
Cyber risk is now ranked as the number one business risk globally, well ahead of risks such as supply chain disruptions, natural catastrophes, changes in legislation, and other macroeconomic factors.

Insights from three leading insurance providers, Allianz, Coalition and Netdiligence, offer a clear understanding of the evolving threat landscape:

Claim severity increasing every year

According to Allianz, the severity of cyber claims (by dollar value) increased by 17% in 2024, compared to just a one percent increase in 2023. Coalition witnessed a similar trend in 2024 — claims severity increased by 14% across businesses of all sizes. In businesses that have revenues exceeding $100 million, severity spiked by a whopping 140%. Moreover, when ransomware attacks led to data exfiltration, they rapidly escalated into data privacy violations, triggering more substantial insurance claims.

Ransomware, BEC, dominating insurance claims

Ransomware and business email compromise (BEC) attacks aren’t just dominating headlines; they’re also dominating insurance claims. At Allianz, ransomware accounted for 58% of the value of large cyber claims (claims exceeding €1 million). More than half of all claims (56%) at Coalition were the result of Funds Transfer Fraud or BEC attacks. At NetDiligence, 53% of cyber claims received between 2019 and 2023 were due to ransomware and BEC attacks.

Third-party connectivity leads to greater risk exposure

As businesses rely on third parties for software, data storage, and services, new layers of complexity and risk emerge. Coalition found that nearly 23% of healthcare businesses whose revenue exceeded $100 million were affected by the Change Healthcare attack. Similarly, 75% of auto dealers with more than $100 million in revenue were impacted by the CDK Global ransomware event. Around 40% of data breaches spanned multiple environments, i.e., both public and private clouds, Allianz found.

Privacy violations are causing a surge in class action lawsuits

Allianz noted a steep rise in class action suits resulting from data breaches. In 2023, there were 1,300 cases of class action suits related to data breaches — more than a twofold increase from 2022 and a fourfold increase compared to 2021. Claims from non-attack data breaches (sharing data without the consent of users, wrongful processing of personal data, invasion of privacy when tracking consumer behavior, etc.) are also rising: 7% in 2022, 14% in 2023, and 21% in the first half of 2024.

Human error is the leading root cause of most incidents

Allianz reports that some of the largest incidents over the past 18 months stem from common human errors such as falling prey to phishing emails, compromised credentials, cloud misconfigurations, and BEC. Similarly, at NetDiligence, BEC is the second leading cause of loss at SMEs. Coalition also reinforced this trend: email was the root cause of more than half of all cyber claims. These statistics underscore the fact that human error is one of the most significant and persistent vulnerabilities in cybersecurity.

The most resourceful insurers are proactive, not reactive

Both cyber risk insurers and their customers share a common goal: reducing risk and minimizing damage from cyberattacks. By working together to prevent cyberattacks and breaches, organizations can improve resilience, boost financial health, improve customer trust and business reputation, reduce insurance costs, and gain better coverage. A minimum framework for effective prevention includes:

  1. A focus on the most prevalent threats: Channel security efforts toward the threats that lead to 90% of attacks, and avoid becoming distracted by narratives marketed by security vendors. Phishing, stolen credentials, and unpatched vulnerabilities are among the most common and pervasive threats leading to security breaches.
  2. A data-driven defense strategy: Build a deeper understanding of your own infrastructure and relevant risk exposure. Implement targeted security solutions, processes, and countermeasures, after understanding your environment and threats rather than relying exclusively on outside counsel.
  3. Multi-layered cybersecurity measures: Deploy multi-layered defenses to ensure that if one layer fails, additional layers may still detect and block the threat. These include phishing-resistant multi-factor authentication, firewalls, endpoint detection and response, cloud security, email and web security, etc.
  4. Cyber-aware employees: Human factors account for almost 75% of all data breaches. Organizations must ensure they educate their users regarding the risks, test and validate their security reflexes using phishing simulation exercises, improve their awareness about security rules, policies, and procedures, make users more accountable and responsible towards security, and ensure they adhere to security best practices.
  5. Third-party risk management: Organizations must assess the cybersecurity posture of their vendors and suppliers, ensuring they adhere to best practices. Regular security audits and contractual obligations can help mitigate supply chain risks. Maintaining a Software Bill of Materials (SBOM) can help security teams understand the various components of software products, including dependencies and vulnerabilities.
  6. Incident response planning: Developing and testing an incident response (IR) plan helps minimize the impact of a cyberattack. While the average cost of a data breach is about $4.88 million, studies show organizations save at least $2 million in data breach costs if they have an IR team and practice their IR plans regularly.
  7. Data privacy resilience: Be conscious of data collected. Only gather and store personal information necessary for business operations. Implement a process to securely dispose of data when it's no longer needed. Apply encryption and monitoring for third-party access. Restrict access to sensitive data to only those individuals who need it for business purposes. Use data leak prevention tools and user behavior analytics to identify any unusual access or movement of data.

In conclusion, these insurance industry reports underscore the urgent need for organizations to bolster their cybersecurity defenses. By addressing human-generated risks, staying abreast of emerging threats, and implementing robust mitigations, organizations can navigate the evolving cyber landscape with greater resilience.

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 70,000 organizations and more than 60 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, he was co-founder of Sunbelt Software, the anti-malware software company that was acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.”

© Touchpoint Markets, All Rights Reserved.