AGCS analysis of more than 1,700 cyber claims: External events such as "DDoS" attacks result in the most costly cyber losses but internal incidents like human error or systems failure occur more often, albeit with a lower financial impact.

interruption is the main cost driver of cyber claims. Inability to access data or services can have a significant impact on revenues, given growing reliance on online sales.

data breaches and the Covid-19 working landscape present significant future cyber risks.

JOHANNESBURG/LONDON/MUNICH/NEW YORK/PARIS/SAO PAULO/SINGAPORE – Media OutReach – 19 November 2020 – External attacks on companies result in the most expensive cyber insurance losses but it is employee mistakes and technical problems that are the most frequent generator of claims by number, according to a new report from Allianz Global Corporate & Specialty (AGCS), Managing The Impact Of Increasing Interconnectivity — Trends In Cyber Risk. The study analyzes 1,736 cyber-related insurance claims worth EUR 660mn (US$ 770mn) involving AGCS and other insurers from 2015 to 2020.

“Losses from incidents such as distributed denial of service (DDoS) attacks or phishing and ransomware campaigns account for a significant majority of the value of cyber claims today,” says Catharina Richter, Global Head of the Allianz Cyber Center of Competence, which is embedded into AGCS. “But although cyber crime generates the headlines, everyday systems failures, IT outages and human error incidents can also cause problems for companies, even if their financial impact is not, on average, as severe. Employers and employees must work together to raise awareness and increase cyber resilience.”

The number of cyber insurance claims AGCS has been notified of has steadily risen over the last few years, up from 77 in 2016, when cyber was a relatively new line of insurance, to 809 in 2019. In 2020, AGCS has already seen 770 claims in the first three quarters. This steady increase in claims has been driven, in part, by the growth of the global cyber insurance market which is currently estimated to be worth $7bn according to Munich Re. AGCS started offering cyber insurance in 2013 and, in 2019, generated more than EUR 100mn in gross written premium in this segment. At the same time the report also highlights that there has been a 70%+ increase in the average cost of cyber crime to an organization over five years to $13mn and a 60%+ increase in the average number of security breaches.

Losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for the majority of the value of claims analyzed (85%) according to the report, followed by malicious internal actions (9%) — which are infrequent but can be costly. Accidental internal incidents, such as employee errors while undertaking daily responsibilities, IT or platform outages, systems and software migration problems or loss of data account for over half of cyber claims analyzed by number (54%) but, often, the financial impact of these is limited compared with cyber crime. However, losses can quickly escalate in the case of more serious incidents.

Business interruption is the main cost driver behind cyber losses, accounting for around 60% of the value of all claims analyzed in the report, followed by costs involved with dealing with data breaches.

The cyber risk environment is not expected to become any easier in future, the report notes. Businesses and insurers are facing a number of challenges such as the prospect of more expensive business interruptions, the rising frequency of ransomware incidents, more costly consequences of larger data breaches given more robust regulation and litigation, as well as the impact from the playing out of political differences in cyber space through state-sponsored attacks. The impact of these trends is also the subject of a new AGCS podcast.

The huge rise in remote working due to the coronavirus pandemic is also an issue. Displaced workforces create new opportunities for cyber criminals to gain access to networks and sensitive information. Malware and ransomware incidents are already reported to have increased by more than a third since the start of 2020, while coronavirus-themed online scams and phishing campaigns about the pandemic continue. At the same time the potential impact from human error or technical failure incidents may also be heightened.

While exposures are rising, the Covid-19 outbreak cannot yet be said to be a direct cause of cyber-related claims. AGCS has seen the first few cyber claims that can be indirectly attributed to the Covid-19 landscape, including ransomware attacks which can be linked to the shift to more remote working. However, it’s too early to confirm a broader trend.

Ransomware threats surge

Already high in frequency, ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. There were nearly half a million ransomware incidents reported globally last year, costing organizations at least $6.3bn in ransom demands alone. Total costs associated with dealing with these incidents are estimated to be well in excess of $100bn.

“High-end hacking tools are more widely available driven by the growing ‘commercialization of cyber-hacks’. Increasingly, criminals are selling malware to other attackers who then target businesses demanding ransom payments,” says Marek Stanislawski, Global Cyber Underwriting Lead at AGCS. “However, extortion demands are just one part of the picture. Business interruption can bring the most severe losses — with downtimes becoming longer — while systems and data restoration costs can quickly escalate.”

Business interruption and digital supply chain vulnerability growing

“Whether due to ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy,” says Joerg Ahrens, Global Head of Long-Tail Claims at AGCS. “The inability to access data for an extended period of time can have a significant impact on revenues — for example, if a company is unable to take orders. Similarly, if an online platform is unavailable due to a technical glitch or cyber event, it could bring large losses for companies that rely on it, particularly given today’s increasing reliance on online sales or digital supply chains.”

Data breaches and state-sponsored attacks

The cost of dealing with a large data breach is rising as IT systems and cyber events become more complex, and with the growth in cloud and third-party services. Data privacy regulation, which has recently been tightened in many countries, is also a key factor driving cost, as is growing third-party liability and the prospect of class action litigation. So-called mega data breaches (involving more than one million records) are more frequent and expensive, now costing $50mn on average, up 20% over 2019.

In addition, the impact of the increasing involvement of nation states in cyber-attacks is a growing concern. Major events like elections and Covid-19 present significant opportunities. During 2020 Google said it has had to block over 11,000 government-sponsored potential cyber-attacks per quarter. Recent years have seen critical infrastructure, such as ports and terminals and oil and gas installations hit by cyber-attacks and ransomware campaigns.

Prepare, practice and prevent

Preparation and training of employees can significantly reduce the consequences of a cyber event, especially in phishing and business email compromise schemes, which can often involve human error. It can also help mitigate ransomware attacks, although maintaining secure backups can limit damage. Cross-sector exchange and cooperation among companies — such as what has been established by the Charter of Trust — is also key when it comes to defying highly commercially-organized cyber crime, developing joint security standards and improving cyber resilience.

The Covid-19 landscape brings new challenges. With home-working widespread, security around access and authentication points is critical but organizations should also ensure there is sufficient network capacity as this can have a significant impact on lost income if there is an outage.

