GDPR could increase cyber claims


The implementation of the new EU General Data Protection Regulations (GDPR) could cause a surge in data breach and other security failure insurance claims, AIG Europe has predicted.

The company’s Cyber Claims Report 2018 found that 2017 was a record breaking year for cyber claim notifications, with as many reported in 2017 as the previous four years combined. Mark Camillo, Head of Cyber for EMEA at AIG, believes this number is only going to increase: “The arrival of GDPR will become another tool for negotiation by extortionists. They will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences could be more significant under the new regime. Companies will be more inclined to report breaches, leading to an increased impact on the volume of cyber claims.”

This has already been seen, he added, in the US, ‘after state breach notification laws came into effect and where nearly every high-profile cyber breach is met with at least one class action lawsuit’.

In 2017, ransomware was the top reason for a cyber claim being filed, with 26 per cent of all claims being for this reason. A data breach by hackers came second (12 per cent) with other security failure/unauthorised access making up 11 per cent of claims.

The report also showed that cyber claims affect a wide range of industries, and are not just confined to tech firms. Professional services and financial services tied for the top position with both taking 18 per cent of claims, with retail (12 per cent), business services (10 per cent) and manufacturing (10 per cent) making up the rest of the top five.

“Whatever their size or sector, organisations operating in today’s interconnected and increasingly digital world are becoming more attuned to the risk and aware of how good cyber hygiene, combined with cyber insurance, can play an important part in mitigating potentially dire financial consequences,” said Camillo. “To become cyber-resilient, organisations need to prepare – practise their response, implement a robust cyber risk strategy and ensure they are indemnified for the full range of cyber exposures, including network interruption.”