The digital world is a battleground, with cybercriminals launching increasingly sophisticated attacks that threaten both businesses and individuals. The financial damage caused by these breaches can prove astronomical, as evidenced by the skyrocketing demand for cyber insurance.
According to Allianz Commercial's annual cyber risk outlook, the number of large cyber claims (exceeding €1 million) in the first half of 2024 increased by 14%, while their severity rose by 17%. Data and privacy breaches account for two-thirds of these substantial losses.
A concerning trend found in the report: "non-attack" data privacy claims. These claims arise from technological advancements, the growing commercial value of personal data, and evolving regulatory and legal landscapes. While the European Union's General Data Protection Regulation provides a framework for data protection, the United States' less prescriptive regulations create ambiguity and opportunities for litigation.
Plaintiff lawyers are increasingly targeting large corporations with class action lawsuits alleging privacy violations. These suits are costly, sometimes even exceeding the financial impact of ransomware incidents. For instance, one recent class action lawsuit against a major U.S. corporation seeking hundreds of millions of dollars in damages is directly related to alleged privacy breaches.
And data breaches have become a hotbed for class action litigation in the US. In 2023, over 1,300 such lawsuits were filed, more than double the number in 2022 and four times that of 2021. Industries ranging from healthcare and social media to gaming and entertainment have faced these legal challenges. Organizations using tracking tools like Meta Pixel to monitor consumer behavior have been particularly vulnerable.
The MOVEit data breach of 2023 is a good example of the potential for hyper litigation. Over 240 lawsuits stemming from this incident were consolidated into a single Multidistrict Litigation, which demonstrates the scale of these legal battles. With large numbers of claimants, settlements often become a viable option for both parties. Last year, the top 10 data breach class action settlements totaled $516 million, a significant increase from the previous year.
The risk of data breach litigation is not confined to the U.S. though. Europe is also witnessing a growing awareness of data protection rights and a more favorable litigation environment. While mass data privacy claims may not reach the same scale as in the US, the potential for such actions is increasing.
Cyber insurers are adapting to this evolving landscape. They shifted their focus to understand clients' data governance standards, transparency practices and vendor cybersecurity measures.
“As cyber insurers, we are having to shift focus. In discussions with clients, it is critical we understand their data governance standards and how transparent they are when it comes to their use of consumers’ data, who they share it with, and their approach to vendor cyber security,” said Tresa Stephens, Head of Cyber, North America, Allianz Commercial.
Another trend found in the report is that AI is impacting the cyber and privacy risk landscape. We are all familiar with the fact that AI relies on vast amounts of data, including personal, health and biometric information, for training and operation, yeah? While AI offers various benefits, it also introduces potential privacy, misinformation and security risks if not managed properly. The collection and processing of sensitive data create vulnerabilities, and organizations must ensure they have appropriate consent and adhere to privacy laws.
And lastly, the report found that many data breaches continue to occur due to weaknesses within organizations or their supply chains, despite increased investments in cybersecurity. These incidents result in substantial financial losses, including regulatory fines, notification costs, third-party litigation, extortion demands and business interruption.
“The insurance industry must also step up its focus on the data privacy side of cyber risk and has a key role to play in offering loss prevention and mitigation advice to businesses about this increasingly important area of exposure,” said Vanessa Maxwell, Global Head of Cyber and Financial Lines, Allianz Commercial. “The value of cyber insurance goes well beyond the payment of claims. Insurance helps companies make the business case for cyber security investment and to direct their resources towards the most effective measures.”
To mitigate data breach risks, organizations must prioritize good cyber hygiene practices. This includes strong access controls, database segregation, regular backups, patching and employee training. Additionally, enhancing oversight of cybersecurity weaknesses within supply chains is crucial.
By investing in strong cybersecurity measures as well as seeking appropriate insurance coverage, organizations are better positioned to handle the storms that come through the modern cyber environment.
Edited by
Alex Passett
