Zywave FPN

Zywave Cyber Front Page News - Monday, August 19, 2024

   
Ransomware still the top cause of cyber loss, but third-party risk is close behind: Resilience

By Erin Ayers, Front Page News

Ransomware continues to drive cyber claim severity, with 64% of ransomware-related events resulting in a loss and a 411% increase in the financial costs tied to these attacks between 2022 and 2023, according to Resilience’s Midyear Cyber Risk Report.

Resilience observed fewer than 10% of its clients paying ransom to threat actors, but losses for the risk continue to rise due to recovery costs. Ransomware represented 48% of all claims, but 80% of the losses in Resilience’s portfolio in the last 18 months, the company noted.

While ransomware continues to be costly, Resilience also highlighted third-party risk as “the fastest growing area of claims” in its book.

“Major attacks like the ones on Change Healthcare, CDK Global, and AT&T have been wreaking havoc and making headlines, but they also remind us that we’re facing a new status quo. Increased vendor interdependence and M&A activity have created an unprecedented opportunity for hackers, with far more points of failure and potential for human error,” said Vishaal “V8” Hariprasad, co-founder and CEO of Resilience, in a statement.

Vendor-related losses accounted for 35% of all claims in 2023, Resilience said, and in 2024, the percentage already stands at 40% of all claims due to events like Change Healthcare, CDK Global, and a zero-day vulnerability affecting Palo Alto Networks’ PAN-OS software.

“Now more than ever, we need to rethink how the C-suite approaches cyber risk. Businesses are interconnected like never before, and their resilience now depends on that of their partners and others in the industry,” Hariprasad said.

According to Ann Irvine, chief data and analytics officer at Resilience, understanding the full severity of aggregated cyber events like Change Healthcare and CDK will take time, given the business interruption component of claims.

Boosting visibility into third-party risk should be a key goal for the cyber market, she added.

“This has traditionally been a major, major blind spot for the industry,” Irvine told FPN.

However, organizations can take steps to protect themselves, from identifying their critical vendors to readying their backups and maintaining a solid cybersecurity posture.

“We have seen some organizations be more resilient than others so there are ways to manage through these,” Irvine said.

Across all cyber claims, Resilience said it saw a 2.2% uptick in frequency in 2024 from the first half of 2023. If the trends continue, the firm said it would expect an increase in claims in 2024.

Manufacturers and construction companies have seen the biggest increase in cyber claims in 2024 thus far, with manufacturing jumping from 15.2% of all claims in 2023 to 41.7% of all claims in 2024. Construction soared from 6.1% to 25%.

Additional data indicated a few troubling trends – business email compromise remained steady as a cause of loss between 2022 and 2024, but Resilience warned against ignoring the threat.

“In fact, BEC attacks are becoming three times more frequent and are more than doubling in severity among our portfolio,” the firm said in the report.

Resilience also emphasized the human element of cyber risk, finding phishing as the top point of failure for the second year in a row. This data point calls for heightened cybersecurity efforts and training, the firm said.

“While cybersecurity has historically been considered as a line item in a company’s budget, it’s clear that this is insufficient,” said Tom Egglestone, global head of claims at Resilience, in a statement. “Business leaders must adopt a risk-centric approach—one in which security strategies are grounded in the financial translation of cyber threats.”

Managing Editor Erin Ayers can be reached at erin.ayers@zywave.com
