Risk Assessment Report: The Expanding Landscape of Non-Attack Cyber Incidents and Liabilities

1.0 Introduction: Redefining the Scope of Modern Cyber Risk

The calculus of corporate cyber liability has fundamentally changed. While direct cyber-attacks remain a primary threat, a new class of non-attack incidents has arrived as a co-equal, and often more complex, source of major financial and operational loss. Analysis of Allianz Commercial's claims data reveals that technology failures, data privacy litigation, and supply chain disruptions accounted for a record 28% of the value of large claims in 2024. This demonstrates that the traditional "perimeter defense" mindset is now dangerously incomplete. The core objective of this report is to provide corporate risk management and legal teams with a data-driven assessment of these non-attack threats, detailing their financial implications and outlining a strategic path toward holistic resilience in a more interconnected digital environment.

2.0 The Shifting Threat Landscape: Analysis of Current Cyber Claims Trends

To accurately assess the impact of non-attack vectors, it is critical to first establish a baseline understanding of the current attack-driven claims environment. Attacker tactics are continuously evolving in response to corporate defenses, reshaping the overall risk profile for businesses. Data from H1 2025 indicates that well-prepared organizations are successfully hardening their defenses, with overall claims severity declining by over 50% and the frequency of large loss claims (>€1mn) down by approximately 30%. As Michael Daum, Global Head of Cyber Claims at Allianz Commercial, notes, this positive trend "is likely the result of insureds’ cumulative investments in cyber security, detection and response, as well as trends in ransomware attacks, which tend to favor those companies which are well-protected and prepared."

This improved resilience has triggered a clear tactical shift. Ransomware actors are migrating their focus from well-protected enterprises to less resilient mid-sized and smaller firms. This is substantiated by Verizon data, which shows ransomware was involved in 88% of data breaches at small and medium-sized firms, compared to just 39% at large firms. Concurrently, as encryption becomes more difficult against hardened targets, attackers are pivoting to data exfiltration, which is often an easier and faster tactic to compel a ransom payment. This has made data theft a primary driver of financial loss.

• H1 2025: 40% of large cyber claims (>€1mn) included data theft as a component.
• Full Year 2024: This represents a significant increase from 25% for the full year 2024.
• Financial Impact: Claims involving data exfiltration were more than double the value of those that did not involve data theft.

While these attack-driven trends continue to shape the market, the data reveals another critical development: the significant and accelerating rise of non-attack incidents as a major source of corporate liability.

3.0 Deep Dive: The Rise of Non-Attack Incidents and Liabilities

While malicious attacks dominate headlines, claims data reveals that non-attack incidents are responsible for a substantial and growing share of financial losses, accounting for a record 28% of the value of large claims (>€1mn) in 2024. It is crucial to view these risks—technology failure, privacy litigation, and contingent business interruption—not as a simple list, but as an interconnected system of potential liability. A single third-party technology failure, for instance, can trigger a massive contingent business interruption event and simultaneously lead to data privacy litigation if client data becomes inaccessible or is mishandled during the outage.

3.1 Technology Failure and System Outages

For the first time in 2024, business interruption from technical failure emerged as a major loss category, accounting for approximately 10% of the value of large loss claims. The widespread outage at cyber security provider CrowdStrike serves as a prime example of the scale of disruption these events can cause, impacting critical industries like healthcare, retail, financial services, and aviation. The primary causes of these damaging outages are not malicious attacks but internal operational issues, including technical glitches, human errors such as system misconfiguration, and flawed software updates.

3.2 Data Privacy Litigation and Regulatory Liability

The risk posed by data privacy actions is escalating rapidly. In 2024, incidents related to the wrongful collection and processing of data accounted for a record 18% of the value of large claims (up from 6% in 2021), tripling their share in just three years. This financial impact is driven by a surge in litigation, with approximately 1,500 data privacy actions filed in the US in 2024 alone.

Several key legal and technological trends are fueling this increase in liability:

• Biometric Data Legislation: The Illinois Biometric Information Privacy Act (BIPA) continues to spark class-action litigation, setting a precedent for legal challenges in this area.
• Web-Tracking Technologies: Hundreds of class actions have been filed against companies for the unauthorized use of data collected via pixel and session replay software.
• Emerging State Laws: New legislation, such as Daniel's Law in New Jersey, is creating new avenues for litigation related to the disclosure of personal information.

Furthermore, the proliferation of Artificial Intelligence (AI) presents an emerging liability exposure, as AI systems could facilitate breaches of privacy regulations through the unauthorized collection and use of data.

