Understanding the Game in Order to Win

Current trends in cyber claims and cyber insurance

April 02, 2024

Those who have had the unfortunate experience of navigating a cyberattack can attest that the expenses associated with a cyber incident go beyond the basic restoration costs, and sometimes beyond what may be covered under a cyber insurance policy. Understanding trends in cyberattacks and the nuances of cyber insurance can help businesses better prepare to prevent an attack in the first place, and recover should one occur.


Generally speaking, the main objective of any threat actor is to monetize the attack, and they will accomplish this in several ways. Ransomware and wire fraud are on the rise, and have been throughout the past decade. However, in 2022, there was a decrease in reported ransomware activity while wire fraud saw a significant increase.  

Historically, threat actors deployed ransomware and encrypted data, forcing many organizations to pay the ransom to get their data back. Recently, however, with a greater number of available solutions and organizations prioritizing data backup, threat actors have been using what is known as a double extortion method: Data is exfiltrated in addition to being encrypted, and then a ransom for the decryption and deletion of the stolen data is demanded.

In this new trend, actors enter systems and slowly exfiltrate small amounts of data at a time until they have a sufficient amount of sensitive data. Then they threaten to publish the sensitive data. Threat actors are calculated in their approach, accessing systems well before making any ransom demand and slowly exfiltrating small amounts of data to avoid endpoint detection and response (EDR) tools.  

Wire fraud continues to be rampant because it allows threat actors to quickly monetize without having to negotiate a ransom demand. For most wire fraud losses, the main attack vector has been via phishing email followed by a business email compromise. This can happen on either side of the parties involved in a financial transaction.  

Zero-day exploits are also increasingly common. Threat actors can exploit a single unknown vulnerability of a vendor’s or developer’s product that is widely used by enterprise customers. This often takes place when a threat actor exploits a bug or a flaw in the program before the developers have a chance to address it—a tactic that can be efficient and lucrative because it often affects many enterprises using that product at the same time.  


Many organizations underestimate their insurance needs as they relate to cybersecurity. Small- and medium-sized enterprises often do not think they are at risk for a cyberattack because of their small size, or because their industry does not serve as an appealing target for threat actors. However, many threat actors target organizations that may have limited resources and budgets for cybersecurity because it is easy to exploit vulnerabilities without detection.  

For cyber insurance brokers, educating organizations on basic preventative measures—such as enforcing multifactor authentication (MFA), testing and backing up data, data segmentation, and implementing an incident-response plan and testing it via tabletop exercise—even before they consider cyber insurance will go a long way to add value and build trust with clients.  

Also, cyber insurance has evolved from a reactive financial safety net to a proactive partner and enabler of cyber resilience. Many cyber insurance products have value-added services and continuous monitoring to try to prevent cyberattacks from occurring. As the threat landscape constantly changes, the only way to try to reduce risk is through active insurance that includes ongoing monitoring and threat detection.  


Many cyber insurance policies offer modular coverage, but one event can hit all coverage modules, so it is important to be aware of the appropriate coverages available to meet an organization’s needs. With the uncertainty of cyber losses, it is also important to be aware that some carriers are pulling back on coverage by including conditional coverage through coinsurance provisions, sublimits, higher retentions, and exclusions added by endorsement. Some reduced coverages can include: 

• Social engineering/wire fraud/fraudulent transfer of funds/e-crime. Depending on the situation (who is doing the wiring of funds), certain financial losses such as invoice manipulation or voluntary wire payments may not be covered by insurance. It is important to understand the policy language and the scenarios contemplated for coverage. 

• Business interruption. While business interruption losses are generally covered, the coverage itself varies among carriers. Waiting periods, typically around eight to 12 hours, mean that businesses may be responsible for losses during this period, which can be significant on busy days like Cyber Monday. 

• Regulatory matters. Some policies exclude coverage for incidents that result in costs incurred for regulatory investigations, lawsuits, settlements, and fines due to the potential for substantial financial penalties. 

Along the lines of unpredictable losses, certain conditions of a cyber policy often require steps to help prevent a cyberattack in the first place. While many cyber carriers will require a combination of protections to be in place, it is good cybersecurity hygiene to implement as many as possible:  

• MFA should be both implemented and enforced. Some insurers will require MFA to be implemented beyond individual email account users, including administrative controls, VPNs, and Remote Desktop Protocol.

• Segregation and segmentation of data. An organization’s key strategies should focus on segregating its most mission-critical data and ensuring the data is inventoried.  

• EDR and anti-malware. Organizations should deploy EDR to monitor network endpoints for malicious threats and ensure anti-malware software is in place to secure all software endpoints. It is critical to not only have it in place, but also to implement it, operationalize it, monitor it, and demonstrate that it is working.  

• Dual authentication for fund transfers. Consider implementing dual authentication processes for wiring funds to prevent unauthorized transfers and mitigate the risk of financial loss. 

• Training and awareness. An organization’s employees are its greatest asset, and they are in the best position to prevent cyberattacks in the first place. Conduct interactive training programs to educate and engage employees on cybersecurity awareness.

A comprehensive cyber insurance policy is often necessary, as more than one insuring agreement may be triggered. For example, many policyholders view a wire fraud loss in isolation, meaning they are focused on the actual financial loss. However, it is crucial to investigate the exposure beyond just the financial piece and assess if any systems were accessed and if data was compromised while the threat actor was perpetrating the wire fraud.  

Because of the fast pace at which cyber coverage is evolving, it is imperative to ensure the claims team is experienced and knowledgeable. A skilled cyber adjuster will not only take the lead on the incident-response process and serve as a project manager during the investigation, but will also analyze coverage under the policy, clearly explain how the coverages work, and manage expectations. The ability to do this quickly will help manage exposure and mitigate the negative financial and reputational impact on the organization.

About The Authors
Kirsten Mickelson

Kirsten Mickelson is the cyber claims practice leader at Gallagher Bassett Specialty. kirsten_mickelson@gbtpa.com
