Corvus Insurance has released findings from its second Corvus Risk Insights Index – a compilation of industry trends and data analysis based on the company’s IT security scanning technology, the Corvus Scan.
One of the major findings from the report was that ransomware attacks are down from recent peaks, as the costs and frequency of claims have trended downwards.
The report stated that within Q4, the rate of ransomware claims reached just half of the peak seen in Q1 2021, decreasing from 0.6% to 0.3%.
Whereas the average ransom paid in Q3 2021 was “atypically high”, the quarterly average of ransoms paid across the whole of 2021 was $167k, 44.2% less than the Q3 figure.
In addition, fewer ransoms are being paid compared to those demanded. The report states that the percentage for the last quarter of 2021 held steady in the low twenties, down significantly from figures that were once 50%. As recently as Q3 2020, the ratio was at 44%.
This decrease in cost and severity can be partially attributed to underwriting entities requiring stronger backups for insurance coverage, which is helping to drive the broader trend toward more sophisticated and resilient approaches to mitigating ransomware risk.
Taking part in the Corvus Risk Insights Index were Corvus’s experts, including data scientists, underwriters, cybersecurity professionals, and claims managers, who reflect on the past year, current trends, and what’s to come in the remainder of 2022.
In addition, to shed light on concerns and perspectives that are unique to the small- and medium-sized business (SMB) segment, the report also contains insights from Corvus’s first Policyholder Cybersecurity Benchmarking Survey, which captured insights from their Cyber and Tech E&O policyholders.
“In support of our mission to make the world a safer place, it is our hope that this report provides guidance not only for our policyholders, but all of those seeking to protect their business, employees, and customers from cyber threats, especially at this critical time in history,” said Jason Rebholz, Chief Information Security Officer at Corvus Insurance.
“Corvus’s real-time data and AI-powered risk management tools provide unparalleled transparency between our risk capital partners, policyholders, and brokers and allow us to share these actionable insights to increase awareness around the current state of cyber risk to help keep everyone safe.”
Furthermore, as the cyber threat landscape continues to evolve, Corvus’s Risk Insights Index also touched on the ongoing conflict between Russia and Ukraine, which has included a hybrid model involving cyber-attacks against both public and private sector organisations.
While attacks have led to concerns over potential collateral damage, Corvus has observed a 30% reduction in ransomware claims frequency from Q4 2021 to Q1 2022, highlighting the fractured ransomware threat ecosystem during a time of war.
The report also highlights how the overall severity of ransomware costs by industry shifted significantly over the past year. However, this is not the case across the board: the report indicates a decreasing cost impact on education and social services, while the professional services industry experienced increased ransomware costs.
The report showed that the average claim reached nearly $400,000 within the professional services industry in Q4 2021, which Corvus describes as “by far the highest in that timeframe”.
Healthcare, which saw an alarmingly high average claim severity at the start of the year, was able to return to a historically low average, with zero ransomware claims recorded in Q4 2021.
Corvus states that the decreasing claims severity within healthcare may be tied to the dissipation of public fears, and of their subsequent exploitation by threat actors, seen during the height of the COVID-19 pandemic.
Meanwhile, Corvus’s first Policyholder Cybersecurity Benchmarking Survey, conducted in Q4 2021, showed that SMBs are still building their cyber investments. The survey was deployed to Corvus’s Cyber and Tech E&O policyholders.
The results from the survey showed that SMBs are mostly concerned about external threats, with attack vectors including ransomware and phishing.
The survey also revealed that only 8% of the smallest businesses have a dedicated cybersecurity budget. Of the participants who stated that they need help with security improvements, 72% were companies that lacked a CISO, which reinforces the idea that a CISO can be a huge factor in improving security posture.
Phil Edmundson, Founder and CEO of Corvus Insurance, commented: “We are in the midst of a critical and challenging time for security professionals. As the security landscape shifts and threat actors continue to evolve their attacks, this report provides the data-driven analysis critical for organizations to navigate and prepare for adverse events in this new cyber age.”