
Thought leadership article

2024 Cyber risk predictions

This year, we’re closely watching how the courts will respond to a recent spate of generative artificial intelligence (AI) and privacy-related litigation, evaluating how different global markets will respond to regulatory changes and thinking about how cybercriminals will evolve their tactics. And, of course, we’re preparing for the myriad ways all of these emerging trends will impact businesses. At the beginning of 2023, we predicted that greater incident complexity, class actions for cyber extortion and increased use of security measures like multi-factor authentication (MFA) would be the big themes, all of which did indeed bear out over the course of the year.

2024 Cyber risk predictions - Latest trends

With three full years of cyber claims data now available for side-by-side comparison, we can clearly see evidence of the myriad ways that security trends have evolved over time.

As anticipated, fraudulent instruction incidents were down 15% for the year, a shade more than predicted at the end of Q3. Retail, manufacturing, non-profit and government show significant improvement in managing fraudulent instruction risks, with declines of 38%, 35%, 23% and 20% year over year, respectively.


In contrast, business email compromise (BEC) was up 18% year over year across industries, returning to levels seen in 2020 and 2021. While professional services continued to experience the highest number of BEC incidents, the BEC incident count was only 5% higher than last year. Compared to levels seen in 2020 and 2021, retail and business services show consistent improvement in lowering BEC rates, while most other industries have experienced fairly consistent rates.


Incidents involving data exfiltration are again trending upward, with data exfiltration involved in 90% of incidents in Q4. Despite indications to the contrary earlier in the year, there was no significant decline in overall data exfiltration in 2023.


Increased volatility is the name of the game when it comes to ransomware attacks. Phishing continues to decline among our policyholders, while incidents involving Remote Desktop Protocol (RDP) are on the rise, and those related to software vulnerabilities remain relatively steady. As always, these factors underscore the need for a continued, robust defense-in-depth approach to cyber security, not only to keep attackers out but also to prevent them from moving around and doing damage if they get in.


This article is reproduced with the kind permission of ICMIF Supporting Member Beazley.

Published June 2024

AI’s considerable impact will play out in the courts in 2024

With high-profile lawsuits pending against key players like OpenAI and Meta, we are likely to see US courts rendering a patchwork of decisions over the coming months in several key categories:

  1. Privacy: Cases are arising out of the use of “data scraping” technology to train AI algorithms. Data scrapers extract information from websites that is then sold to train large language models, which can result in the collection and dissemination of sensitive information.
  2. Copyright/Intellectual Property: Artists and authors are alleging that copyright laws are violated by the training of AI models on their work without providing any compensation (see for example the NY Times’ current suit against OpenAI). These cases could force large tech companies to change the way AI is built, trained and deployed so that it is fairer and more equitable.
  3. Libel/Defamation: There are questions arising around who bears responsibility when AI produces false, reputation-harming information, as in this recent incident at a local car dealership. Even more serious is the potential use of these tools to spread disinformation and to create deep fakes.
  4. Fraud/Breach/Ransomware: The availability of new AI tools will impact claims involving fraud, data breaches and ransomware.

"Data scraping can result in the collection of sensitive information. The US Federal Trade Commission has opened an investigation into whether OpenAI violated privacy and consumer protection laws by scraping people’s online data to train ChatGPT. There are also lawsuits against OpenAI alleging privacy violations as a result of the data scraping that was used to train the model." - Melissa Collins, Claims Focus Group Leader, Cyber and Technology Third-Party Claims

Global regulatory change is likely to influence behaviours

What happens in one region could impact other regions around the world, including possible ripple effects to cover and policies. To help our policyholders stay informed, we regularly monitor legal and regulatory developments across the globe.

In Portugal, the Insurance and Pension Funds Supervisory Authority (ASF) has recently declared that insurance contracts indemnifying the ransom payment associated with cybercrimes are not legally permissible, due to violation of Portuguese civil law.

Australia will be implementing mandatory reporting requirements for ransomware. The government is keen to understand which organisations are being targeted because ransomware costs the Australian economy up to AU$3 billion (USD$1.9 billion) in annual damages.

