As cyberattacks become an increasingly existential threat affecting industries across the board, the financial burden attached to this crime in 2024 is also expected to rise as threat actors deploy more sophisticated campaigns.
“History shows data breach costs increase year-over-year,” said John Farley (pictured), Gallagher’s managing director of cyber.
“We’ve had occasional years where they’ve dipped down a bit, but overall, they tend to go up.”
Farley does not believe there is any reason why these costs will decrease anytime soon, especially as these threat actors have various reasons to perpetrate the attacks.
“Hackers, many times, are well funded. Sometimes nation states are funding armies of hackers and they’re not slowing down,” he said.
“This is a fairly lucrative business for them. And there’s lots of motivation behind hacking, whether that’s geopolitical or financial.”
There is also the threat of leveraging AI to create and deploy cyberattacks more efficiently and deceptively.
“Hackers are going to be able to craft very believable phishing emails through the use of AI - they’re going to have copy that doesn’t have the telltale signs of suspicion, such as spelling and grammar mistakes,” Farley said.
“Additionally, they’re going to have very targeted phishing campaigns by pulling information from public platforms, such as LinkedIn and others, where you could target a particular person.”
According to Gallagher’s 2024 Cyber Insurance Market Conditions Outlook, authored by Farley, the healthcare system, once again, was the top industry for the costs associated with cyberattacks in 2023, with the cost of a data breach escalating to US$10.93 million, up from US$10.10 million the previous year.
Additionally, the average cost of a data breach soared to US$4.35 million in 2023, a figure that the author expects to increase over the course of the year.
In an interview with Insurance Business, Farley spoke about some industry trends he foresees in 2024 and why increased competition in the cyber market may not be as optimistic as it seems.
Within the 2024 Outlook report, Farley predicts this year is going to be dominated by a tried-and-true hacking campaign.
“We’re going to see ransomware continue to be an issue for insurance and underwriters that are writing cyber policies,” he said.
“These losses tend to involve significant extortion amounts, typically in the six figures. And they’re also involving significant loss of business income — sometimes this loss is even greater than the extortion that’s paid.”
The report states how, in Q3 2023, ransomware activity increased by 95% from the previous year and 11% from the previous quarter. Farley cautioned industry personnel to not take these numbers lightly.
There is also the expectation that hackers will continue to attack technology companies who deal with and hold sensitive data from multiple clients.
“I think what we’re also going to see is a continued attack on key suppliers in the supply chain, such as software providers. We saw hackers go after them last year in hope that once successfully attacked, they can launch attacks to all of their clients,” Farley said.
“This has been a fairly successful hacking technique.”
Elsewhere, outside of the realm of hackers, non-compliance with privacy law and wrongful data collection claims will also be a hot button issue in 2024.
“Non-compliance to privacy law that leads to increased regulatory risk, and sometimes private rights of action in the form of class actions against those organizations,” Farley explained, “we’ve seen them pile up over the last couple of years, and there’s no sign that they’re going to slow down.”
Farley also noted how, across the globe, there are more privacy laws being passed that businesses are expected to comply with — this will lead to more vulnerabilities.
“Sometimes these laws allow a regulator to pursue an issue with an organization, while also allowing for private rights of action sometimes, which opens the litigation floodgates in the form of multiple class actions that can be filed for those organizations that are found to be non-compliant,” he explained.
Farley stated how while there is increased claim activity across the board, there is a lot of capacity in the market right now, with rates stabilizing or beginning to fall.
“However, I don’t want to lose sight of the fact that sometimes carriers are constricting coverage in certain areas of the policy,” he said.
One example of this is in respect to wrongful data collection.
“Will a policy respond to a regulatory inquiry, or settlement? That’s an open question,” Farley said.
Elsewhere, Farley questioned whether or not supplements will be imposed as ransomware ramps up again, especially if a client experiences what is deemed a widespread event.
“I really want to stress is that you can’t measure the hardness or softness of a market just based on rates, you need to look at the whole picture, you need to look at what’s covered and what isn’t,” he added.
“Us, as brokers, will have to focus on whether or not a client is subject to exclusionary terms. We will have to review that with a fine-tooth comb. One word can change coverage significantly, and that’s something we’re laser focused on.”
