Cyber extortionists, who are aware of the repercussions of falling foul of the new EU General Data Protection Regulation (GDPR), are forecast to take advantage of the situation.
“The arrival of GDPR will become another tool for negotiation by extortionists,” said AIG’s head of cyber for Europe, Middle East, and Africa (EMEA) Mark Camillo. “They will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences could be more significant under the new regime.
“Companies will be more inclined to report breaches, leading to an increased impact on the volume of cyber claims. This was seen in the US after state breach notification laws came into effect and where nearly every high-profile cyber breach is met with at least one class action lawsuit.”
Releasing its latest cyber claims report, the insurer reported receiving the same volume for EMEA in 2017 as in 2013-2016 combined. And, yes, even more cyber claim notifications are expected once GDPR comes into force.
“In 2017 we saw a series of sophisticated, systemic malware and ransomware attacks, including WannaCry and NotPetya,” noted Camillo. “The resulting business interruption was a significant issue for many European organisations – much of the financial impact was a balance sheet loss.
“While ransom payments only generated around $150,000, total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to direct costs and indirect business disruption. The majority of these losses were underinsured.”
The professional services sector, which posted a significant increase in its proportion of overall claims last year compared to the 2013-2016 period, had better brace itself for further breaches. Camillo said the likes of solicitors and accountants have become more of a target, given the quality and size of their client databases.
Financial services were found to be equally vulnerable.
“However, whatever their size or sector, organisations operating in today’s interconnected and increasingly digital world are becoming more attuned to the risk and aware of how good cyber hygiene, combined with cyber insurance, can play an important part in mitigating potentially dire financial consequences,” said the cyber head.
Camillo believes organisations must practise their response, implement a robust cyber risk strategy, and ensure they are indemnified for the full range of cyber exposures in order to be resilient.
In 2017 more than a quarter of the European cyber claims received had ransomware as the primary cause of loss. AIG said other main types include data breach by hackers, other security failure or unauthorised access, and impersonation fraud.