According to the company, it received the same number of claims related to cyber breaches in 2017 as in the previous four years combined and expects more attacks after the introduction of GDPR.
The insurer predicts that cybercriminals will hold companies and organisations to ransom by seizing sensitive data that is inadequately protected online and then threatening to disclose it unless they cough up.
The firm claims that the criminals would then pitch the cost of the ransom lower than the cost of the fines under GDPR and the reputational damage of disclosure.
Mark Camillo, head of professional liability & cyber EMEA at AIG, said: “GDPR is likely to become another tool for extortionists, who will threaten to compromise an organisation’s data unless a payment is received, knowing that the consequences will be more significant under the new regime.”
While previous ransomware such as WannaCry, which brought parts of the NHS to a standstill last year, has threatened to destroy files, there have been concerns that new versions will threaten to alert the authorities.
Scammers have already taken advantage of the confusion around GDPR to send “phishing” emails under the guise of GDPR-related emails, with customers of NatWest among those targeted. Action Fraud has released a statement confirming that banks will never ask for a PIN, password or memorable information by text or email. It has also pointed out that fraudulent GDPR emails will often contain poor spelling or grammar, as well as sub-standard design that you would not expect in a legitimate email from a bank.