Ransomware and business email compromise (BEC) caused the most cyber insurance claims over the past five years, accounting for 44% of about 7,000 claims examined in NetDiligence’s 2022 Cyber Claims Study.
The percentage of claims attributed to these two causes of loss rose to 50% for claims reported in 2020 and 2021. Of the 7,439 claims across five years examined for the 2022 study, 98% affected small to medium-sized enterprises (SMEs), defined as firms with less than $2 billion in annual revenue.
“Ransomware, along with business email compromise (BEC), will likely remain the primary cyber threats,” said Mark Greisiger, president of NetDiligence, in the report. “However, we have seen first-hand that when organizations have the tools and planning in place to respond quickly and efficiently, they can minimize both the cost and the disruption to their business.”
SMEs faced a five-year average incident cost of $270,000 for ransomware and $96,000 for BEC. The average cost for a ransomware event has risen steadily since 2018, up to an average of $453,000 in 2021. The average ransom demand for SMEs in 2021 came in at $555,000.
For large companies, the average incident cost for a ransomware event dropped to $10.3 million in 2021 from a high of $21.5 million in 2020. Large companies in the study sample faced an average ransom demand of $15 million in 2021.
The number of BEC claims has risen from 80 in 2017 to nearly 300 in 2021. However, BEC events have dropped in severity, down from $180,000 in 2017 to $73,000 in 2021.
The third-highest cause of loss (hacking) posted the second-highest five-year average incident cost at $263,000. However, this average was skewed by a high of $1.2 million in 2017 and has dropped significantly since, landing at an average of $94,000 in 2021.
Across all causes of loss, claims costs vary dramatically, ranging from under $1,000 to over $300 million, according to the report.
“On average, large companies experienced incidents that were up to 90 times more costly than those at SMEs,” NetDiligence said in the report. “However, SMEs experienced large losses as well, with perhaps greater organizational impact—there were 149 SME claims with total incident costs [over] $1 [million].” In fact, one of the largest incidents occurred at a small enterprise, and one of the smallest occurred at a very large company.
NetDiligence found no clear correlation between ultimate costs and either the size of an organization or the number of records. The study fielded many more “recordless” claims—cyber events where no personal data was breached—in the past two years due to the rise in ransomware, wire transfer fraud, BEC and distributed denial-of-service attacks. Such incidents accounted for 80% of the 1,000 claims reported in 2021 and 72% of claims reported over the last five years.
The report noted that business interruption (BI) continues to be a major contributor to incident costs and has risen dramatically since 2018. The five-year average incident cost of a claim involving BI is nearly four times higher than that of a claim without BI, with BI costing an average of $340,000 out of a total average incident cost of $643,000. In 2021, those averages reached their highest point at $707,000 for BI costs and $1.3 million for the average total cost of incidents.
In terms of industries affected, professional services firms represented both the highest five-year average incident cost at $237,000 and 21% of all claims reported. Health care followed, at 10% of all claims and a five-year average cost of $103,000. However, the average incident cost for health care jumped to $541,000 in 2021 from $165,000 in 2020.
Manufacturing, financial services and retail rounded out the top five most-affected industries in the study. Like health care, the financial services sector has experienced a steady rise in average claims costs in recent years, rising from an average of $97,000 in 2019 to $233,000 in 2021.
The study also reported on insurance recovery for claimants. Claim payouts for SMEs covered an average of 75% of total incident costs over the five years studied. For large companies, the five-year average payout covered 45% of total incident costs.
© 2022 Zywave, Inc. All rights reserved