claims trends

Cyber Insurance Claims Are Heating Up In 2023

What can we expect from threat actors this year? This expert panel provided key insights.
6 min read

Cyber Insurance Claims Are Heating Up In 2023

6 min read
claims trends

If you were unable to attend the incredible Zywave Cyber Risk Insights Conference in London this year, then you will have missed key insights on cyber insurance claims trends for 2023. 

A panel discussion on the topic brought together a group of experts to share their insights and experiences from the front lines of cyber insurance claims and incidents. Moderated by Anthony Hess from Asceris, the panel included Carolyn Purwin Ryan from Mullen Coughlin, Danielle Haston from Chainalysis, Luke Johnson from Canopius, and Daniel Tobok from Cypfer

Among the topics discussed were the curious trajectory of ransomware over the last year, changes in the types of claims insurers and response teams are seeing, and how these claims are being handled. This article will summarize the key points raised by the panelists and offer insights into the current state of cyber insurance claims trends.

Cyber insurance claims were “refreshingly quiet” in 2022, but not for long

While cyber attacks were still prevalent, the percentage of insured businesses that are being targeted has significantly decreased. Luke Johnson provided insight into the various trains of thought as to why this has been the case, focusing on the impact of an underwriting hard market that has placed increasingly fervent emphasis on minimum controls. Overall, it seems that the minimum controls required for cyber insurance may have played a role in deterring hackers and making businesses more resilient against cyber attacks. For Daniel Tobok, the slowed pace in the first six months of 2022 directly correlated with the conflict between Russia and Ukraine and subsequent sanctions. Carolyn Purwin Ryan, on the other hand, felt that incidents of geopolitical tension often prompted a spike in claims, citing Biden’s visit to Ukraine and the downing of the Chinese spy balloon as examples.

“This was last year was the first year that ransomware was not the top one when it came to the claims”, Purwin Ryan added. Daniella Haston provided supporting insights, examining “on-chain data” (data that is stored within a blockchain system – you can read more about blockchain here) to determine how much cryptocurrency has been sent to ransomware-associated addresses. She reported that there has been a 40% decline in the amount of money being paid to ransomware associated addresses, just shy of half a billion dollars. Here data also suggests that less people are either willing or able to pay, with 59% of ransomware victims today not paying ransoms

For Purwin Ryan, wire transfer fraud emerged as a top concern in 2022, both due to the frequency of its occurrence and the severity of its impact. This type of fraud involves large amounts of money being transferred out of businesses, reaching eye-watering sums as high as $2 million on multiple occasions. While this type of fraud can be devastating, it is also preventable with the right education and awareness. “By providing education on the risks and potential vulnerabilities, we can help mitigate the risk of wire transfer fraud and other types of cyber attacks”, she explained.

Highly aggressive, physical ransomware resurgence expected imminently

However, the year 2023 is telling a slightly different story, with an increase in highly brazen, sophisticated attacks being observed once again. It is possible that the threat actors that were previously diverted by the Ukraine-Russia conflict are now back in action – and, this time, they’ve remobilized, are hungry for cash and have military-grade training. Triple extortion attacks have evolved, with some reaching a four- or five-pronged approach. In the space of the past year, Tobok reported, they will have reconstructed and reevaluated their operations, improving their tactics with new abilities to bypass controls and perpetrate more dynamic crimes. “Being proactive is really the best way to minimize cyber claims”, he advised.

Purwin Ryan attested to particularly shocking, recent incidents of intimidating ransomware attacks, including a recent case involving death threats issued by the threat actor against a victim’s granddaughter. The incident highlighted the ease of obtaining personal information through social media, which has enabled cybercriminals to identify potential victims and used their personal information to elevate their threats. Johnson also presented a case where the insured’s contact list was accessed by a threat actor. The actor then used spoof numbers to impersonate members of the victim’s family, their school, colleagues and so one in order to create an intimidating environment and to force the victim to pay a ransom. Tobok summarized the new “feet on the ground” approach to ransomware: “we are seeing threat actors use more traditional organized crime tactics by bringing a physical edge to cyber with real life threats in a way we have not seen before”.

Threat actors have franchised their business 

Tobok pointed out that cybercriminals have started to outsource their operations to other countries, adopting a “franchise model” to perpetrate larger-scale attacks. This means that they rely on others to carry out attacks on their behalf with a “franchised” ransomware strain, expanding their reach and making it harder to track them down.

Haston added that, by using on-chain data, it is possible to identify convergence points where multiple ransomware strains have all linked to the same address before being cashed out. This information can help organizations improve their compliance and intelligence around ransomware attacks, as they can avoid falling into a trap of paying out to the same controlling parties. It is clear that on-chain data can play an important role in combating this evolving methodology for ransomware actors.

Sloppy and aggressive attacks has made ransomware recovery more challenging

In the past, victims had a high probability of recovering their data by paying the ransom, but now the situation has changed. Tobok explained that attackers have become “sloppier”, and this has resulted in difficulties in decrypting the data even after paying the ransom. The problem is further compounded by the increasing number of inexperienced threat actors entering the market and relying on, for example, RaaS packages, who lack the necessary technical skills to perform high-quality work. As a result, recoveries have become up to seven times more difficult than they were three years ago. Decryptors are malfunctioning, and victims are finding it harder to trust them.  

Johnson pointed out the effects of recovery efforts are no longer just limited to small businesses. We are now witnessing the real-world consequences of these attacks, which can result in the downfall of major corporations. In a recent incident, the Ince Group, a global law firm, had to declare bankruptcy due to a ransomware attack they suffered in 2022. The attack caused losses of over 5 million dollars, which is just a portion of the total damage caused, including client losses and other complications that followed, leading to a complete shutdown of the firm. The Ince Group was a well-established company that had been in operation for centuries, and this highlights the severity of the impact of ransomware attacks.

The current state of cyber insurance claims, summarized

In 2022, there was a decrease in the percentage of insured businesses targeted by cyber attacks, with ransomware no longer being the top claim. Experts suggest that this was due to the minimum controls required for cyber insurance deterring hackers and making businesses more resilient against cyber attacks. However, in 2023, the threat has resurged, with highly brazen, sophisticated attacks being observed, and triple extortion attacks evolving with new abilities to bypass controls. Cybercriminals have even adopted a “franchise model” to perpetrate larger-scale attacks. Recovering from these attacks has become increasingly challenging, with attackers becoming “sloppier” and a rise in inexperienced threat actors entering the market. This has led to victims finding it harder to trust decryption methods, making recovery up to seven times more difficult than it was three years ago. It is clear that education, awareness, and proactivity are necessary to mitigate the risk of cyber attacks.

 

Want to be a Certified Cyber Insurance Specialist? Find out more here.

Unlock more world-class knowledge and expertise.

Upgrade your membership to enjoy unlimited access to premium content.

Already have an account?

About Cyber Insurance Academy

The Cyber Insurance Academy was cultivated by the leading minds in cybersecurity and insurance, with a mission to help cyber insurance professionals stay ahead of the curve. We aim to address the industry’s educational gap and technical challenges, while fostering a vibrant community of like-minded professionals.

 

Our first-of-its-kind online campus blends a Gold-Standard CII-CPD accredited course, expert-led certification courses, industry-leading events, a top-tier content library, and a supportive, diverse and professional network that equips you with the confidence and expertise to lead in cyber insurance and make an impact.

Want cyber insurance updates sent straight to your inbox?

Skip to content