Cyber Claims Stabilized in 2022, but Cyber Crime Remains a Threat

While the digital economy has increased cyber risks and organizations' exposure to disruptive events such as ransomware, cyber claims stabilized in 2022, according to a report from cyber-insurance provider Coalition.

Coalition's 2023 Cyber Claims Report notes that the interconnected nature of technology has increased concerns about the possibility of a widespread cyber catastrophe.

But, the report says, 2022 underscored the important impact employees have on cyber security. "Whether failing to patch vulnerable software, using outdated technology, or clicking on malicious links, employee actions were the greatest contributing factor to organizations that experienced a cyber insurance claim," Coalition's report says. "Conversely, organizations that prioritized security controls and promoted good cyber hygiene saw the benefits of their investments."

Coalition notes that cyber criminals frequently choose the path of least resistance, and the combination of common social engineering techniques and older technologies make organizations easy targets. That's led the US government to release new regulation strategies and lawmakers to call on the private sector to take proactive steps to reduce their risks, the report says.

"The most important lesson from 2022 is that cyber risk is manageable," the Coalition report says. "A majority of the incidents we observed could have been prevented with the right security controls and an active approach to cyber risk management."

The report stresses that while cyber risks stabilized in 2022 after years of turmoil, cyber crime remains a persistent threat. Still, overall claims frequency decreased 22 percent during the year, Coalition says, with most organizations experiencing a decrease in the frequency and severity of cyber claims, while less sophisticated cyber crimes became increasingly popular.

According to Coalition, one of those less-sophisticated crimes, funds transfer fraud (FTF), surpassed ransomware as the leading cyber-crime type, responsible for nearly one-third of all claims in 2022. Ransomware saw a sharp decline among all reported claims during the year, Coalition says, while business email compromise (BEC) remained steady.

Ransomware represented 15 percent of all cyber-insurance claims in 2022, down from 26 percent in 2021 and 25 percent in 2020, according to the report.

The greatest contributor to the decrease in overall cyber-insurance claims frequency in 2022 was ransomware, which decreased 54 percent year-over-year, Coalition says. Meanwhile, claims frequency for all other cyber-event types remained relatively flat.

While claims frequency declined, cyber-insurance claims severity increased by 7 percent in 2022 to an average loss of nearly $169,000, according to the Coalition report. BEC claims were among those seeing increased severity, up 54 percent during the year. At the same time, average claims severity for ransomware and FTF claims remained about the same at $303,000 and $198,000, respectively.

Claims frequency for businesses with less than $25 million in revenue decreased 24 percent in 2022 after a slight increase a year earlier, the report says. Meanwhile, claims frequency for businesses with more than $100 million in revenue also dropped 28 percent in 2022, while midmarket businesses saw frequency decrease 12 percent.

In terms of cyber-claims severity, businesses with less than $25 million in revenue saw claims severity fall 16 percent last year, a considerable change from a 48 percent increase a year earlier. "Nonetheless, the average claim for businesses of this size was still more than $108,000, a substantial loss for small businesses and often the result of limited resources and funds to train employees, patch vulnerabilities, and retire outdated technology," the Coalition report says.

With today's organizations dependent on technology, critical vulnerabilities can turn essential technologies into major cyber risks, Coalition says. That's particularly true if vulnerabilities are left unresolved.

The report says that among Coalition policyholders, those with one unresolved vulnerability of any kind were 33 percent more likely to experience a claim than those that resolved the vulnerability.

"Critical vulnerabilities associated with specific technology products continued to create risk, particularly with Microsoft Exchange," the Coalition report says. "Both businesses with less than $25 million in revenue and businesses with more than $100 million in revenue running on-premise Microsoft Exchange had an increased risk of claims."

Businesses with less than $25 million in revenue with on-premise Microsoft Exchange were nearly twice as likely to experience a claim than those without it, the report says. Businesses with more than $100 million in revenue with on-premise Microsoft Exchange were more than twice as likely to experience a loss than those without it, a 97 percent increase from the prior year, according to Coalition.

The Coalition report notes that end-of-life (EOL) software products that are no longer supported or updated by their original developers are highly vulnerable to cyber attacks. "EOL software reveals targets of opportunity for threat actors; it signals weak security controls or unprotected infrastructure is likely in place, which creates risk for companies," the report says.

Once cyber criminals have targeted an organization, they can launch any number of attacks to gain unauthorized access, the report says. Coalition says among its policyholders, those using EOL software were three times more likely to experience a cyber claim than those that weren't. Over the past 2 years, claims among its policyholders using EOL software have steadily increased across all sizes of organizations, the Coalition report says.

Phishing was the most common method of cyber attacks in 2022, Coalition reports, spiking over the course of the year to represent 76 percent of all claims during the second half of 2022.

"Threat actors have started leveraging AI tools to write credible phishing emails and translate the scams across multiple languages, giving them more time and cover to gain access to a network," the report says.