Report: Cybersecurity Claims for Data Loss Vary Broadly

Cybersecurity claims reported in recent years vary sharply, with larger claims reaching $500 million of data loss and smaller claims as low $1,000.

NetDilligence released its annual report, which analyzes 10,464 claims from incidents between 2019 and 2023.

The report shows 98% of claims were from small- to medium-size enterprises (SMEs) with less than $2 billion in annual revenues. While only 2% were larger companies, these claims accounted for 51% of the total incident cost analyzed in the report ($2.0 billion vs. $3.9 billion), the report shows.

Ransomware and business email compromise (BEC) were the two leading causes of loss. They accounted for 53% of claims in the period studied, and nearly 39% to date in 2023:

• 2,754 claims were due to ransomware, 54% of which occurred between 2021 and 2023 with initial demands as high as $80 million; 15 ransoms were paid as high as $50 million with the average cost of ransom claims at $205.
• 1,714 claims were due to BEC attacks, 56% of which occurred between 2021 and 2023 with the average cost of a BEC claim at $183,000 in 2023.

Other common losses were hacking, wire transfer fraud and staff mistakes, according to the report.

The most affected sectors by number of SMEs claims were professional services, manufacturing, financial services, retail and healthcare. Healthcare was the highest incident cost average per industry ($261,000).

The average cost of business interruptions for SMEs was $487,000, and for larger companies it was $26 million.

To compile the report, researchers asked cyber liability underwriters and carriers to submit claims information. The report also includes data from previously published NetDiligence studies representing 5,473 incidents.