Brylee Jaghbir
Head of Cyber, Pacific
Understanding cyber claims trends helps to inform an effective risk management strategy for one of the signature risks in today’s tech-driven society. Analysis of the 1,800+ cyber claims submitted to Marsh in the US and Canada in 2023 reveals the following:
With cyber risk firmly embedded as a key concern for organizations of all sizes, effective risk transfer is an increasingly important piece of a successful cyber risk management strategy. In turn, it’s important for companies to both understand and properly manage their potential cyber claims in support of risk transfer.
In 2023, Marsh clients in the US and Canada reported more than 1,800 cyber claims, more than in any previous year. These include claims under cyber, tech and telecom errors and omissions (E&O), and media coverage.
The increase was driven in part by the growing sophistication of cyberattacks; the MOVEit event, which highlighted supply chain vulnerabilities; privacy claims; and the increasing number of Marsh clients purchasing cyber insurance. As it has for several years now, ransomware — though accounting for less than 20% of the total cyber claims — remains a top concern for insurers and insureds alike due to its potentially significant financial impact, reputational harm, loss of market share, long-tail nature of litigation, regulatory scrutiny, and more.
The annual percentage of clients reporting at least one cyber event has remained fairly consistent over the past five years, between 16% and 21% (see Figure 1). The consistency shows, in part, that companies’ cyber controls have kept pace with the growing sophistication and frequency of cyberattacks.
Figure 1
Cyber events can happen to any organization, but specific industries have been targeted more often than others over time (see Figure 2). The top five industries among Marsh clients to be affected by cyber events have remained consistent; in 2023 they were healthcare, communications, retail/wholesale, financial institutions, and education.
Figure 2
Although the average cost has increased for breach response expenses — consisting of privacy counsel, computer forensics, and, if necessary, notifications — the median cost has remained relatively constant (see Figure 3). During the last five quarters, the median cost of breach response expenses remained around $160,000, while the average has trended upwards, from $963,000 in the third quarter of 2023 to $1 million in the fourth quarter, primarily due to a few large cyber events.
Figure 3
Ransomware attacks remain central to most cyber risk discussions as they continue to increase in frequency, sophistication, and severity and remain the dominant cyber threat to many organizations’ daily operations, long-term finances, reputation, and more.
Along with ransomware claims, overall cyber claims reporting also increased in 2023. Since rising rapidly in 2020, the number of reported ransomware events has remained under 20% of total reported cyber claims from Marsh clients for the past two years (see Figure 4). This means that privacy claims and system attacks leading to unauthorized access and potentially exposed data without an extortion component comprise a much larger share of cyber events reported by Marsh clients than do those with an extortion component.
Figure 4
In 2023, the number of clients reporting cyber extortion events reached the highest annual level to date (see Figure 5). This followed a decline in cyber extortion events reported in 2022, which was lower than in the prior two years. While it is difficult to pinpoint a reason or reasons for the 2022 decline, various cybersecurity experts, inside and outside of Marsh, cite such factors as a (temporary) move away from data encryption toward exfiltration, disruptions brought on by the start of the Russia-Ukraine war, decreased willingness of some companies to pay, and the successful “infiltration” of a particular ransomware group by the FBI. No matter the reasons for the 2022 decline, ransomware events reached new highs in 2023 as the number of bad actors increased significantly.
Figure 5
In an extortion event, companies need to decide whether they will pay a ransom to obtain the decryption key and/or to stop the compromised data from being released. Organizations need to assess the possible damages while at the same time judging the “trustworthiness” of the criminals they are dealing with — if a ransom is paid, will the threat actors comply? Or are they going to retain the data for a new extortion attempt?
Marsh clients had more success responding to and recovering from cyber extortion events in 2022 than in 2023 (see Figure 6). The median extortion payment dropped from $822,000 in 2021 to $335,000 in 2022. However, this trend was reversed in 2023 as the median payment increased from $335,000 to $6.5 million and the median demand increased from $1.4 million to $20 million as cyber criminals grew bolder. While the decision to pay or not to pay is highly nuanced, organizations should be prepared to respond, including by “practicing” their response under a variety of scenarios.
Generally, extortion negotiations prove effective in reducing the final ransom paid, although it is important to note that every such situation is unique. The percentage of the median demand paid increased from 24% in 2022 to 32% in 2023.
Figure 6
Marsh clients continue to invest in cyber resiliency, including in such areas as tabletop exercises, incident response vendor readiness, downtime procedures, out of band communication plans, and effective cybersecurity controls. The effectiveness of such investments is indicated by the continued drop in the percentage of those opting to pay an extortion demand (see Figure 7).
Figure 7
The potential for privacy liability is typically among the many factors that may influence the decision of whether to pay a ransom. However, it can be difficult to assign a value to that liability when deciding whether paying will be economically beneficial or reduce future liability. Privacy liability claims have significantly increased over the past few years, and settlement values have also been increasing, making this an important unknown.
The decision can be more straightforward when criminals encrypt data and cause business interruption (BI) losses. For example, a company might be able to determine that BI losses are costing $1 million per day. If the cost to decrypt will be $X thousand and will enable the business to be up and running in a few days, the math may point to a decision to pay. Every situation is unique, and a decision to pay or not to pay a ransom can have consequences beyond the specific incident at hand.
Other factors that may influence the decision to pay include whether the exfiltrated data is business sensitive, or possibly embarrassing.
In some instances, insurers may more deeply scrutinize ransom payments where there is no encryption, especially if breach notification laws are triggered. If ambivalence about paying ransoms increases, some observers wonder if data theft will go full circle, with more criminals simply selling stolen data on the dark web and avoiding working with their victims.
As cyber risk continues to evolve, companies need to monitor and adjust their cybersecurity controls and engage claims advocates, among other measures. When a claim does arise, it’s important to follow proper steps, such as notifying insurers, brokers, and other stakeholders and maintaining proper documentation.
More broadly, companies should have a cyber resilience strategy that incorporates a view of cyber risk across the enterprise, including its potential economic and operational impact. Such a strategy also includes accounting for cybersecurity at vendors and other third parties, and undertaking regular tabletop exercises and response evaluations.
We can help you quantify your cyber risk exposures with scenario-based loss modeling, benchmark potential cyber event losses and costs, consider the effectiveness of cybersecurity controls from a financial perspective, assess the economic efficiency of multiple cyber insurance program structures, and help manage your claims, should one arise.
When a cyber incident occurs, many companies will turn to outside vendors to manage aspects of the event. Many insurers have a panel of vendors that are pre-approved to work on cyber incidents and claims. Marsh has found that clients using their insurer’s pre-approved vendors can significantly reduce the average time from event notification to receiving confirmation of coverage or first payment — to just over 2 months when using a panel vendor, compared with more than 12 months when using non-panel vendors.
Cyber risk is complex and pervasive. Marsh’s Cyber Practice provides organizations with experienced risk advice when managing their exposures.
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.
LCPA 24/424