Released in January, Kroll’s Data Breach Outlook report for 2023 reveals emerging trends in the ways cyberattackers operate — including which industries they target most frequently — and suggests areas of particular concern to insurers in the cyber sector.

Kroll, a risk and financial advisory solutions provider, handles thousands of data breach cases each year, and the report’s findings are based on the firm’s own data.

“Having seen market data, the number of breaches seems to be steady,” said David White, the report’s author and Kroll’s global head of breach notification, cyber risk.

But while the volume may be steady, the pattern of breaches is constantly changing: “The industry has seen an increase in third-party breaches, where a company is impacted by a breach suffered by one of its suppliers,” White explained. “This is very common when software companies suffer a breach, for example.”

Although ransomware attacks demanding millions in cryptocurrency tend to dominate headlines, data breaches remain a serious threat. “There are two threats from a data breach,” White said. “Firstly for the company, and secondly for the individual. For the company, the loss of data has a financial and reputational impact which may last years and could include regulatory fines and potential litigation.”

And for the individual, White said, “their confidential information may be used by criminals for nefarious purposes. Personally identifiable information (PII) such as names, addresses and social security numbers can be sold on the dark web to cybercriminals and have been used to impersonate victims to set up bank accounts and take out credit, among other fraudulent activities.”

Changing Targets

According to the report, health care overtook finance as the most breached industry in 2022, accounting for 22% of the breaches Kroll handled — a 38% year-over-year increase.

While the causes for this shift are as arcane as they are complex, the ongoing stress the pandemic has inflicted on the health care industry is a likely factor. “There are many reasons why data breaches can occur,” White said, “ranging from poor processes, system failures and human error to cyberattacks.”

David White, global head of breach notification, cyber risk, Kroll

Thanks to the concentration of breaches in health care, the finance industry accounted for a smaller fraction of cases than in previous years, despite the fact that reports in the finance industry remain high, though these figures may be bolstered by new regulations that obligate companies to disclose when a data breach has occurred.

Insurance, meanwhile, dropped out of the top five most breached industries in 2022. “Given the nature of data breaches, we will see industries move in and out of the top five,” White explained. “That said, insurance is still an industry impacted by data breaches. Insurance still accounted for 2% of all data breaches seen by Kroll (compared to 6% in 2021), and is likely still facing similar challenges in protecting data to the other industries.”

Opinions May Vary

In addition to the total number of incidents reported, the Data Breach Outlook also captures the level of concern that surrounds them. Perhaps unsurprisingly, consumers who experience a breach of their financial data were more likely to respond proactively, while those affected by breaches of their health care data were more nonchalant.

As a result, the health care industry accounted for the largest fraction of data breaches but not the largest fraction of incoming calls.

In fact, health care and finance represented 22% and 19% of all data breaches, respectively, but accounted for 32% and 49% of incoming calls following a breach.

Even while health care became the most affected sector, calls increased by only 19% year over year; in finance, meanwhile, calls increased by 127%.

“There are many factors that influence whether an individual wants to engage about a breach,” White explained. “Factors such as whether the breach was in the media and if there has been any potential class action started to contribute to individuals calling the call center.

“Anecdotal evidence from our investigators shows that individuals fear loss of financial data, as the impact or potential impact is much more tangible and real — for example, if someone’s credit card data is stolen, an individual understands that it can be used. The same cannot be said about loss of health data.”

Neither were health care consumers the most likely to alter their behavior: Among consumers who took up new security measures like identity and credit monitoring after a breach, only 20% had had their health care data compromised, compared to the 69% who had been affected by a breach of finance data.

While affected consumers’ move toward adopting better security represents a noteworthy 66% year-over-year increase in health care, it’s far outpaced by finance’s 126% year-over-year jump.

This is despite the fact that data breaches in all forms can lead to increased risk of identity theft and ultimately fraud.

“There are some very simple and tried and tested methods to stay safe if you think that your personal data has been compromised,” White said. “Changing your passwords and using multifactor authorization, especially for financial and email accounts, are recommended. Reviewing your credit files regularly for suspicious activity is also important. Consumers are also often offered identity and credit monitoring from the company that has been breached. It is wise to take up this offer.”

Different Expectations Lead to Different Reactions

Consumers are demonstrably more concerned with protecting their financial data than they are their personal health care data — perhaps due to the misconception that because cybercriminals are looking for financial gain, financial data is more valuable than health care data.

As a result, consumers tend to judge their financial institutions much more harshly after a data breach than they do their health care providers.

“As data privacy regulations and expectations evolve, so do individual expectations of how a company protects and processes that information,” White said. “It’s easier for an individual to see a tangible impact to themselves with the loss of financial data, whereas it is less obvious with other data.”

But as the report notes, “much of the data gathered from health care organizations — for example, social security numbers — could be used to set up fraudulent accounts and transactions.”

What’s more, White added, “criminals now use data mining and AI to agitate data from various data breaches to then package it up into fuller data sets to be used for nefarious purposes.”

Consumers’ feelings of disappointment following a breach can do more than just reputational damage. “Perhaps the high number of calls and the uptake of identity monitoring from the financial industry indicates that consumers are not only concerned about their data but potentially unhappy about how it has been managed,” the report notes. “It may be wise for those organizations in the finance industry which suffer a breach to get prepared for litigation.”

These patterns in both the incidence of data breaches and consumers’ reactions to them are of direct concern to cyber insurers, and give them “an understanding as to the consumer interaction and likelihood of wanting to be part of mitigation schemes, such as credit or identity monitoring,” White concluded. “This can be directly translated into the insurance cost of an event.” &