A record number of Canadian and American companies experienced a cyber extortion event in 2023, and ransom demands reached unprecedented levels, according to a report released last week by global brokerage Marsh.
But despite cybercriminals growing bolder in their ransom demands, an increasing number of companies are refusing to pay, according to the June 11 report, Ransomware: A persistent challenge in cyber insurance claims. The report analyzed more than 1,800 cyber claims submitted to Marsh in Canada and the U.S. last year.
Less than one-quarter (23%) of Marsh’s clients in the two countries impacted by a cyber extortion event in 2023 paid the ransom, the brokerage says in a press release. The 77% that refused to pay reflects a rapidly growing trend — in 2021, only 37% of Marsh clients rejected cybercriminals’ demands.
Overall, 21% of Canadian and American clients that purchased cyber policies reported an event in 2023, consistent with the percentage over the past five years (16% to 21%). However, a record 282 extortion events were reported to Marsh, a 64% increase from 2022.
Ransomware remains a top concern for organizations given its increased frequency, sophistication and potential severity, even though it represents only 17% of all cyber claims filed, Marsh’s report says.
“Indeed, the median ransom demand soared to $20 million in 2023 from $1.4 million, while the median payment made was $6.5 million, reflecting the effectiveness of extortion negotiations,” Marsh says in the release.
In 2023, events were driven by factors such as increased sophistication of cyberattacks, privacy claims and the MOVEit event, highlighting supply chain vulnerabilities, Marsh says.
The global MOVEit data breach affected more than 100,000 people in Nova Scotia, who had personal data stolen, including social insurance numbers, addresses and banking information. This included up to 100,000 people in the province, as well as 13,000 active employees with regional centres for education and the province’s francophone school board.
Hackers also stole personal data from about 25,000 Halifax Water customers, 17,500 water and tax bill accounts from the Region of Queens Municipality, and data from the provincial pension agency.
Not surprisingly, specific industries have been targeted more often than others. “The top five industries among Marsh clients to be affected by cyber events has remained consistent: in 2023, they were healthcare, communications, retail/wholesale, financial institutions and education,” the report says.
Canada has seen a number of cyberattacks recently involving these industries, such as those impacting the Toronto District School Board, London Drugs, the B.C. government and libraries, and bookstore Indigo.
Along with ransomware claims, overall cyber claims reporting also increased in 2023, Marsh says. Still, since rising rapidly in 2020, the number of reported ransomware events has remained under 20% of total reported cyber claims from Marsh clients for the past two years.
“This means that privacy claims and system attacks leading to unauthorized access and potentially exposed data without an extortion component comprise a much larger share of cyber events reported by Marsh clients than do those with an extortion component,” the report says.
In general, organizations should have a cyber resilience strategy that incorporates a view of cyber risk across the enterprise, including its potential economic and operational impact, and that takes account of cybersecurity at vendors and other third parties. Companies should also undertake regular tabletop exercises and response evaluations, Marsh advises.