The average ransomware loss hit $353,000 this year 📈

How Broker Roles Evolve Alongside Claims Trends

How Broker Roles Evolve Alongside Claims Trends

Businesses are getting hit harder and more often with cyber attacks — and they’re increasingly turning to their trusted brokers for guidance.

To help you keep pace with the ever-changing threat landscape, we assembled a panel of Coalition experts to provide additional analysis and key takeaways from our brand-new 2023 Cyber Claims Report: Mid-year Update.

Below, you’ll get first-hand accounts on the latest cyber trends from members of our Claims, Actuarial, Incident Response, and Security Services team. Use these insights to advise clients on new and emerging risks and empower them to prioritize their cybersecurity posture.

It’s no secret that cyber claims increased in the first half of 2023. Overall claims frequency rose 12%, and overall severity rose 42%. The average cost of a cyber claim was more than $115,000 — and businesses with more than $100 million in revenue were hit the hardest.

“When we see significant changes in claims trends, it can certainly make a broker’s job more difficult,” said Austin Aten, Actuary Lead at Coalition. “On a single account, a broker might see three quotes for the same risk with extreme differences in coverage, pricing, and security requirements. This means they have to spend more time investigating the differences in coverage, balancing the tradeoffs between quote options, and guiding their clients through contingencies.”

Now some good news: Coalition policyholders experienced 64% fewer claims than the cyber industry average, with 52% of reported events handled at no cost to the policyholder.

Brokers can use changes in the cyber risk landscape to their advantage. Mandatory security controls can be an opportunity to promote good cyber hygiene, encourage better risk management decisions, and help clients understand the financial impact of their decisions.

“When we see significant changes in claims trends, it can certainly make a broker’s job more difficult." — Austin Aten, Actuary Lead at Coalition.

As ransomware spikes, threat actors demand more money

Ransomware claims severity increased 61% to an average loss of more than $365,000. Amid the spike in activity, Leeann Nicolo, Incident Response Lead at Coalition, offered her observations about what’s new on the frontlines of ransomware negotiation.

“We’ve seen changes in the attitudes of threat actors and their ransom demands,” Nicolo said. “Most threat actors are putting pressure on negotiators to pay as soon as possible, which can add stress to the victims and make them feel like they have no other choice. We regularly see initial demands in the millions, even if the data isn’t very sensitive.”

Some more good news: When reasonable and necessary, Coalition successfully negotiated ransom payment amounts down to an average of 44% of the initial demand.

“We rarely find the low-hanging fruit of open RDP [Remote Desktop Protocol] or brute forcing anymore. The attacks appear to be planned and crafted to exploit businesses in the most secretive manner,” Nicolo said. “Threat actors will even cite the legal ramifications if their data is publicly posted, which indicates they’re doing research, and potentially using artificial intelligence, to quickly review the stolen data.”

No business is immune from ransomware, but brokers can help clients reduce risk by encouraging them to protect sensitive data. This means maintaining backups of all sensitive data, keeping the backups offline from the primary network, and securing them with multi-factor authentication (MFA).

“Most threat actors are putting pressure on negotiators to pay as soon as possible, which can add stress to the victims and make them feel like they have no other choice." — Leeann Nicolo, Incident Response Lead at Coalition

Clawing back stolen funds after fraudulent transfers

Funds transfer fraud (FTF) claims severity increased 39% to an average loss of more than $279,000. As threat actors become more patient and harder to detect, Adam Smith, Claims Counsel at Coalition, revealed his tips for recovering from these incidents and even preventing them altogether.

“It’s about selecting a partner that will go above and beyond to recover lost funds,” Smith said. “In my experience, there’s no policy on the market that’s going to cover a seven-figure wire transfer loss. Choosing a cyber insurance carrier that prioritizes recovery is the best tool a business and its broker have at their disposal.”

Even more good news: Coalition successfully clawed back more than $23 million in fraudulent transfers in the first half of 2023.

“Businesses rarely change their bank account, so alarm bells should go off any time a vendor wants to ‘update’ its banking information,” Smith said. “Always call a trusted contact at the company to verify the change before moving forward with sending any money.”

Brokers should remind their clients to keep a close eye on all money transfers and to notify us if they notice something suspicious. When Coalition is notified within 48 hours of a fraudulent transfer, our odds of recovering some or all of the funds are much higher.

“Choosing a cyber insurance carrier that prioritizes recovery is the best tool a business and its broker have at their disposal.” — Adam Smith, Claims Counsel at Coalition

Microsoft email users experienced more claims

Business email compromise (BEC) and FTF continue to drive claims among our policyholders, and both typically begin with poor email security. To improve risk selection, underwriting, and pricing, Coalition’s Security Services team looked for a correlation between email vendors and the likelihood of a claim.

We found that Microsoft Office 365 users were more than twice as likely to experience a claim than those using Google Workspace, while on-premises Microsoft Exchange users were nearly three times as likely to experience a claim.

Joe Toomey, Head of Security Engineering, shared some advice for brokers with clients that use Microsoft email products: “Avoid using on-premises Exchange and instead use Microsoft 365. Our analysis shows that the risk of ransomware is significantly reduced for businesses using Microsoft 365 compared to those hosting on-premises Exchange.”

Discussions about email vendors are a good opportunity for brokers to explain the additional risk they incur by choosing to continue to host their own email — a choice that will likely affect their cyber premium.

“The best broker is one who is prepared with data to help inform their clients’ decisions,” Toomey said. “Ultimately, the client will make their own decisions about security posture, but a well-informed broker can help influence those decisions not only at the time of purchase or renewal, but also further down the road.”

"Our analysis shows that the risk of ransomware is significantly reduced for businesses using Microsoft 365 compared to those hosting on-premises Exchange.” — Joe Toomey, Head of Security Engineering at Coalition

Want to dive deeper into cyber claims data?

We’ve only scratched the surface. Coalition’s 2023 Cyber Claims Report Mid-year Update is free to download. Explore your copy for more data and expert analysis on the latest trends in cyber insurance from the first half of 2023.

This article originally appeared in the September 2023 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.


This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information. Copyright © 2023. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.