2017 Cyber Insurance Claims
December 26, 2018
You can’t do much to prevent an earthquake, or even to know when one will hit, so you buy insurance just in case. A malware outbreak such as WannaCry can be just as hard to predict, and many organizations never considered that one could hit them. The cyber insurance provider AIG has released a report on the claims it paid in 2017, and the numbers are somewhat surprising. Why? Because, unlike an earthquake, many of these incidents are preventable.
According to the report, “Cyber insurance claims: Ransomware disrupts business,” 2017 was a banner year for cyber insurance claims, with more of them filed in that one year than in the previous four years combined. That amounted to about one claim per working day.
The largest share of claims, 26%, was for ransomware attacks, a significant jump from 16% over the previous four years. If you thought ransomware attacks were declining, these figures show otherwise.
AIG’s head of cyber for EMEA attributes this to a combination of leaked NSA tools and state-sponsored capabilities.
The financial services sector accounted for a smaller share of claims than in previous years, 18% compared to 23%, which is a welcome result, but not one that lets the industry stop paying attention.
Retail and wholesale accounted for 12%, and business services and manufacturing each for 10% of AIG’s total cyber claims.
Also among the significant event types were unauthorized access and impersonation fraud. Human error was blamed for the majority of claims, even though the share attributed to employee negligence decreased from 2016.
What matters is that many of these events (ransomware outbreaks, data breaches, virus and malware infections, physical loss) are preventable. Prevention takes continual awareness training. Every organization should have a plan for reminding everyone in the organization (don’t forget contractors and consultants) what the cyber risks are and how to avoid falling for them. Fortunately, many companies are adopting such programs. Unfortunately, many of them stop at a single annual session, and that just isn’t enough.
Awareness training needs to be continual. Malware is modified to bypass detection, and social engineers invent new scenarios that catch people off guard. Teaching users how to spot phishing stops many outbreaks at the door, but it would not have stopped WannaCry on its own: that worm spread from machine to machine by exploiting an unpatched Windows SMB vulnerability, so the control that mattered there was applying the patch Microsoft had already released. Training still needs to happen more often than yearly.
In addition to training, keeping operating systems and applications patched, and security and anti-virus software up to date, is paramount to avoiding attacks. And don’t forget regular backups, kept somewhere that ransomware on the network can’t reach and tested by actually restoring from them, in case someone accidentally lets ransomware loose.
Doing this will not only save your organization time and money, it can also help keep your cyber insurance premiums lower. And lower premiums are always welcome.