Businesses bear a heavy burden when it comes to cyber risk. They're expected to stay one step ahead of attackers despite the fact that many things can get in the way. Time, money, expertise — these are all crucial factors when managing organizational risk.

Cyber insurers have shown that they can provide support to businesses in need. But businesses must share in the responsibility and embrace collaboration by considering cyber risk in all their digital interactions. Whether purchasing new software, transmitting customer data, or paying vendors, all business actions should tie back to cyber risk management.

At Coalition, we provide security recommendations to businesses not just at the time of quoting but throughout the policy period. Yet, many of the claims we continue to see could have been prevented with stronger security controls and better risk management decisions.

Cyber insurance is more than a set-it-and-forget-it solution. As evidenced in our 2023 Cyber Claims Report Mid-year Update, cyber risk is dynamic and constantly evolving. Businesses can go from secure to exposed in an instant, which is why we continuously promote good cyber hygiene and encourage our policyholders to be prepared to weather a cyber attack.

Let's look at some of the key cyber trends in the first half of 2023 (1H 2023). We'll explore how businesses can proactively improve their cybersecurity posture, as well as how Coalition supports policyholders before, during, and after a cyber event.

Cyber claims increase amid record-breaking attacks  

Globally, March 2023 was one of the most prolific months for ransomware in recent years. The surge in attacks rippled across all industries and drove increases in cyber claims activity for many insurers. 

Among Coalition policyholders, cyber claims increased in both frequency and severity in 1H 2023, largely driven by the resurgence of ransomware. Overall claims frequency increased 12% in the first half of the year, and overall claims severity increased 42%. 

The impact was felt by businesses of all sizes, highlighting the opportunistic nature of threat actors. Businesses with more than $100 million in revenue saw the largest increase in frequency, and while other revenue bands were more stable, they also faced surges in claims.

Now is the time for businesses to recognize that good cyber hygiene goes beyond the act of purchasing a cyber policy. That's why we take an active approach to partnering with our policyholders on their cybersecurity journey, incentivizing businesses to adopt the security controls that can dramatically reduce their overall risk.

Even in the context of increasing claims, we're encouraged to see our active approach works: Coalition policyholders experienced 64% fewer claims than the industry average in 1H 2023, with 52% of reported events handled at no cost to the policyholder.

Ransomware roars back after brief respite

Ransomware was the largest driver of the increase in overall claims frequency, accounting for 19% of all reported claims.

In early 2022, ransomware dipped in severity and there was significant speculation as to what may have driven the decline. But the end of 2022 and the first six months of this year have shown that threat actors were unwilling to pass up on such profitable attacks.

Ransomware claims severity reached historic highs in 1H 2023, spiking 61% to an average loss amount of more than $365,000. What's more, the average ransom demand increased 47% to a total of $1.62 million.

Of course, no business wants to engage with threat actors or give in to ransom demands, but at times there’s no other viable option. These instances are prime examples of how cyber insurers can support businesses in their most vulnerable moments.

When reasonable and necessary, Coalition and its partners negotiated ransom payment amounts down to an average of 44% of the initial demand. We also helped policyholders ensure decryption keys worked and helped restore their networks to an operational state.

Funds transfer fraud remains an easy, lucrative crime

In contrast to ransomware, funds transfer fraud (FTF) is a less volatile attack method that is easier to execute. Despite recent upward trends, FTF events have been relatively stable over time. 

FTF initial severity increased by 39% in 1H 2023 to an average loss of more than $297,000. Notably, FTF frequency only increased by 15%, but due to the sit-and-wait nature of these events, threat actors don't need to target more businesses; they only need to exercise patience. 

The first 48 hours after an FTF event are crucial. Threat actors typically move the stolen funds through various accounts to conceal their crimes and make them difficult to trace — this is why we encourage our policyholders to immediately contact Coalition at the first sign of a cyber event. 

When an FTF event is reported in a timely manner, we have a significantly higher chance of recovering the stolen funds. Coalition maintains unique relationships with government entities and financial institutions for this exact reason: to move quickly, go where others can't, and help "claw back" money on behalf of our policyholders. 

Despite the increased persistence of threat actors, our recovery FTF efforts have only improved.

In just six months, Coalition successfully clawed back more than $23 million in fraudulent wire transfers. Our FTF recovery efforts were nearly three times greater than the latter half of 2022, showcasing our commitment to supporting policyholders when they need us most. 

New report, new methodology

The purpose of reporting our claims data is to share timely information on the evolving cyber threat landscape. In our newest report, we updated our methodology to facilitate a more expedient data-gathering and publishing process. 

In the 2023 Cyber Claims Report: Mid-year Update, our team of data scientists and actuaries used the reported experience as of six months of age, rather than ultimate loss projections. Ultimate loss is the total sum paid by the policyholder and its insurers. As a projection, ultimate loss can change overtime due to future loss development. This change allows for direct comparison between reporting periods moving forward; however, past claims data calculated with our new methodology may appear different from previous reports.

As a general practice, please reference our most recent reports when possible, as this updated methodology will be our standard for reporting cyber claims trends moving forward.

How businesses can actively address cyber risk

Businesses are not powerless against cybercriminals. Simple but actionable security controls help create a strong security posture where layers of technical and policy controls layer together to protect information and assets. Coalition recommends all its policyholders take a thoughtful approach to risk management, and there are several reputable, freely available frameworks to help inform which controls are the best fit for each organization.

When it comes to combating ransomware, implementing and testing offline backups of critical business data should be standard practice. Having viable backups can mean the difference between restoring operations and negotiating with a threat actor. 

Threat actors routinely exploit human error to perpetuate cybercrimes, which is why most FTF events begin with a phishing email. Implementing multi-factor authentication (MFA) on all critical accounts helps minimize the risk of phishing. Sensible financial best-practices also help, such as proactively verifying the recipient details for large payments. 

Cybersecurity best practices often sit in opposition to convenience. Cyber insurance can play a unique role in incentivizing businesses to make good cyber risk management decisions by helping them understand the financial impacts of their choices. 

Our mission is to protect the unprotected. We share these insights to help brokers and businesses better understand new and emerging trends in cyber insurance. To learn more about the cyber risks that impacted our policyholders — from email security to the high-profile MOVEit vulnerability — download the 2023 Cyber Claims Report Mid-year Update.

Coalition is a trading name of Coalition Risk Solutions Ltd. which is an appointed representative of Davies MGA Services Limited, a company authorized and regulated by the Financial Conduct Authority (FCA), registration number 597301, to carry on insurance distribution activities. You may check this on the FCA register by visiting the FCA website www.fca.org.uk. Coalition Risk Solutions Ltd. is registered in England and Wales: company number 13036309. Registered office: 34-36 Lime Street, London, United Kingdom, EC3M 7AT. Copyright ©2023. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc. or its affiliates.

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.