New data privacy trends drive growth of large cyber claims

Photo by Jefferson Santos

Cyber claims have continued their upwards trend over the past year, driven in large part by a rise in data and privacy breach incidents, Allianz Commercial warns in its annual cyber risk outlook.

The frequency of large cyber claims (>€1mn) in the first six months of 2024 was up 14% while severity increased by 17%, according to the insurer’s claims analysis, following just a 1% increase in severity during 2023. Data and privacy breach-related elements are present in two thirds of these large losses. Overall, the total number of cyber claims in 2024 is expected to stabilize, following a 30% increase in frequency during 2023, which resulted in 700+ claims.

“The growing significance of data breach losses among cyber insurance claims is driven by a number of notable trends,” explains Michael Daum, Global Head of Cyber Claims, Allianz Commercial.

“A rise in ransomware attacks including data exfiltration is a consequence of changing attacker tactics and the growing interdependencies between organizations sharing ever more volumes of personal records.

“At the same time, the evolving regulatory and legal environment has brought an uptick in so-called ‘non-attack’ data privacy-related class action litigation, resulting from incidents such as wrongful collection and processing of personal data – the share of these claims has tripled in value in two years alone.”

‘Non-attack’ claims increase as privacy litigation ramps up

The rise in ‘non-attack’ data privacy claims is the consequence of developments in technology, the growing commercial value of personal data, and a developing regulatory and legal landscape. For example, unlike the EU’s General Data Protection Regulation (GDPR), privacy regulations in the US are less prescriptive and open to interpretation, while plaintiff lawyers are hungry for potential sources of revenue. This is creating a grey area that is ripe for class action litigation, the report notes.

“We are seeing more data privacy breach claims in the US where there is a growing trend for class action litigation against large US and international corporations related to privacy violations, such as around consent and data usage,” says Daum. “The cost of some of these claims can be even larger than a ransomware incident, in the hundreds of millions of dollars.”

Over the last year in particular, data breaches have emerged as one of the fastest growing areas of US class action litigation. Over 1,300 were filed across a wide range of data privacy regulations in 2023, more than double the number filed in 2022 and four times that filed in 2021, according to law firm Duane Morris.

Multiple class action lawsuits have been launched against organizations across a wide range of industries, including healthcare, social media and gaming, for using tracking tools such as Meta Pixel to monitor consumer behavior, while entertainment streaming platforms have also been targeted, alleging that they may have violated privacy protection rights. Large data breach events can also evolve into hyper litigation, with one event triggering a slew of class actions.

More than 240 lawsuits related to the 2023 MOVEit data breach were consolidated into a single Multidistrict Litigation in October 2023. And with large numbers of claimants, there are incentives for parties on both sides to settle. The top 10 data breach class action settlements last year totaled $516mn, a significant increase over the $350mn recorded in 2022.

The risk of data breach litigation is also growing in Europe. Heightened awareness of data protection rights, a rise in the availability of third-party litigation funding, and a more consumer friendly litigation environment could make mass data privacy claims a reality, albeit not on the same scale as the US, the report notes.

Asian companies must not rest on their laurels

Worldwide, the average cost of a data breach reached an all-time high in 2024 of $4.9mn. In comparison, the average data breach costs in Japan, South Korea, ASEAN, and India are $4.19mn, $3.62mn, $3.23mn, and $2.35mn respectively, according to IBM’s Cost of a Data Breach Report 2024.

“Despite the relatively lower loss severity in Asia compared to other regions, companies need to stay vigilant as there is a noticeable uptick of cyber incidents in the region,” says Karlis Trops, Head of Cyber and Tech Professional Indemnity, Allianz Commercial Asia.

“One of the contributing factors is the gradually evolving cyber security maturity. Furthermore, a considerable number of outsourced technology service providers are located in Asia, which constantly attracts threat actor interest. The aim of the supply chain attack vector is to gain access to multiple victims.

“Companies in Asia can further strengthen cyber resilience and preparedness. Notwithstanding the implementation of new privacy regulation and cyber security acts, as well as mandatory cyber security incident reporting by some countries in the region in recent years, investment in cyber security controls by companies in Asia in general lags compared to their peers in other regions such as USA and Europe.”


Previous articleLeaders feel businesses not moving fast enough to address “megatrend” risks
Next articleHow midcareer and older workers experience AI in the workplace