While companies should fear cyberattacks from external bad actors, a new analysis by Allianz Global Corporate & Specialty (AGCS) has revealed that it’s employee mistakes and technical issues that are to blame for the majority of cyber claims.
The report, “Managing the Impact of Increasing Interconnectivity – Trends in Cyber Risk,” analysed 1,736 cyber-related insurance claims worth US$770 million involving AGCS as well as other insurers from 2015 to 2020. It found that external attacks on companies, such as “DDoS” attacks, resulted in the costliest cyber losses, but internal incidents, including human error and systems failure, happen more frequently, though they also have a less significant financial impact.
Specifically, external cyber incidents accounted for 85% of the value of claims analysed, according to the report, while accidental internal incidents accounted for over half of cyber claims analysed by number (54%). While the financial impact of the latter is limited compared to cyber crime, losses can climb quickly in the face of more serious incidents.
“Although cyber crime generates the headlines, everyday systems failures, IT outages and human error incidents can also cause problems for companies, even if their financial impact is not, on average, as severe,” said Catharina Richter, global head of the Allianz Cyber Centre of Competence, which is embedded into AGCS. “Employers and employees must work together to raise awareness and increase cyber resilience.”
The AGCS report likewise discovered that business interruption is the main cost driver of cyber claims, since a company’s inability to access its data or services can take a toll on revenues, especially considering the growing reliance on online sales. At the same time, the COVID-19 remote work landscape, a spike in ransomware attacks and the increasing cost of large data breaches are bringing additional cyber risks, as are state-sponsored attacks.
Notably, the number of cyber insurance claims that AGCS has been notified of has grown gradually over recent years, from 77 in 2016 to 809 in 2019. Meanwhile, in 2020, AGCS has already seen 770 claims in the first three quarters. The growth in the cyber insurance market is partly a driver of these claims, though AGCS also noted that there has been a more than 70% increase in the average cost of cyber crime for organisations over five years – that figure now stands at US$13 million – in addition to a more than 60% increase in the average number of security breaches.
Some of the report’s other key findings included the following:
- Last year, there were nearly half a million ransomware incidents reported globally, which cost organisations at least US$6.3 billion in ransom demands alone, while total costs associated with the fallout from these incidents were estimated to be in excess of US$100 billion.
- Business interruption incidents and digital supply chain vulnerabilities are growing.
- Data privacy regulation is another key factor driving costs in cyber claims, alongside growing third-party liability and the prospect of class action litigation.
- ‘Mega’ data breaches, which involve more than one million records, are more frequent and cost US$50 million on average in 2020 (a 20% jump from 2019).
“Whether due to ransomware, human error or a technical fault, the loss of critical systems or data can bring an organisation to its knees in today’s digitalised economy,” says Joerg Ahrens, global head of long-tail claims at AGCS. “The inability to access data for an extended period of time can have a significant impact on revenues – for example, if a company is unable to take orders. Similarly, if an online platform is unavailable due to a technical glitch or cyber event, it could bring large losses for companies that rely on it, particularly given today’s increasing reliance on online sales or digital supply chains.”