Top Cyber Insurance Loss Trends of 2023

This month, PacketWatch CEO Chuck Matthews discusses the top three trends in cyber insurance losses. Read on to learn how to protect your organization from these threats.

In Munich RE’s Mid-Year State of the Cyber Market Update, Miguel Canals, SVP, Senior Cyber Underwriter, identified three items representing key loss trends in the cyber insurance markets. The losses give us a picture of areas we should direct more attention to.

The three main trends driving losses in 2023 are:

• an uptick in ransomware claims,
• privacy litigation claims, and
• MOVEit vulnerability claims.

The list also resembles what PacketWatch has seen in our recent investigations.

Ransomware Increases

Ransomware continues to be a scourge for everyone. Ransomware groups (i.e., organized criminals) extort payments from victims in exchange for decryption keys to retrieve their stolen data even though they may not work.

92% of people who paid were not able to recover all their data, according to Forbes. Additionally, 80% were targeted again after paying.

Yet ransomware gangs have raked in more than $1.9 billion over the past 3 years according to the 2023 Chainalysis Crypto Crime report, in part thanks to insurers facilitating ransom payments.

This scourge will only stop when people stop paying the criminals.

Recently, a U.S.-led alliance of forty countries stated their intention to sign a pledge never to pay ransom to cybercriminals according to a White House official.

That’s encouraging, but will they follow through? That remains to be seen.

Privacy Matters

These same cybercriminals have taken their attacks a step further by exfiltrating and threatening to leak sensitive data, creating a double-extortion scenario. That leads us to the second largest claims loss mentioned, privacy litigation.

As more stolen data is posted (because fewer people are paying), privacy matters surrounding the stolen data are taking center stage, and regulators are ready to come after the firms involved.

This is a double whammy for impacted firms. After suffering through the damage from the ransomware, firms get hit by privacy lawsuits and enforcement actions from regulators.

Regulatory Repercussions

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first enforcement action related to ransomware.

Doctors' Management Services, determined to be a business associate (BA) under HITECH, reached a $100,000 settlement (fine) and three years of HIPAA compliance monitoring after a ransomware breach exposed the data of 206,695 individuals. Add to that case the recent cyber enforcement actions by the FTC and SEC.

Regulators yield a large stick, and you’d better be prepared for them to come for you following an attack. This trend will certainly increase over the next few years.

Zero-Days, Vulnerabilities and Exploits

The third category of claims involves those from the MOVEit file-transfer utility vulnerability.

This calamity exploited by the Clop ransomware gang has entangled some thousand organizations and impacted over 60 million individuals.

Zero-days that affect commonly used applications and hardware are increasingly common.

Some say this is due to the funding provided from the ransom payments.

What used to be solely in the realm of government-funded entities (think NSA, GRU, FSB), zero-days can now be afforded by organized criminals with wallets, fat from ransom payments.

Mandiant estimates that 75% of zero-day instances appear to be linked to ransomware operations.

Of the 69 zero-days disclosed so far in 2023, 44 have been used in the wild from January to September, according to Google's Threat Analysis Group.

We expect that trend to continue to increase.

Leaked data just by MOVEit exploits affecting more than 60 million people, privacy litigation and regulatory actions will also continue to increase. Just wait for it.

What can you do?

Assuming these trends continue, what should you do?

Our team continues to believe that all ransomware is avoidable with good cyber hygiene continuously applied. (See Simon Taylor’s 12 P’s blog for more.) Keep patched, use MFA properly, have tested back-ups, etc.

On the privacy side, most litigation and enforcement actions can be eased with some upfront work.

• Do your homework, know where sensitive data resides, and protect it.
• Disclose what you capture.
• Perform your mandatory security risk assessments and document policies.
• Do what you say you are going to do.
• Make sure your partners do the same.

Those simple things will make a dramatic difference.

Finally...

We believe these trends will continue into 2024 and the next several years. As you make your plans for 2024, consider how these trends will affect your firm.

If you need help, we have an entire team ready to support you as needed. Contact us for a free consultation.

Chuck Matthews is the CEO of PacketWatch, a US-based boutique cybersecurity firm focused on incident response, managed detection and response, forensics, and advisory services utilizing their proprietary network-based threat-hunting platform.