Corvus: Ransomware Attacks Fall
April 14, 2022
The Corvus Risk Insights Index is a compilation of industry trends and data
analysis based on the company’s proprietary IT security scanning technology, the
Corvus Scan, in addition to results from its Policyholder Cybersecurity
Benchmarking Survey, sent to current Cyber and Technology Errors & Omissions
(Tech E&O) policyholders.
“In support of our mission to make the world a safer place, it is our hope that
this report provides guidance not only for our policyholders, but all of those
seeking to protect their business, employees, and customers from cyber threats,
especially at this critical time in history,” said Jason Rebholz, Chief
Information Security Officer at Corvus Insurance. “Corvus’s real-time data and
AI-powered risk management tools provide unparalleled transparency between our
risk capital partners, policyholders, and brokers and allow us to share these
actionable insights to increase awareness around the current state of cyber risk
to help keep everyone safe.”
In the second edition of the Corvus Risk Insights Index, Corvus’s experts —
including data scientists, underwriters, cybersecurity professionals, and claims
managers — reflect on the past year, current trends, and what’s to come in the
remainder of 2022. In reviewing the evolving cyber risk landscape, the report
includes a breakdown of the impact of zero-days and third-party risk, updates on
ransom severity, and a review of recent key vulnerabilities. To shed light on
concerns and perspectives that are unique to the small- and medium-sized
business (SMB) segment, the report also features insights from Corvus’s first
Policyholder Cybersecurity Benchmarking Survey, which captured insights from
their Cyber and Tech E&O policyholders.
Ransomware claims, costs, and severity
One of the best indicators of overall cybercrime activity is the rate of
ransomware claims in the Corvus book of business. Based on Corvus’s claims
data, after all of the dire headlines throughout 2021, the end of the year
presented signs of improvement:
- In Q4, the rate of ransomware claims reached just half of the peak seen in
  Q1 2021 — decreasing from 0.6% to 0.3%.
- While the Q3 2021 average ransom paid was atypically high, the average of
  ransoms paid by quarter for all of 2021 was ~$167k, 44.2% less than the Q3
  figure.
- Overall, fewer ransoms are being paid compared to those demanded. The
  percentage for the last quarter of 2021 held steady in the low twenties,
  down significantly from figures that once were over 50%. As recently as
  Q3 2020, the ratio was 44%.
This decrease in cost and
severity can be partially attributed to underwriting
entities requiring stronger backups for insurance coverage,
which is helping to drive the broader trend toward more
sophisticated and resilient approaches to mitigating
ransomware risk.
The data also revealed spikes
in claims tied to major cybercrime events including the
Microsoft Exchange Server vulnerability and the Kaseya
ransomware attack. While these events were enough to
significantly, but temporarily, impact the month-by-month
ransomware claims rate, the overall average severity of
claims declined.
As the cyber threat landscape
continues to evolve, Corvus’s Risk Insights Index™ touched
on Russia's ongoing invasion of Ukraine, which has included
a hybrid warfare model involving cyber attacks against
public and private sector organizations. While attacks have
led to increased concerns over potential collateral damage,
Corvus observed a 30% reduction in ransomware claims
frequency from Q4 2021 to Q1 2022 (through March 15),
highlighting the fractured ransomware threat ecosystem
during a time of war.
Severity is lowered, but not across the board
The overall severity of
ransomware costs by industry shifted significantly over the
past year. The report indicates a decreasing cost impact on
education and social services, while the professional
services industry (including but not limited to law firms,
consulting firms, and architecture firms) experienced
increased ransomware costs. The data highlights that:
- The average claim reached nearly $400,000 within the professional services
  industry in Q4 2021, by far the highest in that timeframe.
- Healthcare, which saw an alarmingly high average in claim severity to start
  the year, has returned to a historically low average, with zero ransomware
  claims recorded in Q4 2021.
The decreasing claims
severity within healthcare may be tied to dissipating public
fears and subsequent exploitation by threat actors during
the height of the COVID-19 pandemic.
SMBs still playing cyber strategy catch up
Corvus’s first Policyholder
Cybersecurity Benchmarking Survey, conducted in Q4 2021,
showed that SMBs are still building their cyber investments.
The survey was deployed to Corvus’s Cyber and Tech E&O
policyholders, with the nearly 300 respondents’ titles
ranging from C-suite to Vice Presidents, Directors, and IT
Managers. Participants’ company size ranged from fewer than
50 employees to over 250. The results showed that SMBs are
primarily concerned with external threats — attack vectors
including ransomware and phishing — and revealed:
- Only 8% of the smallest businesses (with <50 employees) have a dedicated
  cybersecurity budget.
- Among the largest businesses within the surveyed group — those with 250 or
  more employees — 18% reported having a dedicated cybersecurity budget.
- Spend on cybersecurity is expected to increase. Sixty percent of
  participants stated that their security spending is expected to increase
  with support from their CEO and senior management.
- Of the participants who stated that they need help with security
  improvements, 72% were companies that lacked a CISO — reinforcing the idea
  that a CISO can play a large part in improving security posture.
Survey respondents
highlighted a lack of resources and the overall complexity
of security as key driving factors currently preventing
improvements in their defenses. Smaller companies (<50
employees) are more concerned with staying current on new
threats, while larger organizations are more concerned with
vendor breaches, bringing to light the fact that many
companies may fail to emphasize and act on the need for an
internal security culture.
“We are in the midst of a
critical and challenging time for security professionals,”
said Phil Edmundson, Founder and CEO of Corvus Insurance.
“As the security landscape shifts and threat actors continue
to evolve their attacks, this report provides the
data-driven analysis critical for organizations to navigate
and prepare for adverse events in this new cyber age.”