The Corvus Risk Insights Index is a new study that will be released quarterly. This first edition for Q4 2021 is based on the company's claims database, proprietary security scanning technology, and selected third-party sources.
Though it may appear to be an obvious point, the report emphasizes that improving basic security fundamentals results in significant immediate improvements. Even as the criminal industry expands globally and ransom demand amounts rise, increased awareness of email security and proper backups appears to be putting a dent in ransomware costs.
Due to the fallout from the Microsoft Exchange Server vulnerability, there was a significant increase in cyber insurance claims from tech firms in Q1 2021. However, once that vulnerability was patched, claims dropped precipitously. They fell further throughout 2021, eventually falling below 2020 levels in Q3.
While the number of incidents has decreased, ransomware costs have increased on a per-incident basis due to the increased prevalence of "double extortion" techniques (in which sensitive documents are exfiltrated and attackers threaten to publicly release them) over the past year. But only if a company is caught off guard, does not have proper backups, and does not have sensitive information encrypted or partitioned off from public-facing systems. Companies that do not keep up with security needs pay more per breach incident, but overall ransomware costs are down due to a trend toward greater awareness and preparation for attacks.
A breakdown of individual ransomware costs as well as the impact of security tools
The Corvus report deconstructs some of the individual ransomware costs associated with cyber insurance claims. One cost that is frequently overlooked is the possibility of litigation following the theft of sensitive data or the denial of a critical service due to a system failure.
According to the statistics, the larger an organization, the more likely it is to incur litigation costs. The smallest businesses, those with fewer than ten employees, face only a 24 percent chance of being sued in the aftermath of the attack. This figure steadily rises to 76 percent for businesses with at least 250 employees.
Certain industries are also more likely to incur ransomware costs as a result of litigation, and are more likely to sue a vendor as a result of a breach. Media companies and, somewhat surprisingly, metals manufacturers are by far the most litigious groups. Other vendors who face significant risk include those in finance, insurance, and retail trade. Despite the fact that a ransomware attack can now result in death due to non-functional equipment, the health care industry is the least likely to sue a vendor.
A complete cost breakdown for cyber insurance claims will not be available until 2022, but data from 2020 shows that breach responses were by far the most expensive aspect of claims. Contingent business interruption, or revenue lost as a result of outages caused by an attack on a third-party supplier, was also a significant factor.
The report also highlights two major security trends among organizations that have directly contributed to the overall decrease in ransomware costs. One approach is to gradually replace highly vulnerable remote desktop protocol (RDP) systems. In the last year, approximately half of existing RPD systems were abandoned in favor of more secure alternatives, owing largely to pandemic conditions and shifts to remote work models. Prior to the start of the pandemic, as many as 10% of organizations were still using RDP systems; that number has now dropped to less than 4%.
Another factor lowering ransomware costs has been a 158 percent increase in the use of email security tools since the outbreak began. Some industries increased their use of these tools by up to 400%. Despite these significant increases, the report notes that the total number of organizations using these tools is still just a little more than 16 percent. According to the study, quality email tools reduce phishing incidents in cyber insurance claims by 45 percent and cut claims in half overall.
The amount paid for ransomware has increased, while the number of companies making payments has decreased.
The average ransom payment is increasing, but the number of companies making such payments is decreasing. Payments have steadily decreased from 44% of incidents in Q3 2020 to 12% in Q3 2021. However, ransomware gangs are extracting more money from the organizations they can still coerce into paying, with the average payment reaching $290,000 in Q3 of this year (up from $114,000 in Q2).
The fact that the rate of ransomware incidents has remained relatively stable since 2019 lends credence to the importance of company preparation in these changes to cyber insurance claims. There have been peaks and valleys, but Q3 2021 saw roughly the same number of attacks as Q3 2020 and 2019.