Marsh: Cyber Extortion Reached Record High in US and Canada in 2023

Multiple companies in the U.S. and Canada experienced a record number of cyber extortion events in 2023 and unprecedented demands, a new report from Marsh shows.

The report, Ransomware: A persistent challenge in cyber insurance claims, also showed an increasing number of companies refused to pay the demands.

The report’s authors analyzed more than 1,800 cyber claims submitted to Marsh in the U.S. and Canada in 2023. They found the annual percentage of clients reporting at least one cyber event has was steady over the past five years, ranging between 16% and 21%. The authors say the report demonstrates that companies’ cyber controls have kept pace with the growing threat and frequency of cyberattacks.

Healthcare, communications, retail/wholesale, financial institutions and education were the top five of most affected industry sectors, with healthcare and communications reaching the highest numbers of annual claims, the report shows.

Other report findings include:

• 21% of clients that purchased a cyber policy reported an event in 2023.
• In 2023, events were driven by factors including increased sophistication of cyberattacks; the MOVEit event, a wave of cyberattacks and data breaches that began in June of that year, highlighting supply chain vulnerabilities; and privacy claims.
• Ransomware represented less than one-fifth of claims reported, but remained a top concern for organizations given their increased frequency, sophistication and potential severity.

The record number of events in 2023 followed a dip in extortion events in 2022. The reasons for the decrease in 2022 is hard to say, but cybersecurity experts inside and outside of Marsh cite a temporary move away from data encryption toward exfiltration, disruptions brought on by the start of the Russia-Ukraine war, decreased willingness of some companies to pay and the successful “infiltration” of a particular ransomware group by the FBI.

The median extortion payment fell from $822,000 in 2021 to $335,000 in 2022. That trend was reversed in 2023, when the median payment increased from $335,000 to $6.5 million and the median demand increased from $1.4 million to $20 million. The percentage of the median demand paid increased from 24% in 2022 to 32% in 2023, according to the report.

During the last five quarters, the median cost of breach response expenses remained at $160,000, while the average trended from $963,000 in the third quarter of 2023 to $1 million in the fourth quarter, primarily due to a few large cyber events, Marsh said.

Ransomware claims also rose in 2023, but the report shows the number or reported ransomware events has remained under 20% of reported claims for the past two years.

“This means that privacy claims and system attacks leading to unauthorized access and potentially exposed data without an extortion component comprise a much larger share of cyber events reported by Marsh clients than do those with an extortion component,” the report states.

Another report out in May found 51% of respondents ranked ransomware as the primary cyber concern for the third straight year, with 45% claiming to have been hit by a ransomware attack in the last 12 months. A large majority, 86%, said these attacks included data exfiltration.