Extortion attempts such as ransomware attacks are on the rise again. Companies may want to consider cyber insurance policies to protect themselves.
Client companies insured by Marsh reported a record number of cyber extortion attempts in 2023, roughly 65% more than in 2022. Marsh posits that cyber crooks were scrambling in 2022 due to “a (temporary) move away from data encryption toward exfiltration, disruptions brought on by the start of the Russia-Ukraine war, decreased willingness of some companies to pay and the successful ‘infiltration’ of a particular ransomware group by the FBI.”
The days of five-to-low-six-figure ransom demands are long gone. “The median extortion payment dropped from $822,000 in 2021 to $335,000 in 2022,” Marsh reports. But “this trend was reversed in 2023 as the median payment increased from $335,000 to $6.5 million and the median demand increased from $1.4 million to $20 million as cyber criminals grew bolder.”
Fewer extorted companies are paying ransom than just four years ago. One reason: Companies are doing a much better job of backing up their data. They can also more easily determine whether threat actors (TAs) possess valuable data or basic customer info that's already on the dark web.
TAs also killed the golden goose — once upon a time, ransomware pirates held up their end of the bargain and returned stolen data and/or unlocked companies’ systems after being paid. Then the dirty crooks started selling companies’ data to other TAs, or publishing customers’ data anyway, after their victims already paid up. Now companies are much more likely to not bother paying, because what’s the point?
Extortion Threats Mitigated with Cyber Insurance
A significant cyber attack can put a company out of business. At the very least, some customers will flee to “safer” providers. That can lead to a drop in revenue, job losses and declining market share for a vulnerable business.
Cyber insurance (CI) policies, like those provided by Marsh, can help save the day. There are different levels of coverage to choose from:
- first-party CI for internal business interruption, data recovery, legal and regulatory costs
- third-party CI to cover liability for damages, plus legal and forensic investigation costs, associated with customers, and
- network security coverage for malware, ransomware attacks, email compromise schemes and the like.
Annual policy coverage can range from $500 to $5,000 for small businesses and $5,000 to $50,000 for mid-sized employers. Policies include out-of-pocket deductibles.