The State of Active Insurance: 2024 Cyber Claims Report
Coalition has consistently published cyber claims data for the better part of a decade. In that time, we’ve watched losses climb and fall, seen new vulnerabilities come and go, and supported our policyholders through the volatility of the cyber threat landscape.
Cyber trends of the past tell a fascinating story. Before we dive into the newest findings from Coalition’s 2024 Cyber Claims Report, let’s revisit key lessons from previous reports:
In 2020, we reported cyber losses increasing in frequency and severity and noted the “rise of ransomware,” which accounted for 41% of all reported claims.
In 2021, we predicted that cyber risk would become “the defining risk of our age,” after a nearly 170% increase in ransom demands.
In 2022, we proclaimed that “technology is the most significant driving force of change” after spikes in claims were driven by a lack of investment in cybersecurity.
In 2023, we asserted that “cyber risk is insurable with the correct data and approach” after actively engaged policyholders were found to be more successful at preventing attacks.
These trends and lessons often feel novel and provocative in the moment. But over time, they tell the story of how the cyber insurance industry has evolved and adapted to a dynamic landscape. What’s become clearer with each passing year is that Active Insurance is the solution to address changing cyber risk conditions.
With that in mind, let’s take a look at the biggest trends in our 2024 Cyber Claims Report.
Cyber claims continue to trend upward
Overall claims frequency increased 13% year over year (YoY) while overall claims severity increased 10% YoY for an average loss amount of $100,000. The good news for Coalition policyholders is that 52% of all reported matters were handled without requiring any out-of-pocket payments.
Although it has historically been the largest contributor to claims severity, ransomware only accounted for 19% of reported claims in 2023. Instead, we observed more and more claims originating in the inbox: 56% of all claims were either business email compromise (BEC) or funds transfer fraud (FTF).
Claims frequency and severity increased YoY for businesses of all revenue amounts:
Businesses with less than $25 million in revenue experienced an 8% uptick in frequency and a 10% jump in severity.
Businesses with revenue between $25 million and $100 million saw the sharpest spike in frequency (32%), along with a 9% increase in severity.
Businesses with more than $100 million in revenue saw a 14% increase in frequency and a 21% increase in severity.
Though not as volatile as in years past, the upward trend in claims among Coalition policyholders is indicative of industry-wide trends. As you’ll learn below, Coalition employs various strategies to reduce both the frequency with which these incidents occur and the severity of the incidents that do occur.
The good news for Coalition policyholders is that 52% of all reported matters were handled without requiring any out-of-pocket payments.
Threat actors target popular boundary devices
Boundary devices are a double-edged sword for businesses. As we saw in 2023, the same technology that helps mitigate the risk of cyber threats was frequently targeted in cyber attacks — and some of the most popular devices put businesses at the greatest risk.
Businesses using and exposing any of the following technologies to the public internet were found to be at greater risk of a cyber claim:
Cisco Adaptive Security Appliance (ASA): Cisco ASA users were nearly 5x more likely to experience a claim.
Fortinet: Fortinet boundary device users were 2x as likely to experience a claim in 2023.
Remote Desktop Protocol (RDP): Businesses with internet-exposed RDP were 2.5x more likely to experience a claim when not protected by a boundary device.
Despite the relative claims frequency of these devices, boundary devices remain a critical tool in reducing a business’ attack surface and protecting other types of technology. Coalition encourages all businesses to adhere to best practices to update firmware and monitor all endpoints so they can react quickly if the device is compromised.
As we saw in 2023, the same technology that helps mitigate the risk of cyber threats was frequently targeted in cyber attacks — and some of the most popular devices put businesses at the greatest risk.
FTF remains an easy way to monetize cybercrime
FTF remains one of the most common cyber insurance claims Coalition sees. FTF is a preferred attack strategy for threat actors because it’s an easy and effective way to monetize cybercrime.
