Business email compromise (BEC) has overtaken ransomware and data breaches as the main reason companies filed a cyber-insurance claim in the EMEA (Europe, the Middle East, and Africa) region last year, said insurance giant AIG.
According to statistics published in July, AIG said that BEC-related insurance filings accounted for nearly a quarter (23%) of all cyber-insurance claims the company received in 2018.
Ransomware-related incidents came in second place, accounting for 18% of all cyber-insurance claims in the EMEA region, followed by claims for data breaches caused by hackers and data breaches caused by employee negligence (e.g. sending data to the wrong person), both with 14%.
All in all, AIG said that cyber-insurance claims nearly doubled between 2017 and 2018 and that they received more cyber-insurance claims last year than in 2016 and 2017 combined.
The fact that BEC attacks ranked first is no surprise for industry experts. In April 2019, the FBI said losses caused by BEC scams doubled in 2018, compared to 2017 figures, and reached a whopping $1.3 billion, based on victim reports received by the agency’s Internet Crime Complaint Center (IC3).
AIG blamed the recent rise in BEC-related cyber-insurance claims on the poor security measures victim companies had in place, such as the use of poor passwords for email accounts, companies not using multi-factor authentication, or the lack of employee training regarding email-based attacks.
Ransomware-related claims expected to grow
But despite BEC ranking first, AIG expects that ransomware may soon reclaim the top spot, which it held in 2017, when ransomware-related claims accounted for 26% of all cyber-insurance claims.
The number of ransomware-related cyber-insurance claims dropped in 2018 because ransomware attacks, in general, became more targeted.
Nowadays, ransomware gangs tend to go after companies and government organizations, rather than home consumers. The incidents are fewer, but the payouts for criminal gangs are larger.
But despite the smaller number of ransomware infections, AIG believes the number of cyber-insurance claims will go up, as enterprise and government victims learn that they can offset losses by filing a cyber-insurance claim.
A trend like this has already become widespread in the US. A recent ProPublica investigation discovered that insurance companies are now advising victims to pay the ransom demand and then file a cyber-insurance claim. This recent tactic, seen predominantly in the US, is a win-win strategy where the victim regains access to its files and the cyber-insurer gets away with covering a smaller claim for the ransom demand, rather than a bigger one for rebuilding a victim’s entire IT network.
Claims frequency and the GDPR
But the most interesting trend in the AIG report on cyber-insurance claims filed in 2018 in the EMEA region is one related to the EU’s new General Data Protection Regulation (GDPR).
AIG noted a pronounced “GDPR effect,” meaning that companies started filing more cyber-insurance claims after the GDPR came into effect in late May 2018.
The reason may be that companies can’t hide data breaches anymore, facing steep GDPR penalties, so they choose to go public and file a cyber-insurance claim to cover some of their costs and the impending GDPR fine.
AIG said that around a fifth of all cyber-insurance claims it received in 2018 in the EMEA region also included a public GDPR notification. Those insurance claims, AIG noted, included significantly higher costs than claims that didn’t result in a GDPR data breach notification.