Skip to main content

Report

Ransomware: A persistent challenge in cyber insurance claims

Key takeaways

Understanding cyber claims trends helps to inform an effective risk management strategy for one of the signature risks in today’s tech-driven society. Analysis of the 1,800+ cyber claims submitted to Marsh in the US and Canada in 2023 reveals the following:

  • 21% of clients that purchased a cyber policy reported an event in 2023, consistent with the percentage over the past five years.
  • In 2023, events were driven by factors including increased sophistication of cyberattacks; the MOVEit event, highlighting supply chain vulnerabilities; and privacy claims.
  • Healthcare, communications, retail/wholesale, financial institutions, and education remain in the top five of most affected industry sectors.
  • Ransomware represented less than 20% of claims reported, but remained a top concern for organisations given their increased frequency, sophistication, and potential severity.
  • In managing claims, it’s important to follow proper procedures, including notifying insurers, brokers, and other stakeholders and maintaining proper documentation.
  • Organisations’ cyber resilience strategy should incorporate a view of cyber risk across the enterprise, including its potential economic and operational impact and taking account of cybersecurity at vendors and other third parties.

Introduction

With cyber risk firmly embedded as a key concern for organisations of all sizes, effective risk transfer is an increasingly important piece of a successful cyber risk management strategy. In turn, it’s important for companies to both understand and properly manage their potential cyber claims in support of risk transfer.  

In 2023, Marsh clients in the US and Canada reported more than 1,800 cyber claims, more than in any previous year. These include claims under cyber, tech and telecom errors and omissions (E&O), and media coverage.

The increase was driven in part by the growing sophistication of cyberattacks; the MOVEit event, which highlighted supply chain vulnerabilities; privacy claims; and the increasing number of Marsh clients purchasing cyber insurance. As it has for several years now, ransomware — though accounting for less than 20% of the total cyber claims — remains a top concern for insurers and insureds alike due to its potentially significant financial impact, reputational harm, loss of market share, long-tail nature of litigation, regulatory scrutiny, and more.

Percentage of clients reporting cyber events holds steady 

The annual percentage of clients reporting at least one cyber event has remained fairly consistent over the past five years, between 16% and 21% (see Figure 1). The consistency shows, in part, that companies’ cyber controls have kept pace with the growing sophistication and frequency of cyberattacks.

Figure 1

Percentage of companies reporting a cyber event remains relatively consistent year over year

Cyber events can happen to any organisation, but specific industries have been targeted more often than others over time (see Figure 2). The top five industries among Marsh clients to be affected by cyber events has remained consistent; in 2023 they were healthcare, communications, retail/wholesale, financial institutions, and education.

Figure 2

Healthcare and communications consistently among industries with most claims annually

Although the average cost has increased for breach response expenses — consisting of privacy counsel, computer forensics, and, if necessary, notifications — the median cost has remained relatively constant (see Figure 3). During the last five quarters, the median cost of breach response expenses remained around $160,000, while the average has trended upwards, from $963,000 in the third quarter of 2023 to $1 million in the fourth quarter, primarily due to a few large cyber events.

Figure 3

Breach response costs average $1 million between 2019 - 2023

Ransomware events remain a top focus

Ransomware attacks remain central to most cyber risk discussions as they continue to increase in frequency, sophistication, and severity and remain the dominant cyber threat to many organisations’ daily operations, long-term finances, reputation, and more.

Along with ransomware claims, overall cyber claims reporting also increased in 2023. Since rising rapidly in 2020, the number of reported ransomware events has remained under 20% of total reported cyber claims from Marsh clients for the past two years (see Figure 4). This means that privacy claims and system attacks leading to unauthorised access and potentially exposed data without an extortion component comprise a much larger share of cyber events reported by Marsh clients than do those with an extortion component.

Figure 4

Cyber extortion events were under 20% of total reported cyber claims in 2022 and 2023

In 2023, the number of clients reporting cyber extortion events reached the highest annual level to date (see Figure 5). This followed a decline in cyber extortion events reported in 2022, which was lower than in the prior two years. While it is difficult to pinpoint a reason(s) for the 2022 decline, various cybersecurity experts, inside and outside of Marsh, cite such factors as a (temporary) move away from data encryption toward exfiltration, disruptions brought on by the start of the Russia-Ukraine war, decreased willingness of some companies to pay, and the successful “infiltration” of a particular ransomware group by the FBI. No matter the reasons for the 2022 decline, ransomware events reached new highs in 2023 as the number of bad actors increased significantly.

