Not If but When

Cyber attacks are a clear and present danger to business across the globe.

The 2024 Thales Data Threat Report, a survey of 2,961 businesses globally with revenues of $100 million to more than $2 billion, found that malware and ransomware attacks were two of the fastest-growing cybersecurity threats during 2023. Ransomware was more common, with 28% of all businesses surveyed experiencing an attack in that time period, up from 22% cited in the previous survey.

Ransomware attacks have become especially concerning to the insurance industry due to a new trend in cyber claims. As Joshua Parrish, president at Ryan Specialty, explains, “We are now seeing claims in the industry where defendants were not the initial target of the hack, but their client data was hosted by the target. Those impacted by the breach are then filing claims against the company that initially collected the information.”

As an example, he describes a recent breach at software provider CDK Global, in which attackers accessed the Social Security numbers, employment history, driver’s license information, and financial account details for customers of roughly 15,000 auto dealerships using CDK software. “CDK was the target, but the information that is impacted belongs to the auto dealers who use their SaaS [software-as-a-service] product. Those auto dealers might find themselves facing claims from their customers whose data was in CDKs possession.”

Businesses Must Focus on Cybersecurity

Less than half of the businesses surveyed by Thales have a formal ransomware response plan in place and nearly 10% end up simply paying the ransom. More sobering still, Thales found that 43% of businesses surveyed for the report had failed a cybersecurity compliance audit in the preceding 12 months—and nearly a third of those businesses then that year experienced a breach–the exposure of sensitive information to unauthorized actors.

“Every business in the United States should have a cybersecurity technology provider a phone call away,” says Parrish. “No matter how big or small a business is, the nature of our connected economy carries the risk that your business could be impacted by a breach.”

It’s not a matter of if a breach happens—it’s a matter of when. And these incidents are growing more expensive.

According to IBM, the average cost of a data breach for businesses in the United States was $9.48 million in 2023, up 75.5% from $5.4 million in 2013. This cyber threat environment means it’s essential for businesses to develop a response plan to malware. Cyber insurance is a crucial piece of that, as few businesses can bear the full cost of a cyber breach without it. With research firm Cybersecurity Ventures predicting that ransomware alone will cost its victims $265 billion globally by 2031, it’s more necessary than ever for businesses to protect themselves.

“Even if you’re buying cyber insurance, you might not be buying a high enough limit,” Parrish says. “But I do applaud those who are at least addressing this exposure to their balance sheet. It’s still a very small minority of all U.S.-based businesses that have any coverage for a data breach.”