Identity Theft and Cybercrime

See also the Identity Theft section of our Web site Click Here

Cybercrime

As businesses increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online. This can leave individuals exposed to privacy violations, and financial institutions and other businesses exposed to potentially enormous liability, if and when a data security breach occurs.

Interest in cyber insurance and cyberrisk continues to grow as a result of high-profile data breaches and awareness of the almost endless range of exposures businesses face. In 2019 the worst data breaches were the Capital One Financial Corp. breach in July that exposed 100 million records and the October Adobe Creative Cloud breach that exposed 7­­ million users. In 2017 the largest U.S. credit bureau, Equifax Inc., suffered a breach that exposed the personal data of 145 million people, including Social Security numbers. It was among the worst breaches on record because of the amount of sensitive information stolen.

In 2019, there were 1,473 breaches, up 17 percent from 1,257 in 2018 but below the record number of breaches in 2017, when there were 1,632 breaches. However, the number of sensitive (i.e., personal identifying information) records exposed in 2019 totaled 164.7 million, down 65 percent from 471.2 million in 2018, according to the Identity Theft Resource Center‘s 2019 End-of-Year Data Breach Report. The business sector again faced the highest number of breaches—644 in 2019 compared with 575 in 2018. The ITRC notes that while the business sector accounted for 44 percent of total 2019 breaches, these breaches exposed only 11 percent of all sensitive records. The medical/healthcare sector ranked second in 2019 for the number of breaches, with 525, exposing 39.4 million sensitive records. The education sector had 113 breaches, ranking third, with 2.3 million sensitive records exposed. Breaches in the banking/credit/financial sector—totaling 108—ranked fourth. However those breaches exposed 100.6 million or 61 percent of total sensitive records. The Capital One breach in July alone exposed 99 percent of the sensitive records in the banking sector.

In 2019 the ITRC reported that hacking was the most used method of breaching data, with 577 data breaches resulting in 15.3 million records exposed. This form of breach includes intrusion methods like phishing, ransomware and malware, and skimming. Unauthorized access ranked second with 538 data breaches, but this method affected the highest number of records exposed by data breach type—142 million, or 86 percent of all sensitive records exposed in 2019. Employee error or negligence, improper exposure or lost data had the third highest number of breaches, 161, with 2.9 million records exposed.

Despite conflicting analyses, the costs associated with cybercrime are increasing. McAfee and the Center for Strategic and International Studies (CSIS) estimated the likely annual cost to the global economy from cybercrime is $445 billion a year, with a range of between $375 billion and $575 billion. The average cost of a data breach globally was $13.0 million in 2018, up 12 percent from $11.7 million in 2017, according to a 2019 study from the Ponemon Institute and Accenture. Researchers polled 355 organizations located in 11 countries to determine what costs they faced after a cyberattack, such as the costs to detect, recover, investigate and manage the incident response. They also included the cost of activities that occur after the fact and efforts to reduce business interruption and loss of customers. In the United States, the average annual cost of cybercrime rose 29 percent in 2018, to $27.4 million, compared with $21.2 million in 2017. Globally, the banking industry had the highest average annual cost in 2018—$18.4 million—up from $16.7 million in 2017, followed by utilities and software companies. By type of attack, malware incidents had the highest cost, at $2.6 million followed closely by web-based attacks at $2.3 million.

Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers have had to expand coverage for a risk that is rapidly shifting in scope and nature. In 2018, 545 insurers reported writing cyber insurance, up from 505 in 2017, according to NAIC data sourced from S&P Global Market Intelligence. Direct premiums written totaled $2.0 billion in 2018, from companies that can report premiums for stand-alone and coverage provided as part of package policies, up from $1.86 billion in 2017.

According to the Insurance Information Institute (I.I.I.) and J.D. Power 2019 Small Business Cyber Insurance and Security Spotlight Survey^SM, 12 percent of businesses surveyed suffered one or more cyber incidents in the prior year, up from 10 percent in 2018. Nearly 71 percent said they are “very concerned” about cyber incidents, up from 58 percent in 2018, and 75 percent said they believe the risk of being victimized by a cyberattack is growing at an alarming rate–up from 70 percent in 2018. Among the 44 percent of respondents who said they do not currently have cyber insurance and the 21 percent who said they do not know whether they do, 64 percent said they do not plan to purchase a cyber insurance policy in the next 12 months. While this is down from 70 percent in 2018 and given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers might be able to increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.

The Internet Crime Complaint Center (IC3), a joint project of the Federal Bureau of Investigation, the National White Collar Crime Center and the Bureau of Justice Assistance monitors Internet-related criminal complaints. In 2018 the IC3 received and processed 351,937 complaints, a 17 percent increase from 2017. Losses soared to $2.7 billion in 2018, almost double losses reported in 2017 that totaled $1.4 billion. In terms of dollar losses, business email compromise and email account compromise complaints were the most reported scams, with about $1.3 billion in losses, close to half of all losses. This type of scam targets both businesses and individuals who perform wire transfers. Criminals hack email accounts and attempt unauthorized fund transfers. About 20,000 people were victims of email account scams. Personal data breaches resulted in $149 million in losses and identity theft caused $100 million in losses. About 51,000 people were victims of personal data breaches and 16,000 were victims of identity theft scams.

Almost one out of four victims (24.1 percent) was over the age of 60. Close to half of all victims were under the age of 50, and they accounted for 57 percent of all losses in 2018.