While ransomware remains a plague on organizations around the world, a new report from commercial insurance firm Corvus indicates that ransomware costs are being cut considerably due to better preparedness. And though cyber insurance claims spiked in early 2021 due to the Microsoft Exchange vulnerability, they have been on a steep downward trend since.
Cyber insurance claims spike following major vulnerability, but down overall on the year
The Corvus Risk Insights Index is a new study, but one that is planned to be released quarterly. This inaugural Q4 2021 edition draws from the company’s claims database, proprietary security scanning technology and select third-party sources.
Though it may seem an obvious point, the report drives home that improvement of basic security fundamentals leads to significant immediate improvements. An increased awareness of both email security and proper backups appears to be putting a dent in ransomware costs even as the criminal industry surges globally and ransom demand amounts increase.
In Q1 2021, there was a major spike in cyber insurance claims from tech firms due to the fallout of the Microsoft Exchange Server vulnerability. However, claims took a steep downturn as soon as that vulnerability was patched. They continued to plummet throughout 2021, eventually dipping below 2020 levels in Q3.
While incident numbers are down, ransomware costs tend to be up on a per-incident basis due to the increasing prevalence of “double extortion” techniques (in which sensitive documents are exfiltrated and attackers threaten to publicly release them) over the past year. But that is only if a company is caught unaware, without proper backups and without having sensitive information encrypted or partitioned off from public-facing systems. Companies that are not keeping pace with security needs are paying more per breach incident, but ransomware costs overall are actually down due to a tendency toward greater awareness and preparation for attacks.
A breakdown of individual ransomware costs & the influence of security tools
The Corvus report breaks down some of the individual ransomware costs that are generally associated with cyber insurance claims. One cost that is sometimes overlooked is the possibility of litigation after sensitive data is stolen, or if a vital service is denied due to a system being inoperable.
The numbers show that the larger an organization is, the more likely it is to experience litigation costs. The smallest businesses, those with no more than 10 employees, see only about a 24% chance of being taken to court in the wake of an attack. That number steadily increases to a 76% chance for companies with at least 250 employees.
Certain industries are also at increased risk of ransomware costs owed to litigation, and are more likely to sue a vendor due to a breach. The most litigious groups by far are media companies and, somewhat surprisingly, metals manufacturers. Other vendors at substantially elevated risk include those working in finance, insurance and retail trade. However, though it is now possible for a ransomware attack to result in a death due to non-functional equipment, the health care industry is actually the least likely to take a vendor to court.
A full breakdown of costs in cyber insurance claims will not be available until 2022, but data from 2020 shows that breach responses were by far the most costly aspect of claims. Contingent business interruption, or lost revenue due to outages caused by an attack on a third-party supplier, was also a disproportionately large factor.
The report also notes two major security trends among organizations that directly contributed to the general reduction in ransomware costs. One is the gradual replacement of highly vulnerable remote desktop protocol (RDP) systems. About 50% of existing RDP systems were dropped in favor of more secure options in the past year, something heavily driven by pandemic conditions and shifts to remote work models. Prior to the start of the pandemic, as many as 10% of organizations were still using RDP systems; that number has now dropped all the way to no more than 4%.
The other reduction to ransomware costs came from a 158% increase in the use of email security tools since the start of the pandemic. Certain industries increased their use of these tools by up to 400%. However, the report notes that the total number of organizations using these tools is just a little over 16% even with these substantial increases. The study found that quality email tools tend to reduce phishing incidents in cyber insurance claims by 45%, and to drop claims by half overall.
Ransomware payment amount up; companies making payments down
The average ransom payment amount is up, but the number of companies making those payments is down. Payments have steadily declined from 44% of incidents in Q3 2020 to 12% in Q3 2021. Ransomware gangs are getting more out of the organizations they can still coerce into paying, however, ballooning the average payment to $290,000 in Q3 of this year (up from $114,000 in Q2).
The preparation of companies as the central factor in these changes to cyber insurance claims is supported by the rate of ransomware incidents staying relatively stable since 2019. There have been peaks and valleys, but Q3 2021 saw about the same amount of attacks as occurred in Q3 of both 2020 and 2019.