Business email compromise (BEC) attacks have overtaken both ransomware and data breaches as the main reason companies filed a cyber-insurance claim in the EMEA region last year, according to new research from insurance giant AIG.
Statistics published by the firm in July revealed that BEC-related insurance filings accounted for 23 percent of all cyber-insurance claims received by the company in 2018.
Incidents related to ransomware came in second place and accounted for 18 percent of all cyber-insurance claims in the EMEA region. Data breaches caused by hackers and data breaches caused by employee negligence tied for third place with both at 14 percent.
According to AIG, the recent rise in cyber-insurance claims from BEC attacks was caused by poor security measures at victim companies including the use of poor passwords for email accounts, not using multi-factor authentication and the lack of employee training about email-based attacks.
Although BEC attacks currently hold the top spot, AIG expects that ransomware may soon regain it. As ransomware became more targeted, the number of ransomware-related cyber-insurance claims dropped last year.
This is because those launching ransomware attacks have begun to target businesses and government organizations as opposed to consumers. The number of incidents may be lower but the attackers behind them are receiving larger payouts.
As enterprise and government victims learn that they can offset losses by filing a cyber-insurance claim, AIG believes that the number of claims will go up despite the smaller number of ransomware infections recently. This trend has already become widespread in the US and a recent ProPublica investigation discovered that insurance companies are now advising victims to pay the ransom demand and then file a cyber-insurance claim afterwards.
AIG also found that GDPR has affected the number of cyber-insurance claims filed as businesses can no longer hide data breaches and have to disclose them under the regulation. Now companies are publicly revealing their data breaches and filing a cyber-insurance claim to help cover some of their costs and any fines levied against them under GDPR.
A fifth of all the cyber-insurance claims AIG received in 2018 included a public GDPR notification. However, the firm found that these claims included costs that were significantly higher than those that did not include a GDPR data breach notification.