3.3 Contingent Business Interruption (CBI) from Supply Chain Dependencies

A primary emerging threat vector is contingent business interruption (CBI) stemming from events at IT supply chain partners. The financial impact of this risk is increasing sharply, with its share of large cyber claims more than doubling in the first half of 2025 compared to the prior year.

CBI losses can be triggered by either direct cyber-attacks or technical faults at third-party suppliers, such as software vendors or cloud service providers. This risk is magnified by the increasing frequency of supply chain incidents; according to CrowdStrike, cloud intrusions increased by 136% in H1 2025 compared to all of 2024. This dependency creates a scenario where an organization's resilience is directly tied to the security and operational stability of its external partners.

4.0 Quantifying the Financial and Operational Impact

The identified non-attack risks translate into significant and quantifiable financial consequences. Understanding these costs is critical for effective risk management and for justifying strategic investments in resilience. The financial delta between a contained incident and a full-blown crisis is stark, often differing by a factor of 1,000, as this real-world claims scenario illustrates:

€20,000 or €20mn? How Early Detection and Response Can Make All the Difference

An attack on a manufacturing company is detected and contained early, before the attacker gains administrative rights. The total cost for forensics and restoration is approximately €20,000.

In the same scenario, the attacker is not detected early and is able to encrypt systems and exfiltrate data. The total loss from business interruption, ransom, restoration, and third-party claims totals approximately €20mn—a cost 1,000 times greater.

This principle applies equally to mitigating the cascading effects of a technical failure or CBI event. The primary financial drivers for both attack and non-attack incidents include business interruption, which remains the single largest driver of loss, accounting for over 50% of the value of all cyber claims. This directly links to the growing risks from technology failure and supply chain outages. Additionally, according to IBM's Cost of a Data Breach 2024 report, the average global cost of a data breach reached a record high of almost US$5 million. This figure is directly influenced by stricter data privacy regulations and the escalating threat of class-action litigation, reinforcing the central themes of this report.

5.0 Strategic Recommendations for Risk Mitigation and Resilience

While the cyber risk landscape is expanding in complexity, organizations have an unprecedented ability to mitigate these threats through targeted investments in technology, processes, and training. An effective strategy must be multi-faceted, enhancing resilience against both traditional attacks and the emerging categories of non-attack incidents.

5.1 Bolster Detection, Response, and Preparedness

The financial case for investing in detection and response capabilities is overwhelming, as these measures can reduce ultimate claim costs by a factor of 1,000. Organizations should prioritize:

• AI-Powered Security Tools: AI is transforming cyber security by automating threat detection. According to IBM, organizations that used AI and automation saved an average of US$2.2 million in breach costs compared to those that did not.
• Incident Response Preparedness: Regular tabletop exercises are critical for testing and refining response plans. In one Allianz-managed claim, an insured that had recently conducted such an exercise was significantly better prepared for a real-world attack, which ultimately helped mitigate the final claim cost.

5.2 Address Supply Chain and Third-Party Risk

As dependency on external IT services grows, rigorous vendor management becomes a cornerstone of cyber resilience. As Michael Daum advises, "The risk of breaches at their IT suppliers and partners is much harder to control... vendors need to be well controlled and managed, from a contractual perspective, but also around access control, monitoring and audits of suppliers." Organizations must develop robust business continuity plans specifically designed to address potential CBI events originating from critical third-party service providers.

5.3 Navigate the Evolving Regulatory Environment

New regulations are raising the bar for cyber resilience, offering a strategic opportunity to embed best practices. This is a direct regulatory response to the systemic risks, particularly the contingent business interruption and supply chain threats quantified earlier in this report.

• Digital Operational Resilience Act (DORA): Aims to strengthen the digital operational resilience of financial entities by mandating robust IT risk management and resilience testing.
• Network and Information Security Directive (NIS2): Establishes a common cybersecurity framework across 18 critical sectors and their supply chains, mandating enhanced risk management and incident reporting.

Compliance with these frameworks, while challenging, enables organizations to mature their risk management systems, particularly benefiting mid-sized companies and fortifying the entire digital ecosystem.

6.0 Conclusion: Adopting a Holistic View of Cyber Resilience

This assessment confirms that the modern cyber risk landscape has fundamentally expanded beyond the exclusive focus on external, malicious attacks. Substantial liabilities now arise from internal technology failures, complex data privacy litigation, and critical supply chain disruptions. These non-attack vectors have become significant drivers of financial loss, demanding a commensurate level of attention from corporate risk and legal teams. While claims trends show that well-prepared organizations are becoming more resilient to traditional attacks, these emerging threats require a broader, more holistic approach to risk management. To ensure continued viability, organizations must evolve their risk posture beyond attack-centric defense to address these operational and legal liabilities, as this is now a non-negotiable component of modern corporate resilience.