NetDiligence has unveiled its fourteenth annual Cyber Claims Study, offering a comprehensive analysis of over 10,000 cyber insurance claims reported between 2019 and 2023. The report highlights emerging trends in cyber risk across a wide range of industries, focusing on the financial burdens faced by organizations, particularly small to medium-sized enterprises (SMEs).
This year’s study, sponsored by RSM, Experian, KYND, and Constangy, Brooks, Smith & Prophete, LLP, examines real-world data breaches and cyber-related incidents from prominent cyber insurance providers. It reflects significant growth in the study’s scope, with the number of claims analyzed rising from less than 100 in 2010 to 10,464 in the current report.
You can get the full report here. Our takeaways are as follows.
The Numbers
The study paints a detailed picture of the cyber risk landscape, revealing that:
- 10,464 claims were analyzed for incidents occurring between 2019 and 2023.
- 4,991 new claims were added in 2023 alone, primarily for incidents from 2021 to 2023.
- A staggering 98% of claims (totaling $1.9 billion) came from SMEs with less than $2 billion in annual revenue, while only 2% of claims (totaling $2 billion) were from large companies with over $2 billion in revenue.
The report also highlights that ransomware and business email compromise (BEC) were the top two causes of loss, accounting for 53% of claims involving more than $1,000 in losses over the five-year period. Ransom demands remained high, with initial demands reaching up to $80 million and paid amounts peaking at $50 million.
Key Findings
- The study reveals substantial disparities in the financial impact of cyber incidents based on company size and sector:
- Large companies accounted for just 2% of claims but represented 51% of the total incident costs ($2.0 billion out of $3.9 billion).
- SMEs accounted for 98% of the claims but only 49% of the total costs.
- Among SMEs, there were 327 claims of $1 million or more, compared to 79 such claims among large companies. Ransomware and BEC together accounted for a significant portion of these high-cost incidents.
“Healthcare and manufacturing SMEs seem to be benefiting from a modest drop in incident costs,” said Mark Greisiger, President of NetDiligence. “However, the financial services sector is facing a sharp rise in incident costs, reminding us that cyber risks evolve differently across industries.”
Sector-Specific Insights
The study offers detailed insights into how cyber risks vary across different business sectors:
Professional Services: SMEs in this sector faced the highest average incident costs, with claims often exceeding $300,000. Common causes of loss included ransomware, BEC, and hacker incidents.
Healthcare: While SMEs in the healthcare sector saw average incident costs decline from $583,000 in 2021 to $173,000 in 2023, they remain vulnerable to data breaches and ransomware attacks.
Manufacturing: This sector experienced a significant reduction in average incident costs, dropping to a five-year low.
Financial Services: Contrastingly, financial services companies saw a sharp increase in incident costs, underscoring the evolving nature of cyber risks in this sector.
Growing Burden on SMEs
A notable finding of the study is the rising financial burden on SMEs due to BEC incidents. The average cost of a BEC claim more than doubled from $84,000 in 2022 to $183,000 in 2023. The report suggests that while some sectors like healthcare are seeing a decline in costs, others, such as financial services, are experiencing a rise.
“SMEs are under increasing financial pressure from cyber incidents,” Greisiger added. “Business email compromise, in particular, is causing substantial losses, and companies must stay vigilant and enhance their cyber defenses.”
Emerging Trends and Future Outlook
The report also identifies several emerging trends:
Increased Ransomware Costs: Despite a slight decrease in the average cost of ransomware incidents in 2023, the number of high-cost incidents remains significant, with 15 ransoms paid exceeding $10 million.
Focus on Third-Party Risk: Industry concern over third-party incidents is growing. Events involving thousands of businesses affected by incidents like the MOVEit Transfer and CDK Global attacks highlight the need for robust vendor management programs.
Impact on Cyber Insurance: The study notes that the cyber insurance industry remains in a unique position to drive change within the broader information security landscape. Insurers are urged to collect more data on third-party risks and enforce stricter vendor management requirements.
Looking Ahead
The findings from the 2024 Cyber Claims Study will be presented at the upcoming NetDiligence Cyber Risk Summit in Philadelphia on October 1, 2024. NetDiligence encourages all stakeholders, especially cyber insurers, to continue contributing data to enhance the study’s insights.
As cyber threats continue to evolve, the study emphasizes the need for a proactive approach to cyber risk management, focusing on both preventive measures and effective incident response strategies. “We extend our sincere thanks to our cyber insurance partners, whose continued participation enables us to provide these invaluable insights to the cyber risk and insurance community,” Greisiger concluded.
Other News: Domain Security Meets Cyber Insurance: CSC Joins NetDiligence’s eRiskHub®(Opens in a new browser tab)