Figure 5

Cyber extortion events increase in 2023 after 2022 dip

In an extortion event, companies need to decide whether they will pay a ransom to get the de-encryption key and/or to stop the compromised data from being released. Organisations need to assess the possible damages while at the same time judging the “trustworthiness” of the criminals they are dealing with — if a ransom is paid, will the threat actors comply? Or are they going to retain data for a new extortion attempt?

Marsh clients had more success responding to and recovering from cyber extortion events in 2022 than in 2023 (see Figure 6). The median extortion payment dropped from $822,000 in 2021 to $335,000 in 2022. However, this trend was reversed in 2023 as the median payment increased from $335,000 to $6.5 million and the median demand increased from $1.4 million to $20 million as cyber criminals grew bolder. While the decision to pay or not to pay is highly nuanced, organisations should be prepared to respond, including by “practicing” their response under a variety of scenarios.

Generally, extortion negotiations prove effective in reducing the final ransom paid, although it is important to note that every such situation is unique. The percentage of the median demand paid increased from 24% in 2022 to 32% in 2023.

Figure 6

Cyber extortion demands and payments increase in 2023

Marsh clients continue to invest in cyber resiliency, including in such areas as tabletop exercises, incident response vendor readiness, downtime procedures, out of band communication plans, and effective cybersecurity controls. The effectiveness of such investments is indicated by the continued drop in the percentage of those opting to pay an extortion demand (see Figure 7). 

Figure 7

The percentage of companies paying ransom demands continues to decline

Ransom payment considerations

The potential for privacy liability is typically among the many factors that may influence the decision of whether to pay a ransom. However, it can be difficult to place a value when deciding if paying will be beneficial economically or reduce future liability. Privacy liability claims significantly increased over the past few years, and the settlement values have also been increasing, making this an important unknown.

The decision can be more straightforward when criminals encrypt data and cause business interruption (BI) losses. For example, a company might be able to determine that BI losses are costing $1 million per day. If the cost to de-encrypt will be $X thousands and will enable the business to be up and running in a few days, the math may point to a decision to pay. Every situation is unique, and a decision to pay or not to pay a ransom can have consequences beyond the specific incident at hand.

Other factors that may influence the decision to pay include whether the exfiltrated data is business sensitive, or possibly embarrassing.

In some instances, insurers may more deeply scrutinise ransom payments where there is no encryption, especially if breach notification laws are triggered. If ambivalence about paying ransoms increases, some observers wonder if data theft will go full circle, with more criminals simply selling stolen data on the dark web and avoiding working with their victims.

Conclusion: Cybersecurity strategy and controls are key

As cyber risk continues to evolve, companies need to monitor and adjust their cybersecurity controls and engage claims advocates, among other measures. When a claim does arise, it’s important to follow proper steps, such as notifying insurers, brokers, and other stakeholders and maintaining proper documentation.

More broadly, companies should have a cyber resilience strategy that incorporates a view of cyber risk across the enterprise, including its potential economic and operational impact.

Accounting for cybersecurity at vendors and other third parties, undertaking regular tabletop exercises and response evaluations.

We can help you quantify your cyber risk exposures with scenario-based loss modelling, benchmark potential cyber event losses and costs, consider the effectiveness of cybersecurity controls from a financial perspective, assess the economic efficiency of multiple cyber insurance program structures, and help manage your claims, should one arise.

Using panel vendors can improve claims management

When a cyber incident occurs, many companies will turn to outside vendors to manage aspects of the event. Many insurers have a panel of vendors that are pre-approved to work on cyber incidents and claims. Marsh has found that clients using their insurer’s pre-approved vendors can significantly improve the average time from event notification to receiving confirmation of coverage or first payment — from just over 2 months when using a panel to more than 12 months when using non-panel vendors.

Why Marsh?

Cyber risk is complex and pervasive. Marsh’s Cyber Practice provides organisations with experienced risk advice when managing their exposures.

  • In-house legal, technical, and incident response practitioners to help clients before, during, and after cyber events.
  • The incident management experience that comes from handling over 1,800 cyber and technology claims annually.
  • Digital innovations to augment cyber response programs.

If you have questions about any of the issues discussed in this report, please reach out to your Marsh representative.