In the cases of cyber extortion, claims severity depends on the type of organisation, the level of business interruption caused and need for forensic investigation and system restoration. Ransom demands typically remain small. For example, one online retailer was subject to a DDoS attack, which resulted in their website being inaccessible or experiencing reduced performance. Prior to the attack they received an online message claiming that their website protection was extremely low and it would be taken offline unless a payment of £3,000 was made. Further ransom demands of £500 were made during the attack.

Largescale DDoS attacks are also a rising concern, up 138 percent year-on-year, according to Akamai’s latest State of the Internet/Security Report. In October 2016, a massive DDoS attack hit servers at domain name system provider Dyn, resulting in widespread disruption. The DDoS involved a botnet coordinated through tens of millions of connected devices including surveillance cameras, webcams, smart thermostats and even baby monitors infected with the Mirai malware.

For those affected by ransomware or DDoSattacks, business interruption (BI) costs are highest during peak trading periods. Half of the respondents to one recent survey revealed that they could lose over $100,000 per hour during critical periods – even if the initial ransom demand is low.

While business interruption currently accounts for just four percent of AIG EMEA cyber claims (with a further four percent of claims falling under system failure/outage), BI cyber claims are expected to increase in frequency and severity in the future. Rapid breach response is one way of mitigating the potential impact.

Regulation to drive data breach claims

Perhaps unsurprisingly, the majority of cyber claims currently emanate from industries that are required to notify customers if sensitive data has been compromised. But from 2018, under the General Data Protection Regulation (GDPR), all companies based in the EU and those based outside of the EU who process EU citizens’ data will be required to report a breach within 72 hours of it occurring – if that is feasible. There will be significant fines for those firms that have failed to protect data adequately. A company can be fined up to two percent of their global annual turnover for not having records in order, failing to notify the supervisory authority about a breach or failing to conduct impact assessments. Infringements that are more serious could merit a four percent fine.

It is anticipated the new data protection rules and headline-hitting data breach exposés will continue to drive greater demand for cyber cover. However, despite the growing risk of a cyberattack, a surprising number of companies are unprepared to deal with the threat. From our experience of working with companies – large and small – that have suffered from some sort of data breach, it is clear that it is not just being a victim of a breach that can cause damage to businesses, but also how a breach is handled. Many organisations are dealing with cyber claims for the first time and, even if they have the resources required to respond, they often do not know how to deploy them. Insurance plays a key role in not just offsetting costs when a cyber event happens, but also preventing an attack in the first place, and responding correctly to reduce damage when cyber security fails.