2021 average ransoms paid by quarter was $167K, down 44.2%

In reviewing the evolving cyber risk landscape, a Corvus Insurance report includes a breakdown of the impact of zero-days and third-party risk, updates on ransom severity, ransomware claims rate, and a review of recent key vulnerabilities.

Ransomware claims, costs, and severity

One of the best indicators of overall cybercrime activity is the rate of ransomware claims in the Corvus book of business. Based on claims data, after all of the dire headlines throughout 2021 the end of the year presented signs of improvement:

• In Q4, the rate of ransomware claims reached just half of the peak seen in Q1 2021 — decreasing from 0.6% to 0.3%.
• While the Q3 2021 average ransom paid was atypically high, the entire 2021 ransoms paid by quarter average was ~$167k, 44.2% less than the Q3 figure.
• Overall, fewer ransoms are being paid compared to those demanded. The percentage for the last quarter of 2021 held steady in the low twenties, down significantly from figures that once were over 50%. As recently as Q3 2020, the ratio was 44%.

This decrease in cost and severity can be partially attributed to underwriting entities requiring stronger backups for insurance coverage, which is helping to drive the broader trend toward more sophisticated and resilient approaches to mitigating ransomware risk.

The data also revealed spikes in claims tied to major cybercrime events including the Microsoft Exchange Server vulnerability and the Kaseya ransomware attack. While these events were enough to significantly, but temporarily, impact the month-by-month ransomware claims rate, the overall average severity of claims declined.

As the cyber threat landscape continues to evolve, the report touched on Russia’s ongoing invasion of Ukraine, which has included a hybrid warfare model involving cyber attacks against public and private sector organizations. While attacks have led to increased concerns over potential collateral damage, there was a 30% reduction in ransomware claims frequency from Q4 2021 to Q1 2022 (through March 15), highlighting the fractured ransomware threat ecosystem during a time of war.

Severity is lowered, but not across the board

The overall severity of ransomware costs by industry shifted significantly over the past year. The report indicates a decreasing cost impact on education and social services, while the professional services industry (including but not limited to law firms, consulting firms, and architecture firms) experienced increased ransomware costs. The data highlights that:

• The average claim reached nearly $400,000 within the professional services industry in Q4 2021, by far the highest in that timeframe.
• Healthcare, which saw an alarmingly high average in claim severity to start the year, has returned to a historically low average, with zero ransomware claims recorded in Q4 2021.

The decreasing claims severity within healthcare may be tied to dissipating public fears and subsequent exploitation by threat actors during the height of the COVID-19 pandemic.

SMBs still playing cyber strategy catch up

A Corvus survey conducted in Q4 2021, showed that SMBs are still building their cyber investments. The survey was deployed to Corvus’s Cyber and Tech E&O policyholders, with the nearly 300 respondents’ titles ranging from C-suite to Vice Presidents, Directors, and IT Managers. Participants’ company size ranged from fewer than 50 employees to over 250. The results showed that SMBs are primarily concerned with external threats — attack vectors including ransomware and phishing — and revealed:

• Only 8% of the smallest businesses (with <50 employees) have a dedicated cybersecurity budget.
• Among the largest businesses within the surveyed group — those with 250 or more employees — 18% reported having a dedicated cybersecurity budget.
• Spend on cybersecurity is expected to increase. Sixty percent of participants stated that their security spending is expected to increase with support from their CEO and senior management.
• Of the participants who stated that they need help with security improvements, 72% were companies that lacked a CISO — reinforcing the idea that a CISO can play a large part in improving security posture.

Survey respondents highlighted a lack of resources and the overall complexity of security as key driving factors currently preventing improvements in their defenses. Smaller companies (less than 50 employees) are more concerned with staying current on new threats, while larger organizations are more concerned with vendor breaches, bringing to light the fact that many companies may fail to emphasize and act on the need for an internal security culture.