The real reason for spike in cyber claims

The number of reported cyber claims has jumped significantly, but it’s not because of the major breaches you’ve been reading in the headlines.

Small to mid-sized organizations are at greater risk of cyber losses than large organizations, A.M. Best Company Inc. warned in a report released Monday.

“SMEs are actually at greater risk, as they are easier targets because of generally weaker cybersecurity,” A.M. Best said in Cyber Insurers Are Profitable Today, but Wary of Tomorrow’s Risks.

The Oldwick, N.J., ratings firm was commenting on several high-profile cyber breaches, including the Starwood Guest Reservation system, owned by Marriott International.

Up to 383 million customer records (including passport numbers, names, addresses and dates of birth), going back to 2014, were exposed in the attack on the Starwood system, the Associated Press reported earlier. Affected hotel brands include St. Regis, Sheraton, Westin, Le Meridien and Four Points, among others.

In its segment report released June 17, A.M. Best alluded in its report to a breach reported in September 2018 that exposed data on tens of millions of Facebook users.

“What gets lost in the publicity of these high-profile cyber exposure events is that there is little, if any, publicity for smaller companies experiencing a cyberattack,” A.M. Best said.

U.S. insurers’ cyber premiums were up 12.6% (from US$1.8 billion in 2017 to $2.03 billion last year) but the total number of claims rose 39% (from 9 million in 2017 to 12.5 million last year), A.M. Best reported.

The main driver for this sharp increase in claims was a greater number of small to mid-sized organizations are buying cyber coverage.

“Compared to larger companies with larger premiums, smaller companies generally have fewer cyber protections, smaller exposures, lower limits, and commensurate premiums. This lower level of cyber protection makes SMEs more susceptible.”

One driver behind premium growth is stricter regulatory environments, including General Data Protection Regulation (GDPR), A.M. Best said.

GDPR, which took effect in the spring of 2018, gives privacy rights to citizens of all 28 European Union member nations. That includes nearly every European country west of Russia. Notable exceptions include Ukraine, Norway and Switzerland, while Britain is in the process of leaving the EU.

A company does not have to be located in the EU to have cyber exposure arising from GDPR.

Even having an online presence could mean GDPR exposure. An example of an online presence is if a company allows its mobile app to be downloaded to a cellphone in the EU and that cellphone user starts communicating within the EU region, Matthew McCabe, senior vice president for Marsh’s U.S. cyber practice, told Canadian Underwriter earlier.

One impact of GDPR is all EU citizens have the right to be forgotten. This means if a client gathers personally identifiable information on an EU citizen, that that must be deleted when it is no longer necessary for the purposes for which it was collected.