Almost two-thirds of ransomware claims result in loss, according to Resilience’s “Midyear 2024 Cyber Risk Report: Cyber Claims Trends and Analysis” report. Ransomware also remained the leading cause of loss in Resilience’s portfolio since January 2023.
Third-Party Risk
According to the report, “Increasing merger and acquisition (M&A) activity, coupled with reliance on ubiquitous software vendors, created new opportunities for threat actors to unleash widespread ransomware campaigns—all by taking advantage of heightened third-party risk and deep industry interdependency.”
After a significant drop in 2022, research from Chainalysis shows that “ransomware payments rebounded to $1.1 [billion] in 2023, with median extortion payments in more than 60% of ransoms and fees exceeding $1 [million],” according to Resilience’s report. Overall, nearly half (48%) of Resilience portfolio claims were related to ransomware in 2023.
Furthermore, the severity of ransomware claims also increased significantly from 2022 to 2023, with a 411% increase in the financial severity of events. However, “Resilience client losses did not always result from paying extortion fees; fewer than 10% of clients paid extortion fees, the remainder opting to recover without paying a ransom.” This reflects a trend toward “increasing costs to recover from ransomware attacks regardless of whether an extortion is paid.”
The report also found that humans remain the weakest link when it comes to third-party risk. “This is perhaps unsurprising when we consider that cyber risk is an inherently human-engineered risk,” states the report. “Phishing leads Resilience’s list of points of failure for incurred claims again this year; these failures most often resulted in the deployment of ransomware or email compromise. M&A activity can amplify cyber risks for an enterprise not only from its own existing vulnerabilities, but also the new risks associated with the acquisition target and the challenges of integrating different IT systems post-acquisition.”
2023-2024 Ransomware Claims Trends
“The frequency of attacks has picked up slightly in the first half of 2024, with an increase of 2.2% in total claims from the first half of 2023 versus 2024,” states the report. “If the trend continues, we expect to see an increase in claims in 2024. Incurred claims as a percentage of overall claims is down a half a percent in the first half of 2024 compared to first half of 2023.”
Vendor-related Risks
Vendor-related risks have shown up in two important ways in 2024, according to the report. “The first is in the form of third-party risk from partners or suppliers that come under attack. The second, highlighted by the CrowdStrike outage in July, is risk from outages of important suppliers in a company’s technology stack.”
Thirty-five percent of claims in 2023 and 40% of claims in the first half of 2024, the report states, “are related to vendor failure of some kind—data breach, ransomware attack, or error-driven outages. That number is already ticking higher in the second half of 2024.”
Losses Led by Ransomware & BEC
“Ransomware, data breaches, and transfer fraud/business email compromises are the stalwarts of the last several years of cybercrime,” states the report. “Business Email Compromise (BEC) can look as though it fell in prominence in 2023 and 2024, but that is only because ransomware gets so much media attention. BEC attacks have remained fairly steady at between 13%-15% as a cause of loss on claims between 2022 and 2024. A larger proportion of those claims became material in 2023, jumping 11% over 2022; data in 2024 is too undeveloped to report, of the large losses ransomware is causing. In fact, BEC attacks are becoming three times more frequent and are more than doubling in severity among our portfolio.”
When companies are hit with ransomware, says Resilience, the severity of the attack can depend on the tactics of the group. “Losses from ransomware claims might reflect extortion fees, recovery costs, crisis management costs, and other losses stemming from a ransomware attack and may not reflect the full measure of losses to the client. Our claims data shows that several ransomware groups had significant impacts in 2023.”
More than half of companies that paid an extortion fee were compromised via a software vulnerability, the report states. “Clients unable to restore systems from their backups were more likely to pay extortion. While backups aren’t a failsafe, a properly segregated and tested set of backups is probably the biggest mitigation against paying ransoms.”
Cathleen Kelly Rebar, partner, Rebar Kelly, comments, “The report only reemphasizes the absolute need for preparation in advance of a cyber event. By implementing key controls within an organization and for third-party vendors, insureds can significantly minimize the damage from cyber risk and prevent an attack before it happens.”