Reports on cyber insurance claims have become a welcome tool for managing cyber risk in a field with limited measurement. While claims data is a lagging indicator versus the more tactical threat data more commonly used in cyber defense, it provides a deeper view into the cost of enterprises’ exposure to cyber risk.
As cyber risk practitioners ourselves, we believe that understanding past claims trends is core to future planning for enterprises. Part of Resilience’s mission is to bring this knowledge to our clients, and now, with the release of our first annual Claims Report, the public as well.
This report provides insight into our progress and successes in building Cyber Resilience in the insurance market. With the rise in ransomware, the pivot to remote work caused by the COVID-19 pandemic, and the growing need for building digital transformation on a shrinking budget, there is no more critical time for this shift to a Cyber Resilience approach.
Resilience’s claims, insurance, and security experts took three high-level lessons from our findings:
- Contrary to popular belief, ransomware continued to go up as a cause of loss throughout 2022 and into 2023. However, we have found that robust ransomware drills at the executive level, active warning of vulnerabilities targeted by criminal actor groups, and financial incentives to address cyber hygiene dramatically increased clients’ resistance to extortion attempts.
- After three years of a surge in digital payments and increased reliance on third-party SaaS vendors to support remote work during the COVID-19 pandemic, transfer fraud and vendor data breaches are now leading causes of loss as threat actors pivot to less sensational financial crimes.
- Phishing remains the primary “Point of Failure” that leads to financial loss. The risk from third-party vendors is a close second, followed by poor access management controls. Despite years of emphasizing phishing training, vendor risk management, and multi-factor authentication, current approaches are not closing the gap. A new approach is needed to incentivize organizations to adopt known controls to address both human and technical risk exposures.
While these three trends show a cyber insurance market still very much in crisis, we have begun to see workable approaches for tackling ransomware extortion, for understanding cyber threats in the context of global IT trends, and for implementing cybersecurity controls through a more incentive-based approach.
Ransomware and the Impacts of Cyber Resilience
Analysis of Resilience’s 2022 claims shows a drop in early 2022 ransomware activity, down 25% from Q4 2021 to Q1 2022. However, this trend reversed in the latter half of the year, growing 300% from Q3 2022 to Q1 2023.
As payments reached a peak in 2022, Resilience found that:
- 100% of clients engaged with Resilience’s risk management solution were able to avoid paying a ransom to resolve an extortion incident.
- These clients also incurred 67% fewer losses overall than clients who were not engaged with Resilience’s risk management solution.
- Additionally, 78.6% of Resilience’s clients impacted by ransomware were able to avoid paying a ransom. This makes the percentage of our clients who had to make a payment (~21%) nearly half the industry average victim payment rate of 41%, as measured by Coveware in 2022.
Financial Transfer Fraud and Vendor Data Breach Risk Drive Causes of Loss
While ransomware is a major focus for the cyber insurance industry due to its growth over the past five years, it may be surprising that it was not the primary driver of cybercrime or insurance claims within our portfolio. Transfer fraud (17% of all claims), vendor data breach (11.8% of all claims), and business email compromise (10.4% of all claims) all led versus direct ransomware (9.7%) or ransomware attacks against third-party vendors (8.1%) in claims notices from Resilience clients.
Combating fraud requires a mixture of strong data security practices and technology solutions. This highlights the importance of focusing on a holistic approach to building resilience against cybercrime. While ransomware is the highest growth challenge we see, organizations should still focus on limiting impacts from old-fashioned fraud delivered through high-tech means.
Critical Points-of-Failure All Point to Old Problems
From its start, Resilience has been laser-focused on understanding some of the core drivers of cyber risk. Too often, we see cybersecurity professionals reach for technical solutions, aiming to prevent 100% of cyber incidents. Claims data reinforces that while technical security products are important, strong programmatic controls are critical to reducing the real Points-of-Failure that drive financial loss from cyber incidents for organizations.
Among all primary claims notices, Resilience found that:
- Phishing is unsurprisingly the lead Point-of-Failure (23.4% of all claims),
- Third-party vendor breaches are a close second (22.1% of all claims), and
- Privileged access management (14.5% of all claims) came in third.
All three of these critical Points-of-Failure have well-documented and supported corresponding cybersecurity controls that have been repeatedly enforced for years. But despite significant investment in these areas, these points of failure remain the basis for the majority of financial loss from cyber incidents. Resilience believes that by aligning financial incentives around cyber hygiene, we can positively affect clients' ability to respond to an incident without experiencing a significant loss. This is backed up by our industry-leading loss ratio, which is three times lower than the market average.
Sharing this Data
Resilience believes that transparency in our loss data can greatly strengthen the entire cyber risk ecosystem. We hope that this report will serve as concrete evidence for a Cyber Resilience approach that incentivizes strong cyber hygiene and manages cybersecurity as a team effort across finance, risk, and security leaders.
We want to thank all of our customers for their trust and support in achieving tremendous progress in developing this new model in such a short amount of time. We look forward to evolving it as our company grows and will continue to share our learnings with the broader cyber risk community.