Big changes to the cyber insurance landscape have taken place over the past two years, and to a great deal that has been driven by ransomware. A new report from insurer Corvus finds that ransomware continues to be the most costly type of incident, but there are now more cyber insurance claims for fund transfer fraud than anything else.
36% of the company’s claims were related to fund transfer fraud in Q3 2022, hitting an all-time high and outpacing ransomware for the first time in a long time. Ransomware cyber insurance claims remain the most costly per incident, however, at three times the average cost of a fund transfer fraud claim.
Fund transfer fraud most common among claims, but ransomware still costs the most
Fund transfer fraud has always been fairly common and one of the more frequent reasons for cyber insurance claims, never dipping below 25% of the claim total since mid-2021 and making up 28% of all of the claims ever filed with Corvus in company history. But it has lagged ransomware by a substantial amount during the cyber crime surge initiated by the pandemic.
Fund transfer fraud is generally linked to business email compromise attacks, in which fraudsters use everything from spoofed or compromised email addresses to audio deepfakes to pretend to be a company executive and trick a payroll employee into issuing payments from the company coffers. While not as popular or damaging as ransomware has been across the board, this attack type has also surged during the pandemic period. Together, Corvus says that fund transfer fraud and ransomware comprise over 50% of all of its 2022 cyber insurance claims.
Ransomware cyber insurance claims are more costly on average due to damage that stretches beyond the ransom payment; while those payments are sometimes comparable to the amounts taken in fund transfer fraud incidents, ransomware leaves a very costly remediation process behind. This has kept the average ransomware claim at $256,000, as compared to $90,000 for a fund transfer fraud claim.
Fund transfer fraud may be steadily on the rise because automated defenses and employee training for ransomware and malware delivery tricks are slowly improving. Business email compromise offers an alternative that leans much more on social engineering than hacking. Corvus reports that 70% of these incidents reported to them were monetized with fund transfer fraud. A popular starting point for these schemes is to compromise a third-party vendor, and Corvus notes that such breaches were up 66% in 2022.
Cyber insurance claims provide additional insights
The Corvus cyber insurance claims data provides some additional insights about ransomware and the development of other types of cyber attacks in 2022.
One noteworthy item is that 48% of the cyber insurance claims for ransomware attacks in the first half of the year involved data exfiltration, an all-time high. When “double extortion” first started emerging, in 2019 and 2020, it was far from common, employed only by select big-name ransomware gangs. These numbers indicate an attempt to steal data and sell it or blackmail companies with it (or both) should now be expected as a standard element of any ransomware attack.
Ransomware has also had its peaks and valleys over the past two years, but claims have been on a steady decline throughout 2022, and the claim percentage now sits well below what it was in Q1 2022. By contrast, fund transfer fraud dipped in 2020 (as ransomware was riding high) but has since sharply and steadily increased, with claims sitting well above where they were two years ago. However, the report does not note to what degree cyber insurance claims for ransomware are down simply because of tightening of policy requirements and terms and a significant increase in costs.
The United States has also typically been the default target for criminals looking for the biggest paydays, fielding nearly half of global ransomware attacks through much of 2020 into early 2022. This percentage has steadily shrunk to closer to 1/3 of global activity, however, indicating criminals may be expanding their horizons in the face of tougher law enforcement and sanction responses.
The report also notes some key vulnerabilities associated with cyber insurance claims in 2022; while these are generally precursors to ransomware deployment, they can also be used to compromise a trusted vendor as the first step of a fund transfer fraud scheme. In the latter half of the year the Fortinet, Apache Commons Text, Zimbra and assortment of Microsoft Exchange vulnerabilities were all common issues.