France has also implemented mandatory reporting requirements, but only for cybersecurity incidents covered by a cyber policy. The law requires insureds to file a complaint within 72 hours of becoming aware of a system compromise.

In the US, under the SEC’s new cybersecurity disclosure rule, public companies must now disclose the existence of key details surrounding a cybersecurity incident within four business days of determining the incident is material.

Additionally, the FBI has announced that it will increase the number of agents deployed to American embassies to focus on cyber-related crime. This increase will bring the total number of agents in foreign countries to 22 and is designed to improve the FBI’s efforts to combat international cybercrime.

"In addition to country-specific legislation, on 8 December 2023, a political agreement was reached on the terms of the European Union Artificial Intelligence Act (the “EU AI Act”). Once the final text is made public, we will be able to assess the possible impact that it will have on clients and their cyber insurance policies." Sandra Cole, Focus Group Leader - London and International Cyber - Claims

Privacy and tracking claims are likely to reach a tipping point

Privacy will be a continued and exacerbated theme for 2024, particularly in the US, where more privacy and tracking claims are anticipated. This is less of a global issue for now, but we continue to track developments in other jurisdictions where class action mechanisms are in place; for example, we have seen an increase in data privacy class actions in Australia. Fortunately, most other global markets are still protected from mass litigation and class action litigation thanks to “loser pays” rules and a general reluctance of the courts to open the floodgates to mass litigation.

In addition to the aforementioned suits arising out of generative AI, we anticipate that facial recognition tools will also be in the hot seat in US courts. This will likely include more claims under the Illinois Biometric Information Privacy Act (BIPA) related to facial scanning, as well as an increase in geolocation claims due to vehicle tracking.

With large-scale privacy-focused class actions, plaintiffs will look to find a hook with old statutes that provide for statutory damages, like federal and state wiretapping laws and the Video Privacy Protection Act (VPPA). As the year progresses with more decisions from the courts being made, hopefully some potential class actions will be curtailed.

"It’s a pivotal time for privacy issues. With the lack of fines from regulators, coupled with recent and upcoming enforcement actions, this is a good time to stay close to your cyber insurer. We're here to help ensure you're educated about the issues and prepared for their potential implications." Andrew Girman, Cyber Services Manager - Philadelphia

Attackers will employ a wider range of strategies and tactics

Cybercriminals are constantly evolving their tactics to increase pressure on their victims, as they seek to maximise the monetary value and impact of their attacks.

Employees will require additional training on AI risks as these continue to evolve in 2024. Human resources teams, for example, should be prepared for cybercriminals to make use of AI bots to gain employees’ trust.

Organisations should also be aware that cybercriminals are starting to publish leaked data on the public Internet, making this data more accessible to the public and thus increasing the pressure to pay a ransom. An organisation named on a cybercriminal’s blog can become a target for other cybercriminals who might reach out asking for a ransom payment, falsely claiming to be the group who performed the hack.

Other risks with data being exposed publicly include public data impacting merger and acquisition (M&A) strategy or repudiating intellectual property rights, especially when trade secrets are stolen.

"We have witnessed an escalation in cyberattacks targeting critical infrastructure, notably water treatment facilities. Cyber criminals have abandoned previously held 'rules of engagement,' signalling a further disregard for ethical boundaries. Other critical assets, like hospitals and nuclear power facilities, are at higher risk. It's a stark reminder of the increasingly perilous landscape in cybersecurity, demanding vigilance and robust protective measures." Max Bradshaw, Cyber Services Manager - Chicago

AI will increase the threat landscape in 2024

Regulation will continue to evolve over the course of the year and could impact the ability of insurance to provide the level of coverage that it currently does in some territories. There will also be greater pressure on firms who suffer a data breach or cyberattack to notify official privacy bodies, which could create additional knock-on effects following an incident.

Simultaneously, cybercriminals are becoming more aggressive in their attacks as they seek new ways to force companies to pay ransoms and monetise the data they steal.

Given these factors, having an experienced cyber insurer that offers risk management services on your side will be more important than ever. By taking proactive risk management steps, organisations will help to reduce the likelihood of an attack and be in the best position to avoid all of the financial, managerial and reputational damage that this can cause.
