In 2023, Marsh clients reported over 1,800 cyber claims in the U.S. and Canada, more than any previous year, according to a Marsh report, "Ransomware: A Persistent Challenge in Cyber Insurance Claims." However, a growing percentage of companies are refusing to pay ransom demands.
Behind the Increase
The increase in reported claims “was driven in part by the growing sophistication of cyberattacks; the MOVEit event, which highlighted supply chain vulnerabilities; privacy claims; and the increasing number of Marsh clients purchasing cyber insurance,” the report states. “As it has for several years now, ransomware—though accounting for less than 20% of the total cyber claims—remains a top concern for insurers and insureds alike due to its potentially significant financial impact, reputational harm, loss of market share, long-tail nature of litigation, regulatory scrutiny, and more.”
Furthermore, notes the report, “The annual percentage of clients reporting at least one cyber event has remained fairly consistent over the past five years, however, at between 16% and 21%. The consistency shows, in part, that companies’ cyber controls have kept pace with the growing sophistication and frequency of cyberattacks.”
Attacks by Industry
Marsh reports that the top five industries impacted by cyber events among its clients are:
- Health care.
- Communications.
- Retail/wholesale.
- Financial institutions.
- Education.
Health care and communications have the most claims annually, Marsh says.
Ransomware Events and Cyber Risk
“Ransomware events remain central to most cyber risk discussions as they continue to increase in frequency, sophistication, and severity and remain the dominant cyber threat to many organizations’ daily operations, long-term finances, reputation, and more,” states the report. “Along with ransomware claims, overall cyber claims reporting also increased in 2023. Since rising rapidly in 2020, the number of reported ransomware events has remained under 20% of the total reported cyber claims from Marsh clients for the past two years.”
Cyber extortion events, in fact, were under 20% of total reported cyber claims in 2022 and 2023—although, according to the report, “in 2023, the number of clients reporting cyber extortion events reached the highest annual level to date. This followed a decline in cyber extortion events reported in 2022, which was lower than in the prior two years.
“While it is difficult to pinpoint a reason(s) for the 2022 decline, various cybersecurity experts, inside and outside of Marsh, cite such factors as a (temporary) move away from data encryption toward exfiltration, disruptions brought on by the start of the Russia-Ukraine war, decreased willingness of some companies to pay, and the successful ‘infiltration’ of a particular ransomware group by the FBI. No matter the reasons for the 2022 decline, ransomware events reached new highs in 2023 as the number of bad actors increased significantly.”
The report concludes, “As cyber risk continues to evolve, companies need to monitor and adjust their cybersecurity controls and engage claims advocates, among other measures. When a claim does arise, it’s important to follow proper steps, such as notifying insurers, brokers, and other stakeholders and maintaining proper documentation.”