In 2023, FTF accounted for 28% of Coalition cyber insurance claims. The frequency of FTF claims increased 15% YoY, while the initial severity of FTF claims increased 24% YoY for an average loss of more than $278,000.
At Coalition, we have good reason to specify “initial severity” for FTF claims: When a policyholder calls us about a possible FTF loss, we don’t just initiate the coverage process and provide the policyholder with a Proof of Loss form. Our claims team snaps into action and does everything within their power to put stolen funds back in policyholders’ pockets.
Coalition claws back $38 million in FTF losses
If a business reports an FTF loss to Coalition, we leverage relationships with government entities and financial institutions to stop payments and “claw back” stolen funds. In 2023, Coalition successfully clawed back more than $38 million in fraudulent transfers.
Clawbacks by the Numbers
$470,000 average clawback per FTF claim when recovery was successful
46% of FTF events had a full recovery when recovery was successful
102% increase in total FTF recovery amount since 2022
$80 million+ in clawbacks since Coalition’s inception
The clawback process is critical and time-sensitive because threat actors often transfer the stolen money between banks and across jurisdictions to cover their tracks. As such, policyholders that report the loss quickly to Coalition have a greater likelihood of recovery.
In 2023, Coalition successfully clawed back more than $38 million in fraudulent transfers.
Ransomware volatility: A tale of two halves
Ransomware claims activity can seem like a rollercoaster from month to month. The frequency of claims has gone up and down over time — likely a result of efforts to take down individual gangs — and the severity of claims fluctuates in the same way.
In 2023, ransomware frequency increased by 15% YoY, primarily driven by a sharp spike in the first half of the year following historic lows in 2022. Ransomware severity also spiked in the first half of 2023 — the average ransomware claim during this six-month stretch was more than $369,000 — but dropped 54% in the back half of the year.
Across the full year, the average ransomware loss was more than $263,000, a 28% increase from 2022. The expenses that go into a ransomware claim include things like forensic investigation, notifications, breach counsel, business interruption, exposure to legal action, litigation, regulatory activity, and public relations impact.
However, the ransom payment itself can significantly contribute to the overall cost, which is why Coalition often works directly with policyholders to negotiate ransoms and lessen the overall impact of these incidents.
Coalition negotiates a 64% reduction in paid ransom amounts
Threat actors demanded more money from Coalition policyholders in 2023. The average ransom demand was nearly $1.4 million, a 36% increase from the year prior.
Choosing to pay a ransom is rarely an easy decision. But when a policyholder decides payment is the best available option, Coalition supports the business and helps to reduce the impact as much as possible.
Among policyholders that experienced a ransomware incident, 40% decided it was reasonable and necessary to pay the ransom. In those instances, Coalition significantly lessened the impact of the ransomware attack and successfully negotiated the payment amount down by an average of 64% of the original demand.
Paying a ransom is not always the answer, which is why our primary approach to ransomware is prioritizing good cyber hygiene and proactive risk mitigation. However, Coalition continues to assert that a blanket ban on ransomware payments is an impractical solution based on misconceptions about cyber insurance.
Adapting to the needs of our policyholders
Volatility across the cyber threat landscape can seem inescapable. However, Coalition found success in minimizing the impact of cyber incidents through data-driven risk selection and active engagement with policyholders in 2023. So, while the frequency and severity of cyber claims trend upward, we’ve continuously sharpened our approach and expanded our capabilities to meet the most pressing needs of our policyholders: We now counteract FTF events with Coalition Clawbacks, cut ransom payments in half via negotiation through our affiliate Coalition Incident Response (CIR), offer Managed Detection and Response (MDR) services through CIR to help address alert fatigue, and so much more.
Coalition believes that mitigating cyber risk requires an active partnership. We continue to see a direct correlation between the technologies businesses use and the risks associated with cyber insurance claims, which is why we promote good cyber hygiene and strong security controls to help businesses stay one step ahead of digital risk.
Looking for additional claims insights or more information on the state of Active Insurance? Download the full 2024 Cyber Claims Report.
