Camilo Artiga-Purcell is general counsel at Kiteworks. Views are the author’s own.
Allianz paints a concerning picture in a recent report: Cyber claims exceeding $1 million rose 14% in early 2024, with claim severity increasing 17%—after a 1% increase in 2023.
For legal executives, these statistics represent a critical shift in corporate risk. Data breaches now trigger complex challenges across privacy regulations, cyber insurance, and third-party liability. Privacy-related class actions tripled in value over two years, while cyber insurance premiums continue to climb.
Legal teams must act quickly to revise incident response plans, strengthen vendor oversight, and align data governance with stricter underwriting requirements. This analysis outlines specific steps general counsel should take to address these converging challenges in 2024.
Cyber and compliance risk landscape
The cyber and compliance risk landscape is marked by increasingly sophisticated attacks, regulatory pressures, and sector-specific vulnerabilities. Legal professionals must navigate these challenges, particularly as ransomware, class action lawsuits, and sectoral risks intensify.
Key Risks and Trends
1. Ransomware Attacks. Ransomware has evolved into a formidable dual threat, inflicting both operational disruption and severe privacy liabilities. The 2024 Change Healthcare breach serves as a significant example, where over 100 million patient records were compromised, leading to both operational downtime and extensive privacy concerns. For organizations, this means a heightened need to secure data at all levels.
2. Class Action Surge. The number of data privacy lawsuits has surged, with over 1,300 cases filed in 2023 alone, marking a significant uptick from prior years. Total settlements in the top 10 data breach cases reached $516 million, up from $350 million in 2022, underscoring the financial implications for organizations unable to prevent or mitigate breaches. This trend signals an era of hyper-litigation, where companies, particularly those with sensitive customer data, must prepare for the likelihood of multiple concurrent lawsuits after a significant data breach.
3. Sector-specific Vulnerabilities. Certain industries face elevated risks due to the nature of the data they handle. According to the Kiteworks Industry Risk Score Report, the financial services sector recorded the highest risk score of 8.5 in 2023, up from 6.2 in 2022, reflecting increasing cybersecurity threats. Government entities, too, experienced a dramatic risk score increase, driven by the sector’s vast data troves and critical infrastructure role. Healthcare, with its reliance on sensitive patient information, remains highly vulnerable. These sectors must adopt tailored cybersecurity strategies to address their unique risk landscapes, balancing both compliance and operational security to mitigate potential losses effectively.
Shifting insurance market
The cyber insurance market has tightened considerably, with premiums climbing sharply and coverage terms narrowing. Allianz’s recent data highlights that companies with insufficient security controls are facing premium increases of 30% to 50%, while even those with robust cybersecurity measures are seeing hikes of 10% to 20%. These adjustments reflect insurers’ growing caution in the face of escalating cyber threats, particularly as claims rise in both frequency and severity.
Beyond higher premiums, coverage limitations are becoming a standard feature of cyber policies. For instance, incidents attributed to nation-state attacks are frequently excluded due to the complexity of attributing such attacks and the heightened risks involved. In addition, breaches of unencrypted data, which expose organizations to significant privacy risks, are often not covered unless specific data security protocols are in place. Third-party liabilities also face exclusions unless strict contractual security terms with vendors are documented, a condition that highlights insurers’ focus on managing interconnected risks. These coverage restrictions necessitate that organizations implement comprehensive security measures and review their insurance policies carefully to avoid gaps in protection.
Claims data and breach trends
High-value claims in the cyber insurance space are increasingly driven by privacy-related breaches. Such incidents—often involving sensitive customer data—have substantial financial implications, including regulatory fines and costly settlements. This trend is in line with findings from the Kiteworks report, which reveals that privacy-related incidents, particularly those involving sensitive content communication, are tied to increased litigation costs and higher financial liabilities. As data privacy regulations grow more stringent, breaches involving protected data trigger regulatory scrutiny and open the door to class action lawsuits, brand damage, and customer loss.
Given these trends, insurers are prioritizing robust data governance, incident response planning, and third-party security in their assessments. For organizations, especially in heavily regulated sectors, investing in strong data privacy and governance frameworks not only reduces the risk of breaches but also enhances the likelihood of securing favorable terms in this increasingly stringent cyber insurance market. Legal teams must work closely with cybersecurity and compliance teams to ensure alignment between operational security practices and the evolving requirements of cyber insurance policies.
Legal and regulatory considerations
The evolving landscape of data privacy laws is adding layers of complexity for organizations managing sensitive data. In the United States, new state-level privacy laws, such as California’s Consumer Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA), mandate stringent data handling and consumer rights provisions. These laws require organizations to adapt their data management strategies to accommodate a range of rights, from opt-in consent for sensitive data to comprehensive data access and deletion options. On a global scale, the General Data Protection Regulation (GDPR) continues to be a powerful regulatory standard, with fines surpassing €4.48 billion in 2024, underscoring the high stakes of noncompliance.
