Crime is paying less often for threat actors as improved corporate security measures — and dramatically higher ransom demands — sway more companies to reject extortion payments for seized data.
Less than a quarter of 1,800 companies that submitted cyber claims to Marsh, or 23%, paid ransom demands last year, despite a 64% jump in extortion events from 2022 to a record 282, the insurance broker and risk advisor said in a June 11 report.
In 2021, Marsh noted, 63% of its clients paid an extortion demand to protect data.
Companies, especially larger ones, are “just more resilient than they were three, four, five years ago,” Meredith Schnur, managing director of Marsh’s U.S. and Canada cyber practice, told Legal Dive.
Executives overseeing legal, risk, technology and privacy areas have also grown more sophisticated in their approach to mitigating the effects of hacks relative to just five years ago, she said.
When ransomware “initially reared its ugly head,” attacks were “very fast and furious,” Schnur said. “Companies weren’t ready.”
Threat actors locked down and threatened to release stolen data. “And it was very scary,” she said.
Today, a company struck by ransomware may find that the resiliency measures engineered by its legal, risk, information security and technology departments are sufficient that the business isn’t fully impaired. That can directly affect a company’s decision to pay a ransom.
“With better resiliency, better maturation, you're not necessarily locked down,” Schnur said. “I might be a little bit handicapped at operating, but I can still operate on the data front.”
Surging ransom demands
The median ransom demand soared to $20 million last year from $1.4 million, Marsh found. That yearly claims total was a record, although ransomware attacks represented less than one-fifth of all corporate cyberattacks, relative to data breaches, theft and other hacks.
“Every situation is unique, and a decision to pay or not to pay a ransom can have consequences beyond the specific incident at hand,” the report states.
Globally, ransomware victims paid a record $1.1 billion in 2023, the first year extortion payments topped $1 billion, according to Chainalysis, a blockchain data research and services company.
Another factor in the decision about whether to meet a ransom demand: Many malicious cyber actors are based in Russia, a target of financial sanctions from the U.S. and Europe over the 2022 invasion of Ukraine. The sanctions regime creates legal issues for many U.S. and Canadian companies, precluding payments to entities in a sanctioned country, Schnur said.
Shifting the risk
Even as law enforcement becomes more adept at pursuing cybercriminals — this year an eight-nation international effort snared the most prolific group, Lockbit — companies are likely to transfer their cyber risks to insurers, Schnur said.
The healthcare industry remains ransomware hackers’ top target, owing to its abundance of sensitive patient data, the severity of regulations governing such data and the heightened threat that life-critical medical devices can be compromised, according to the report.
“The more resilient that companies find themselves, and the more the culture around cyber maturation and their journey just gets better and better and better, you can see less payments and then the ransom,” Schnur said.