Three takeaways from our 2019 cyber claims data

In 2019, our in-house cyber claims team dealt with over 1,500 claims – or over 30 a week – and it looks like 2020 is already set to eclipse that.

Cyber Article 1 min 31 Mar, 2020

CFC cyber claims data 2019

We’ve had a careful look at our cyber claims data from 2019 to see what it might tell us about the year ahead. Here are a few things we spotted:

  1. Ransomware is still a problem, with no signs of abating

    Between 2017 and 2018, we saw a significant increase in ransomware and extortion events globally, and the frequency of these events continues to tick up, now making up 31% of claims overall. These events also seem to be getting more expensive: they accounted for 35% of all losses in 2018, rising to 39% in 2019.

    This doesn’t come as much of a surprise. Judging by the cyber claims we’ve dealt with thus far in 2020, ransomware and extortion attacks show no signs of abating and are continuing to get more widespread and severe. While a few years ago, ransomware demands hovered around $300 on average, demands in the last year have skyrocketed to eye-watering amounts in the thousands and even hundreds of thousands of dollars. What’s more, variants being used are growing in sophistication with some criminals starting to threaten the release of sensitive data if ransom demands aren’t paid, making recovery from backup moot and increasing the incentive to pay. This is a particularly worrying trend as the business interruption fallout from ransomware attacks already makes them a disproportionately expensive type of cyber event to suffer.

    It is promising to see, however, that the frequency of ransomware incidents is shrinking in previously high-risk areas. In 2018, for example, 62% of the cyber claims we handled for Canadian businesses were the result of ransomware and extortion, but in 2019, this number shrank significantly, now making up less than half.

  2. Rise in funds transfer fraud likely to get worse with speedy banking

    In late 2018, we noticed that theft of funds claims were disproportionately high in the UK, and established the cause of this to be the UK banking system and its implementation of the Faster Payments Service (FPS). The FPS makes transferring funds incredibly simple, and transfers take effect almost immediately. As a result, when a fraud takes place, funds are often siphoned off into other accounts before the victim becomes aware and notifies their bank. Fortunately, as people have become more educated, UK businesses seem to be better prepared for this risk and the funds transfer fraud rate has dropped 18 points to 31% in just a year.

    Unfortunately, other countries are now seeing events of this type rise. For example, these events grew substantially in Canada from just 9% of claims overall to 27%. With Canada and Australia starting to implement similar speedy banking systems which allow real-time payments, we expect funds transfer fraud to become an even more pressing problem in these territories in the coming year.  

  3. Money a driver for criminals, but sensitive data still matters

    Although we believe that cybercriminals’ desire to steal money, rather than data, is what will continue to drive the majority of our cyber claims, privacy-related claims still make up a large portion globally. In fact, in most territories, the combined figure of malicious data breaches (like hack attacks and phishing) and non-malicious data breaches (like lost laptops and misdirected emails) sits around 40% of claims overall.

    There are probably a couple of contributing factors. Firstly, human error and employee education are still real issues. Many malicious data breaches begin with employees clicking on a phishing link, which is often avoidable. And of course non-malicious data breaches are made up entirely of events relating to employee error or insufficient security, like leaving an unencrypted device at a coffee shop.

    Secondly, the implementation of various privacy regulations over the last two years - from the GDPR in Europe to the Notifiable Data Breaches scheme in Australia - is putting the onus on businesses to report more breaches and may be contributing to this figure holding steady. It'll be interesting to see what effect, if any, the implementation of the California Consumer Privacy Act (CCPA) and New York's SHIELD Act have.

The year ahead

It has already been a busy start to 2020, with our in-house cyber claims team handling 750 cyber events in the first three months alone, and thus we expect our 2019 claims volume of 1,500 incidents to double this year.

In terms of the types of cyber incidents we expect to see the most of, ransomware attacks and funds transfer fraud still top the list, and the frequency and severity of these incidents are likely to swell as the Coronavirus pandemic forces many businesses to operate almost entirely online. Not only does the increased usage of Remote Desktop Protocol (RDP) potentially open a gateway for cybercriminals to infiltrate systems and install ransomware, but staff working away from one another makes fraudulent funds transfer requests that much harder to spot.

As ever, good security hygiene, staff education, and cyber insurance will be of paramount importance in 2020.