Canadian and American companies experienced a record number of cyber extortion incidents and unprecedented ransom demands in 2023, according to a report released last week by global brokerage Marsh.
But despite cybercriminals becoming bolder in their ransom demands, the June 11 report found that a growing number of businesses are refusing to pay. The report, "Ransomware: A Persistent Challenge in Cyber Insurance Claims," analyzed more than 1,800 cyber insurance claims filed with Marsh in Canada and the United States last year.
Fewer than a quarter (23%) of clients in the two countries affected by cyber extortion attacks paid the ransom in 2023, Marsh said in a press release. The 77% who refused to pay reflect a rapidly growing trend: in 2021, only 37% of Marsh clients refused cybercriminals’ demands.
Overall, 21% of Canadian and U.S. customers who purchased cyber insurance reported incidents in 2023, which is in line with the rate over the past five years (16% to 21%). However, extortion incidents reported to Marsh reached a record high of 282, up 64% from 2022.
According to the Marsh report, while ransomware accounts for just 17% of all cyber claims, it remains a top concern for organizations due to its increasing frequency, sophistication and potential severity.
“Indeed, the median ransom demand will skyrocket from $1.4 million to $20 million in 2023, with the median amount paid being $6.5 million, reflecting the effectiveness of extortion negotiations,” Marsh said in a statement.
Marsh said events in 2023 were driven by factors such as the increasing sophistication of cyber attacks, privacy allegations and the MOVEit event, which highlighted supply chain vulnerabilities.
The global MOVEit data breach affected more than 100,000 people in Nova Scotia, whose personal information, including social insurance numbers, addresses and banking information, was stolen. Those affected include up to 100,000 people across the province, as well as 13,000 active employees of regional education centres and the province’s Francophone school boards.
The hackers also stole personal data for about 25,000 Halifax Water customers, 17,500 water and tax bills from the Queens Municipal Government, and data from the State Pension Board.
Not surprisingly, certain industries are targeted more frequently than others: “The top five industries affected by cyber events among Marsh clients remained consistent in 2023: healthcare, communications, retail/wholesale, financial institutions, and education,” the report states.
Canada has seen a number of recent cyber attacks involving these industries, including against the Toronto School Board, London Drugs, the British Columbia government and libraries, and Indigo Bookstore.
In addition to ransomware-related claims, Marsh said the number of reported cyber-related claims also increased overall in 2023. Still, since the spike in 2020, the number of reported ransomware-related incidents has remained below 20% of the total cyber-related claims reported by Marsh clients over the past two years.
“This means that privacy allegations and systems attacks leading to unauthorized access and potentially compromised data without the extortion element make up a much larger proportion of cyber incidents reported by Marsh’s clients than those involving extortion,” the report said.
In general, organizations should develop a cyber resilience strategy that incorporates an enterprise-wide view of cyber risk (including potential financial and operational impacts) and considers the cybersecurity of vendors and other third parties. Companies should also regularly conduct tabletop exercises and response assessments, Marsh advises.