Data and Privacy Breaches Fuel Cyber Insurance Claims Surge
Cyber insurance claims, particularly those related to data and privacy breaches, have seen a significant increase in the first half of 2024, with the U.S. accounting for 72% of large claims in H1 2024, according to Allianz Commercial’s annual cyber risk outlook.
The frequency of large cyber claims — those in excess of 1 million euros ($1.1 million) — in the first six months of 2024 was up 14% while severity increased by 17%, according to the insurer’s claims analysis, following just a 1% increase in severity during 2023.
The rise in ransomware attacks and a surge in class action litigation for alleged privacy violations, especially in the U.S., are key contributors to this trend.
Ransomware accounted for 58% of the value of large cyber claims in the first six months of 2024, according to the analysis by Allianz Commercial.
High-profile ransomware incidents this year included attacks against UnitedHealth Group’s Change Healthcare, which is expected to cost the company up to $1.6 billion, and U.K. blood testing firm Synnovis, which saw patient services disrupted and personal and health data published on the dark web.
Several factors are contributing to the rise in data and privacy breach incidents overall.
“A rise in ransomware attacks including data exfiltration is a consequence of changing attacker tactics and the growing interdependencies between organizations sharing ever more volumes of personal records,” explains Michael Daum, global head of cyber claims at Allianz Commercial. Weak cyber security within organizations and their supply chains is another key factor.
The United States is playing an outsized role in this trend, accounting for 72% of large cyber claims overall in the first half of 2024, up from 41% in 2023. The share of large claims in the U.S. with data privacy violations was 100% during this period, based on the value of claims analyzed by Allianz.
“We are seeing more data privacy breach claims in the U.S. where there is a growing trend for class action litigation against large U.S. and international corporations related to privacy violations, such as around consent and data usage,” says Tresa Stephens, head of cyber, North America for Allianz Commercial. “The cost of some of these claims can be even larger than a ransomware incident, in the hundreds of millions of dollars.”
Increase in Data Privacy Litigation and Regulatory Risks
Over 1,300 data privacy related class action lawsuits were filed in the U.S. in 2023, more than double the number filed in 2022 and four times that filed in 2021, according to law firm Duane Morris. Industries targeted by this litigation include health care, social media, gaming, and streaming services.
Several factors are fueling this litigation trend, according to Allianz Commercial. A developing and complex regulatory and legal landscape around data privacy has created a grey area ripe for class action lawsuits. The commercial value of personal data and use of tracking tools by companies to monitor consumer behavior have also come under scrutiny.
While the scale is not yet on par with the U.S., the potential for similar litigation risks to emerge in Europe exists, the insurer stated. Heightened awareness of data protection rights and the availability of third-party litigation funding are contributing to a more consumer-friendly litigation environment on the continent.
Mitigating Data Breach Risks in an AI-Driven Landscape
The widespread adoption of artificial intelligence (AI) across industries is having a significant impact on the cyber and privacy risk landscape, according to Allianz Commercial.
AI relies on collecting and processing vast amounts of data, including personal, health and biometric information, to train models and make predictions or recommendations. However, this creates potential privacy and security risks if not properly managed. There also are concerns around whether organizations have proper consent to process data through AI and if they are complying with privacy laws, the report noted.
To mitigate data breach risks, organizations should implement strong cyber hygiene measures. These include robust access controls, database segregation, regular backups, timely patching, and employee training. Having better oversight of any cyber weaknesses in supply chains is another area where many companies need to improve.
Investing in early breach detection and response capabilities is also critical, Allianz Commercial said.
“Cyber breaches that are not detected and contained early can end up being 1,000 times more expensive than those that are,” says Rishi Baviskar, global head of cyber risk consulting at Allianz Commercial. Around two-thirds of breaches are typically reported by a third party or the attackers themselves, underscoring the need for proactive monitoring.
View the full Allianz Commercial report here. &