New York | June 11, 2024
According to a new report published today by Marsh, the world’s leading insurance broker and risk advisor and a business of Marsh McLennan (NYSE:MMC), the number of companies in the US and Canada experiencing a cyber extortion event hit record numbers in 2023, with unprecedented ransom demands.
Yet, as cyber criminals have grown bolder in their requests, an increasing number of companies refused to pay, according to the report, Ransomware: A persistent challenge in cyber insurance claims, which analysed more than 1,800 cyber claims submitted to Marsh in the US and Canada in 2023.
Overall, 21% of Marsh’s clients reported a cyber event in 2023, a vast majority of which were privacy claims and system attacks leading to unauthorised access and potentially exposed data. This has remained fairly consistent over the last five years — between 16% and 21% — demonstrating in part that companies’ cyber controls have kept pace with the growing sophistication and frequency of cyberattacks, Marsh said.
In 2023, however, a record 282 extortion events were reported to Marsh, a 64% increase from 2022. Although representing only 17% of all cyber claims filed, ransomware remains a top concern for organisations given its increased frequency, sophistication, and potential severity, Marsh said. Indeed, the median ransom demand soared to $20 million in 2023 from $1.4 million, while the median payment made was $6.5 million, reflecting the effectiveness of extortion negotiations, Marsh notes in the report.
Only 23% of Marsh’s clients impacted by a cyber extortion event in 2023 paid the ransom. A majority — 77% — refused, reflecting a growing trend. In 2021, only 37% of Marsh’s clients rejected cyber criminals’ demands.
“With the ever-increasing threat of ransomware and its far-reaching impact on diverse industries, it is imperative for clients to adopt a proactive stance in safeguarding themselves,” said Meredith Schnur, Cyber Practice Leader at Marsh, US & Canada. “To enhance their cyber resilience, organisations should proactively fortify defences, implement robust security measures, and consider cyber risk across the enterprise, including potential economic and operational impacts, as well as cybersecurity at vendors and third parties.”