An analytical review of cyber claims trends from Allianz.
Cyber claims have shown a notable rise over the past year, significantly fueled by an increase in incidents related to data and privacy breaches, as stated by Allianz Commercial in its latest annual report on the cyber risk outlook. The frequency of major cyber claims—those exceeding €1 million—increased by 14% in the first half of 2024, with severity rising by 17%, according to Allianz’s claims analysis. This trend follows a modest 1% increase in severity in 2023. Data and privacy breach-related factors are implicated in nearly two-thirds of these significant losses. While the total number of cyber claims in 2024 is anticipated to plateau after a 30% increase in claims frequency in 2023, which resulted in over 700 incidents reported.
“The heightened importance of data breach losses within cyber insurance claims can be attributed to several critical trends,” remarks Michael Daum, Global Head of Cyber Claims at Allianz Commercial. “The rise in ransomware attacks, coupled with data exfiltration tactics, reflects a shift in the methodologies of attackers and the increasing interconnections among organizations handling vast amounts of sensitive personal data. Concurrently, the evolving regulatory landscape has led to an increase in ‘non-attack’ data privacy-related class action lawsuits, with incidences of improper collection and processing of personal data seeing a tripling in claims value over the past two years.”
The surge in ‘non-attack’ claims is largely due to advancements in technology, the escalating commercial value of personal information, and a shifting legal and regulatory backdrop. In contrast to the EU’s General Data Protection Regulation (GDPR), privacy regulations in the United States are often less stringent and open to various interpretations, thus encouraging legal professionals to seek new avenues for revenue through litigation. This creates an ambiguous legal landscape well-suited for class action suits, as outlined in the report.
“We are witnessing an uptick in data privacy breach claims within the US, as a significant trend towards class action litigation emerges against major US and global corporations for privacy infringements pertaining to consent and data utilization,” Daum continues. “The financial repercussions of some of these claims can surpass those of typical ransomware incidents, potentially reaching hundreds of millions of dollars.”
In the past year, data breaches have become one of the fastest-growing categories of US class action litigation, with more than 1,300 suits filed under various data privacy regulations in 2023—an increase of over 100% from 2022 and quadrupling the volume recorded in 2021, as reported by the law firm Duane Morris.
Numerous class action lawsuits have been initiated against diverse sectors such as healthcare, social media, and gaming for employing tracking technologies like Meta Pixel to scrutinize user behavior. Similarly, streaming entertainment services have faced scrutiny for potential violations of privacy rights. Major data breach incidents can catalyze a multitude of lawsuits, with the 2023 MOVEit data breach triggering over 240 lawsuits consolidated under a single Multidistrict Litigation in October 2023 due to the scale of the incident. High-profile cases often incentivize settlements given the large pool of claimants. Notably, the top ten data breach class action settlements last year reached $516 million, marking a marked rise from the $350 million seen in 2022.
The risk of data breach lawsuits is also intensifying in Europe, with increasing public awareness of data protection rights, greater access to third-party litigation funding, and a more consumer-friendly legal environment contributing to the potential for mass data privacy claims, albeit at a smaller scale than in the US.
Artificial Intelligence: A Double-Edged Sword in Data Privacy
As nearly every sector adopts artificial intelligence (AI), its influence on cybersecurity and data privacy risks is anticipated to be profound. AI typically necessitates vast data sets, including personal, health, and biometric information, for developing its models and generating insights. However, AI technologies, such as chatbots, can introduce significant risks—spanning privacy, misinformation, and security challenges—if not managed appropriately. The extensive data acquisition and processing raise concerns regarding unauthorized access due to hacking or other security vulnerabilities, as well as compliance with privacy regulations.
Addressing Data Protection Challenges
Despite increased investments in cybersecurity in recent years, many data breaches—especially those linked to significant mass data exfiltration events—are due to inadequate cybersecurity measures within organizations or their supply chains. These situations can result in substantial claims, encompassing regulatory penalties, notification expenses, third-party litigation, as well as ransom demands and business interruptions.
“The insurance sector must enhance its focus on data privacy within the realm of cyber risk and play a crucial role in providing loss prevention and mitigation guidance to businesses navigating this critical area of exposure,” asserts Vanessa Maxwell, Global Head of Cyber and Financial Lines at Allianz Commercial. “The benefits of cyber insurance extend beyond mere claims payments. It serves as a catalyst for companies to justify investments in cybersecurity and prioritize resources towards the most effective protective measures.”
Robust cyber hygiene, including stringent access controls, database segmentation, data backups, timely patching, and comprehensive training, is essential for mitigating data breach risks. Firms must also bolster their oversight regarding cybersecurity vulnerabilities within their supply chains, an area identified for improvement across many enterprises.
“The early identification and response capabilities are pivotal. Approximately two-thirds of incidents are commonly revealed by external parties or the attackers themselves,” explains Rishi Baviskar, Global Head of Cyber Risk Consulting at Allianz Commercial. “Breaches that go undetected or are not addressed promptly can escalate in cost, potentially becoming 1,000 times more expensive; for instance, turning a €20,000 loss into one of €20 million.”
“AI is increasingly becoming a vital asset in countering cyber threats, as it can detect security breaches swiftly and automatically isolate affected systems and databases, leading to considerable reductions in the cost and duration of data breach claims by automating procedures like forensic investigations and notifications, which can save companies millions.”
