A recent study by the insurance company Marsh reported a high number of cyber attack claims submitted against insurance plans in North America in 2023. Over 1,800 claims were filed with Marsh by customers in the U.S. and Canada, which is higher than in any other year thus far.
The percentage of clients reporting at least one cyber incident increased slightly from 18% (2022) to 21% (2023); nevertheless, the percentage has been steady over the last 5 years, in the range of 16% to 21%. Customers in the medical sector were the most likely to file claims, followed by those in the communications, retail, finance, and education sectors. In 2023, clients in the healthcare sector accounted for 17% of all cyber claims.
The data indicates a substantial upsurge in cyber extortion incidents, including ransomware attacks. These incidents rose to their highest yearly level in 2023, though they made up less than 20% of all claims. Although extortion incidents went up in 2023, they had occurred at an unusually low level in 2022. The drop in 2022 is attributed to a few factors, such as the disruption of cyber activity caused by the Russia-Ukraine conflict and law enforcement activities against ransomware groups. In 2023, cyber attacks returned to more usual levels, with a high number of ransomware attacks coinciding with a rise in ransomware gangs. In 2023, 282 customers reported one or more cyber extortion events, compared with 172 client reports in 2022.
The average cost of breach-associated expenses has gone up, though the median cost has stayed constant over the last 5 quarters at about $160,000. Average breach costs went up from $963,000 in quarter 3 of 2023 to $1 million in quarter 4 of 2023, which Marsh attributes to a relatively small number of large cyber events. The highest breach cost was $23.4 million. Median extortion demands increased from $1.4 million (2022) to $20 million (2023), while median extortion payments went up from $335,000 to $6.5 million.
The share of clients making extortion payments has fallen from 68% (2020) to 30% (2022) and 23% (2023). Organizations that negotiated with the threat actors typically paid lower amounts; nevertheless, Marsh remarks that every situation is different and that this may not always be so.
Although several factors affect the decision to pay a ransom, privacy violation is frequently one of them. Nevertheless, it is hard to know whether a ransom payment that stops the exposure of stolen information, especially protected health information (PHI), will help financially and minimize future liability. Marsh says that privacy liability claims, as well as settlement values, have risen considerably in the last few years, and it remains unknown whether paying a ransom will lower future expenses.
Marsh recommends that companies keep track of and modify their cybersecurity settings and involve claims advocates. It also states that organizations must observe the appropriate steps in case of a cybersecurity breach, which include informing insurance companies, brokers, and other stakeholders and keeping proper records. Organizations should also follow a cyber resilience approach that includes a view of cyber threat throughout the enterprise, including the possible economic and operational effects. Marsh also suggests that all organizations carry out standard breach response practices.