CFC 2018 cyber claims data

Here are some of our observations from our look back at 2018:  

1. Data breaches still pose a major risk, but they don’t tell the whole storyOver the course of 2018, we saw a number of pieces of data breach legislation come into play, from the GDPR in Europe to the Digital Privacy Act in Canada. In some territories, like Australia where they introduced the Notifiable Data Breaches scheme, this led to a spike in privacy breach claims as overly-cautious businesses notified more breaches than was probably necessary.
   
   While these pieces of legislation are important, we should avoid seeing cyber insurance exclusively through this lens. It’s important to stress that while notification laws might prompt consideration of cyber amongst businesses and seem to be driving claims, cyber insurance is not just about covering the losses associated with a data breach. It’s much broader than that and our data shows it provides cover for a whole host of cyber-related risks, ranging from theft of funds and cyber extortion to system damage and business interruption.
2. Human error still plays a part in the majority of the claims we seeWhether a business suffers a data breach, a ransomware attack, or accidentally sends money to a fraudulent bank account, human error plays a part in the vast majority of the claims we see. 
   
   For example, non-malicious data breaches refer entirely to those caused by lost laptops and other devices or doing things like inadvertently sharing sensitive data. In addition, many funds transfer fraud requests are due to employees failing to follow-up urgent wire transfer requests with a phone call. Even malicious data breaches, ransomware and extortion claims often begin with hackers gaining system access through phishing links, which employees unwittingly click on.
   
   This highlights the importance of employee training on cyber risks, particularly phishing emails which can lead to a whole range of issues.
3. Cyber risks still vary according to where you are, but trends show us that they will become more similar over timeThere are several things which are levelling the playing field when it comes to cyber claims. The first is the aforementioned breach notification laws. Previously, claims in the US slanted heavily towards data breaches because notification laws have long been in effect. As cybercrime grows in the US and breach notification laws drive privacy claims in other territories, this should even out.
   
   The second is also something briefly touched upon already – real-time payment facilities. The UK’s funds transfer fraud rates are noticeably higher than other regions, and the main driver of this difference is the UK’s implementation of the Faster Payments Service (FPS), which allows businesses and consumers to transfer funds instantaneously instead of it taking the day or two it might take in other territories. While convenient, this also means that in the time it takes to spot a fraud, the funds are often irretrievable. As real-time payment facilities are taken up in other places, we expect this to lead to higher levels of funds transfer fraud in those territories in the coming years.

The year ahead

This is a good backward look but does 2019 have anything new in store for us?

Firstly, as explained above, we believe theft of funds claims rates, particularly those stemming from Office 365 attacks, will continue to grow in every territory until either more secure banking practices come into play, or the issue is well-known enough amongst organizations that levels plateau.

Secondly, when it comes to data breaches, there's a misconception that a large part of the costs stem from notifying individuals, but we're finding this to be one of the cheapest aspects of these types of claims. Instead, consequential reputational harm from data breaches is proving very costly and these types of claims are amongst our most severe. 

Thirdly, scattergun approach ransomware attacks are happening less and less. We're now seeing more targeted extortion attacks taking down whole companies and their back-ups. Although these types of claims make up a smaller piece of the pie in terms of frequency, they are again some of the most devastating in terms of financial fallout.  

And finally, with the potential for costly business interruption events on the rise, we believe that more industries will consider cyber insurance, such as manufacturing. After all, it’s not just businesses that hold sensitive data who are exposed anymore – it’s every business.