Cyber Insurance Claims Reached Record High in 2023
Record numbers of cyber claims were filed against insurance policies in North America in 2023, according to a recent analysis by the insurance broker Marsh. Last year, more than 1,800 claims were filed with the company from clients in the United States and Canada, more than any other year to date.
There was a small increase in clients reporting at least one cyber incident, up from 18% in 2022 to 21% in 2023; however, the percentage has remained fairly consistent over the past 5 years, ranging between 16% and 21%. Clients in the healthcare industry were the most likely to submit claims, followed by communications, retail/wholesale, finance, and education. In 2023, 17% of all cyber claims were made by clients in the healthcare sector.
The data show a significant increase in cyber extortion events, which include ransomware attacks. These events rose to the highest annual level in 2023, although they accounted for fewer than 20% of all claims. While there was an increase in extortion events in 2023, these events occurred at an abnormally low level in 2022. The decline in these events in 2022 has been attributed to several factors, such as disruption in cyber activity due to the Russia-Ukraine war and law enforcement actions against ransomware groups. In 2023, attacks increased to more typical levels, with ransomware attacks reaching a record high, coinciding with an increase in ransomware groups. In 2023, 282 clients reported at least one cyber extortion event, up from 172 clients in 2022.
The average cost of breach-related expenses has increased; however, the median cost has remained consistent over the past 5 quarters at around $160,000. Average breach costs increased from $963,000 in Q3, 2023 to $1 million in Q4, 2023, which Marsh attributes to relatively few large cyber events. The most expensive breach cost $23.4 million. There was also an increase in median extortion demands and payments. Median extortion demands increased from $1.4 million in 2022 to $20 million in 2023, with median extortion payments increasing from $335,000 to $6.5 million over the same period.
The percentage of clients paying extortion demands has continued to fall, from 68% in 2020 to 30% in 2022 and 23% in 2023. Companies that entered into negotiations with the threat actors were generally able to reduce the amount paid; however, Marsh points out that each situation is unique and that may not necessarily be the case.
While many factors influence the decision about whether or not to pay a ransom, privacy liability is commonly one of them; however, it is difficult to determine whether paying the ransom to prevent the publication of stolen data will be economically beneficial and will reduce future liability. Marsh notes that privacy liability claims have increased significantly over the past few years, as have settlement values, and it remains unknown whether payment of a ransom will reduce future costs.
Marsh suggests that companies need to monitor and adjust their cybersecurity controls and should engage claims advocates. Marsh says it is essential for companies to follow the proper steps in the event of a cybersecurity breach, including notifying insurers, brokers, and other stakeholders and maintaining proper documentation. Companies also need to adopt a cyber resilience strategy that incorporates a view of cyber risk across the enterprise, including the potential economic and operational impact, and Marsh advises all companies to conduct regular tabletop exercises of the breach response.


