Cyber claims increasing, despite underwriting refinement

Underwriters have tightened their underwriting controls to better price for cyber risk from its 2021 high, but claims frequency in 2023 has nevertheless increased 13% since the previous year, cyber insurer Coalition reports. 

Claims severity across the board also increased 10% year-over-year. 

“The uptick in overall claims frequency and severity among Coalition policyholders is indicative of industry-wide trends, though far less volatile than the pandemic-era ransomware boom in 2021,” Coalition says in its 2024 Cyber Claims Report. 

Where are most cyber insurance claims coming from? The email inbox, according to Coalition. 

In fact, more than half (56%) of all 2023 claims were a result of funds transfer fraud (FTF) or business email compromise (BEC). 

Ransomware severity dropped by over 54% in the second half of 2024 compared to the first. But severity for this risk still trends upward year-over-year.  

“Threat actors want to get paid, and the email inbox has proven to be an easy place for an attacker to uncover payment information and potentially intervene in payment processes to steal funds,” says Robert Jones, Coalition’s head of global claims. 

FTF and BEC tied for most reported claims events (at 28%). Other events — including errors, misuse, and theft; legal, privacy, and media; non-encryption system compromise; and third-party compromise — follow behind at 25%. Ransomware rounds out the bottom at 19%. 

FTF frequency increased by 15% from the year prior, and severity increased by 24%, resulting in an average loss of more than $278,000. BEC frequency increased by 5% from the year prior, and severity decreased by 15%. 

Typically, ransomware attacks tend to be less frequent, but more severe, due to the high payout from companies to their attackers.  

Claims severity stabilized toward the year-end in 2023, compared to the first half when ransomware spiked. The average loss amount for ransomware during the first half of the year was US$236,000. 

Businesses making more than $100 million in revenue saw their cyber claims severity cut in half, although it still increased 21% year-over-year. Severity at businesses making less than $25 million in revenue increased 10% from last year. And businesses with revenues between $25 million and $100 million saw their severity increase by 9%. 

Although overall severity decreased later last year, it was not enough to offset the first-half spike, which was driven primarily by increased ransomware claims. 

Coalition also found an increased risk for organizations using boundary devices like firewalls and virtual private networks. On one hand, these devices can be used to reduce cyber risk, but can also increase the likelihood of a cyber claim if they contain vulnerabilities.  

“For example, Coalition found businesses with internet-exposed Cisco ASA devices were nearly five times more likely to experience a claim in 2023, and businesses with internet-exposed Fortinet devices were twice as likely to experience a claim.” 

Feature image by iStock.com/Liudmila Chernetska