In the unpredictable world of cyber risk, the only real constant is change. 

As soon as businesses patch the latest vulnerability, ten new CVEs appear. If ransomware slows for a quarter, it returns with a vengeance the next. Attackers change primary tactics, opting for whichever risky technology or zero-day offers the greatest ROI. 

Fast-moving trends aren’t only in Vogue — we have our hands full tracking what’s in each season with cyber criminals. 

While fashion forecasting doesn’t necessarily carry over to the cyber insurance industry, we’ve found our own way to track and anticipate trends as they relate to digital risk. Our 2024 Cyber Claims Mid-year Update sheds a light on the latest developments in the threat landscape, thanks to claims data and expert risk insights. 

Looking to make informed decisions on your security staples this season? Let’s take a look at the biggest trends in our 2024 Cyber Claims Report: Mid-year Update.

1. Cyber claims are getting more costly

Overall claims frequency decreased in 1H 2024, dropping from 1.61% to 1.55%, the lowest since 2H 2022. Despite this, overall claims severity increased 14% to an average loss amount of $122,000.

How? Threat actors targeted larger businesses and reaped the benefits with increased paydays. 

Claims severity among businesses with more than $100 million ($100M+) in revenue spiked 140% to an average loss amount of $307,000 — a historic high for this cohort. While business email compromise (BEC) accounted for nearly one-third of all reported claims, ransomware was largely responsible for the increased severity (more on this later). 

2. Third-party disruption creates aggregate risk

The attacks on Change Healthcare and CDK Global dominated headlines in the first half of 2024. Naturally, this led to lengthy discussions about aggregate risk among experts in the cyber industry, but even businesses outside of the technology sector were forced to reckon with the reality of our interconnected world. Both incidents served as illuminating examples of how digital risk can quickly become more tangible for all of us. 

When Change Healthcare went down due to a ransomware attack, medical claims processing slowed or stopped for thousands of hospitals and medical groups. Across the U.S., the disruption impacted more than 90% of pharmacies with total losses projected to reach $1.6 billion. Then, a ransomware attack at CDK Global disrupted a network of 15,000 auto dealers and led to an estimated $1 billion in losses.

Both of these incidents disproportionately impacted businesses with $100M+ in revenue. Nearly 23% of healthcare businesses with $100M+ in revenue were impacted by the Change Healthcare attack, while 75% of auto dealers with $100M+ in revenue were impacted by the CDK Global ransomware event. 

With a focused team of claims handlers, Coalition kept in regular contact with impacted policyholders during both incidents, sharing information about likely timelines for restoration, as well as alternative software options and workaround solutions. 

3. Ransomware severity spikes

In 1H 2024, ransomware gangs prioritized their ROI. Despite frequency dropping from 0.31% to 0.28%, overall ransomware severity increased 68% with an average loss amount of $353,000.

While ransomware severity fell from an average of $402,000 to $239,000 over the course of 2023, the lull in activity was short-lived. As to be expected with season patterns we’ve observed in the past, ransomware actors returned in 1H 2024 with dollar-signs in their eyes.

Ransom demands were up 1% in 1H 2024, with an average demand of $1.3 million. When reasonable and necessary for a Coalition policyholder to pay the ransom, we successfully negotiated the amount down by an average 57% of the initial demand. 

4. Business email compromise drives claims

More than half of all claims originated in the inbox — and as more scammers utilize artificial intelligence (AI) to enhance their attacks, it seems unlikely we’ll buck this trend anytime soon. In 1H 2024, overall BEC frequency increased by 4%, and this single method of attack made up one-third of all claims. 

Again, businesses with 100M+ in revenue were hit the hardest, with a 60% spike in BEC frequency. Certain industries felt a varying level of heat from BEC frequency:

• Financial services businesses ($25M-$100M) saw a 390% increase 

• Consumer discretionary businesses ($100M+) saw a $250% increase

Despite the sharp increase in frequency, attack severity actually decreased 30% in 1H 2024 to an average loss amount of $26,000.

5. FTF frequency and severity drops

The frequency and severity of funds transfer fraud events (FTF) events dipped in the first half of 2024. This follows $10 billion in losses to fraud in 2023, according to the Federal Trade Commission. Unlike previous sections, the 100M+ revenue band experienced an 11% drop in FTF frequency in 1H 2021. 

Meanwhile, FTF initial severity decreased 15% in 1H 2024, to an average loss amount of $218,000. 

Coalition Clawed Back $10.8 Million 

If a policyholder experiences an FTF event, we take it as an opportunity to spring into action — not just provide a Proof of Loss form.  We work with government agencies and financial institutions to “claw back” stolen funds before they land in a threat actor’s bank account. In 1H 2024, Coalition successfully clawed back $10.8 million with an average recovery of $208,000 — bringing Coalition’s lifetime clawbacks to $94 million. 

6. Exposed login panels put businesses at 3x greater risk

From our own claims activity, we have a bird’s-eye view of the threat landscape and what vulnerabilities are currently driving financial losses for businesses. As we observe these trends in attack vectors, it’s our responsibility to pinpoint how our policyholders can strengthen their defenses. Addressing risky technologies is proven to decrease the likelihood of a claim. 

In 1H 2024, exposed login panels, or login screens, were among the most significant technologies putting businesses at increased risk. These serve as a way for users to access a website or application. By default, many businesses’ essential applications are web-accessible, but this leaves them visible to threat actors trolling the internet for easy access. 

Businesses with internet-exposed login panels were 3.1 times more likely to experience a claim in 1H 2024. 

There are legitimate reasons for businesses to have login panels visible to the public internet, such as with virtual private networks (VPNs). In these cases, Coalition advises that businesses enforce multi-factor authentication for all VPN users and that they run the latest firmware. This helps prevent brute force attacks, compromised credentials, and known vulnerabilities. 

The solution to cyber trend cycles

Threat actors are constantly dedicating time and resources to find new ways to profit off of their victims — and we don’t expect them to quit anytime soon. Given the speed and unpredictability of cyber trends, businesses need a risk partner that can keep up. 

Which is exactly why we’re dedicated to differentiating Active Insurance from traditional cyber products. By pursuing security research efforts to identify threats sooner, delivering security solutions to help prevent cyber events, and working with policyholders through the entire policy period, we’re prioritizing proactive response. 

Trends may come and go, but innovative solutions are here to stay. 

Looking for additional claims insights or more information on the state of Active Insurance? Read our full 2024 Cyber Claims Report: Mid-year Update. 

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.

Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc. (“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.