Cyber has officially staked its claim as a central player on the global risk stage. Cyber risk is no longer a matter of if an incident will occur but of when. Every organization with access to the internet or to connected technology is exposed.
Every business in every sector is vulnerable to cyber-attacks. In 2020, we saw several universities suffer data breaches after hackers launched a ransomware attack against Blackbaud—a cloud computing firm that administered the schools’ data. We witnessed tech firm Canon fall prey to a ransomware attack. And social media giant Twitter suffered a sophisticated social engineering attack through which the accounts of celebrities and high-profile individuals were used to trick people into sending bitcoin to criminal accounts.
While we hear about these attacks on large companies, the vast majority of attacks happen to organizations with under 100 employees. Small businesses are under pressure to shore up their data privacy and protection practices or face increasing punitive regulation. Cyber challenges have only grown more extreme in the context of the COVID-19 pandemic, which has forced many businesses to adopt remote working practices. With more employees working from home and accessing business networks remotely, cyber risk has grown exponentially.
The cyber market has some troubling claim trends, particularly regarding ransomware, where the frequency and severity of claims have soared since the pandemic. Ransomware has now reached epidemic status, comprising up to 40 percent of all cyber claims. The trend continues to get worse in frequency but especially in severity. Ransomware demands have gone from four- or five-digit figures to millions of dollars.
Market capacity, while still high with over 150 unique markets actively writing cyber insurance domestically and abroad (UK & Bermuda), is showing some signs of pull-back due to losses, primarily driven by ransomware events. Many carriers are more closely evaluating their $5 million and $10 million limits, with some backing off anything higher than a $3 million limit in small business.
The year 2020 saw an increase in ransomware, business email compromise, and social engineering claims. The average ransom paid increased from $28,920 in 2018 to $302,539 in 2020. Associated coverages such as business interruption and incident response were affected as well, driving losses higher across the entire cyber landscape.
We are seeing signs of change in what has traditionally been a very soft market for cyber insurance. Many carriers are announcing pricing increases of 20 percent or more across their entire books. Some industry sectors—including healthcare, financial services, and education—are seeing even higher increases. Insurance companies new to the market (who do not yet have market share high enough to feel the impact of the increasing frequency and severity of ransomware claims) continue to price aggressively.
- Almost three quarters of ransomware attacks result in the data being encrypted. Fifty-one percent of organizations were hit by ransomware in the last year. The criminals succeeded in encrypting the data in 73 percent of these attacks.
- Ninety-five percent of organizations that paid the ransom had their data restored.
- Paying the ransom doubles the cost of dealing with a ransomware attack. The average cost to rectify the impacts of the most recent ransomware attacks (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc.) was $732,520.
- Most successful ransomware attacks include data in the public cloud. Fifty-nine percent of attacks where the data was encrypted involved data in the public cloud.