Cyber insurance claims in North America reached record levels in 2023, according to insurance broker Marsh.
The firm received over 1800 cyber claim reports from clients in the US and Canada, more than in any other year. It said this increase was driven by a range of factors:
- The growing sophistication of cyber-attacks
- The scale of the MOVEit file transfer supply chain incident
- Privacy claims
- An increasing number of organizations purchasing cyber insurance
Around a fifth (21%) of clients reported at least one cyber event in 2023, a small increase on 2022 (18%). The proportion of covered companies reporting one or more cyber events has remained relatively consistent over the past five years, staying between 16% and 21%.
The healthcare industry has consistently submitted the highest number of cyber insurance claims from 2020-2023, Marsh found.
Healthcare made up 17% of all claims last year, followed by communications (16%), education (9%), retail/wholesale (8%) and financial institutions (8%).
Cyber Extortion Hits Record Levels
The report showed that 282 clients reported at least one cyber extortion event, including ransomware, in 2023. This was a significant rise compared to 2022 when 172 companies reported such events, which was lower than the previous two years.
One potential factor behind the resurgence in cyber extortion events is attackers' growing shift away from encryption and towards data exfiltration, and the emergence of a new ransomware-as-a-service (RaaS) model.
Median extortion payments also surged in 2023 compared to 2022, rising from $335,000 to $6.5m. Median extortion demands by threat actors increased from $1.4m to $20m in the same period.
Marsh noted that extortion negotiations are effective in reducing the final ransom paid. However, the percentage of the median demand paid increased from 24% in 2022 to 32% in 2023.
Encouragingly though, the percentage of companies that paid a ransom demand fell to 23% in 2023, down from 30% in 2022. This continued a longer-term trend, with the proportion of victims that paid demands far higher in 2020 and 2021 (68% and 63%, respectively).
Marsh emphasized that the proportion of cyber extortion claims has remained under 20% of total reported cyber claims. Privacy claims and system attacks that lead to unauthorized access and potentially exposed data, without an extortion component, comprise a much larger share.