, up 20 percent from last year.
6. Notification requirements. Increasing data protection and privacy regulation is creating more stringent requirements and higher penalties. All 50 states have now enacted data breach notification requirements, and several countries have followed suit. Some data protection regulations now require companies to gain consent before using data, explain how data will be used, and erase data upon request.
Bottom line: Companies face increased liability for data breaches and use of data along with stricter enforcement.
7. Regulatory changes. In addition to triggering regulatory action, large data breaches increasingly prompt a legal response from affected consumers, businesses, partners and investors. Statutory and regulatory changes could also pave the way for compensation for data breaches.
Bottom line: U.S. courts have been grappling with the question of whether claimants in data breach incidents have a right to sue, but the trend appears to favor plaintiffs.
8. Vulnerability from M&As. Merger and acquisition activity creates vulnerabilities. Even well-protected companies can acquire exposures when buying a company, and acquiring firms can be held responsible for damage from incidents that pre-date the merger.
Bottom line: Considering cyber vulnerabilities and exposures should be part of M&A due diligence.
9. Government-sponsored hackers. Nation states are joining the ranks of hackers. Companies are being targeted for intellectual property or by groups seeking to cause disruptions or physical damage for political gain.
Bottom line: Google said it has blocked more than 11,000 government-sponsored potential cyber attacks per quarter this year, ranging from phishing campaigns to distributed denial of service (DDoS) attacks.
Kristen Beckman is a freelance writer based in Colorado. She previously was a writer and editor for ALM’s Retirement Advisor magazine and LifeHealthPro online channel. She also was a reporter for Business Insurance magazine covering workers compensation topics. Kristen graduated from the University of Missouri with a degree in journalism.