Enforcement patterns
Regulatory bodies are increasingly focusing on enforcement, particularly targeting organizations with inadequate data governance frameworks. GDPR violations have seen significant fines imposed on companies that fail to ensure proper data handling, especially where high-risk data is involved. The Kiteworks Sensitive Content report highlights that specific data types—such as personally identifiable information (PII) and protected health information (PHI)—present heightened compliance risks. To navigate these enforcement patterns, legal teams must prioritize data governance, ensuring robust processes for data classification, monitoring, and control.
In this complex regulatory environment, proactive compliance strategies are essential. Organizations need to maintain comprehensive documentation, perform regular audits, and ensure alignment between data privacy practices and legal obligations. By implementing these measures, legal teams can mitigate the risk of costly regulatory fines and safeguard their organization’s reputation in an increasingly privacy-conscious market.
Framework for legal teams
In the face of escalating cyber threats and regulatory demands, legal teams play a pivotal role in shaping an organization’s risk management framework. A comprehensive strategy should incorporate robust data governance, proactive third-party risk management, and a well-defined incident response plan to address the multifaceted risks associated with sensitive data.
Data governance and security practices
Effective data governance is fundamental to protecting sensitive information and meeting compliance requirements. Legal teams should advocate for data classification systems that prioritize high-risk data types, such as personally identifiable information (PII) and protected health information (PHI). Routine audits and cross-functional data governance committees that include IT, security, and privacy leaders are essential for maintaining oversight and ensuring that data management practices evolve alongside emerging risks. These committees should regularly review data handling processes, update policies, and enforce retention schedules that align with regulatory standards. Strong governance not only minimizes risk but also supports legal compliance in the event of an audit or breach.
Third-party risk management
Managing third-party risks is a critical component of a legal team’s strategic framework. With many organizations exchanging sensitive information with over 1,000 third parties, and a substantial percentage reporting over 2,500 third parties, the exposure to external vulnerabilities is substantial. Legal teams should ensure that all third-party contracts include stringent data security requirements and demand compliance with the organization’s data protection policies. In this vein, it is critical that customer contracts link limitation of liability to the economic reality of the particular deal, as well as curb or dispense with indemnification provisions that exceed intellectual property warranties. Implementing real-time monitoring of third-party access to sensitive data and requiring periodic security assessments of vendors further reduces the likelihood of a breach originating from an external partner.
Incident response
A well-prepared incident response (IR) plan is essential for mitigating the damage of a data breach. Legal teams should play an active role in developing and testing IR plans, ensuring they align with insurance policy requirements. Quarterly testing of response procedures, involving key stakeholders across legal, IT, and compliance departments, helps identify gaps and strengthens readiness. The IR plan should also outline clear points of contact for regulatory authorities, specify documentation requirements, and establish protocols for notifying insurance carriers when a breach occurs. Detailed documentation of all response activities is essential, as it provides a record that can support regulatory reporting and demonstrate the organization’s compliance efforts.
Insurance and privacy integration
Legal counsel plays a crucial role in bridging the gap between cyber insurance requirements and data privacy obligations. Key alignment areas include fostering cross-departmental cooperation to integrate data governance protocols with insurance standards. Prioritizing high-impact breaches through coordinated data management and risk assessment helps organizations meet both regulatory and insurance expectations.
Maintaining comprehensive legal documentation is essential for effective integration. Legal teams should focus on creating and preserving records that satisfy both compliance mandates and insurance policy requirements. This approach ensures that all aspects of data privacy, from breach response to third-party management, are adequately documented, which enhances organizational resilience. By aligning documentation practices with industry standards, legal teams can safeguard against potential coverage gaps and facilitate smoother claims processes if a breach occurs.
Enacting an action plan
For legal professionals, navigating today’s complex cyber risk landscape demands immediate and proactive steps. Key actions include conducting thorough policy audits to identify coverage gaps, updating vendor contracts to align with stringent data protection standards, and developing a proactive cyber insurance strategy that reflects current threat realities. These steps not only enhance compliance but also strengthen the organization’s resilience against potential data breaches.
As cyber threats continue to evolve, ongoing adaptation is crucial. Legal teams must remain agile, regularly revisiting risk management practices to address new vulnerabilities and regulatory demands. By taking decisive action now and fostering a culture of continuous improvement, legal professionals can help safeguard their organizations against the mounting risks of data privacy breaches and cyber incidents.