The 2023 cyber year in review

Three major trends have dominated the cyber market in 2023 says Jaime Palumbo of Corvus Insurance.

Scammers are becoming more sophisticated, impersonating internal communications from CEOs by using near-perfect email addresses or even bona-fide ones that have been compromised. Credit: dimadesigner/Adobe Stock;

Third-party liability claims

When everyone thinks of cyber, first-party ransomware claims spring to mind, but this year there has been a more significant rise in third-party liability claims driven by pixel and tracking software-related matters.

As more U.S. states pass laws against the collection of personally identifiable information, tracking software claims have evolved. This new trend follows other data privacy trends that also gained traction in 2023 such as the Illinois Biometric Information Privacy Act (BIPA). Due to several plaintiff-friendly rulings, there was an increase in the overall settlement value of these matters in addition to an increase in the number of filings.

The litigation of pixel and tracking software matters is still in the infancy stage. Notwithstanding, there have been some early benchmark settlements – for example, with Meta. The legislation gives individuals the right to private action with statutory damage with a resulting increase in class actions. Meta agreed to pay out $650 million to settle a lawsuit relating to data privacy claims in 2021, while Google paid out $100 million last year.

With first-party cyber claims, such as ransomware, insurers can scan for system deficiencies to help prevent breaches and resultant claims, but third-party liability claims can oftentimes be unpredictable as they arise from conduct that is sometimes unknown by the policyholder.

In 2023, insurers have begun to outright exclude coverage and continue to keep a pulse on new trends as they evolve. Today, plaintiffs’ attorneys are becoming more and more creative when they bring these actions, focusing on any breach of data privacy including but not limited to the wrongful collection or sharing of information without informed consent.

Ransomware: The risk that is never going away

Despite a slowdown in 2022, we have seen an uptick in ransomware incidents in 2023. There are new criminal organizations on the scene, and their tactics are always evolving. Carriers need to continue to be vigilant and ensure their clients are protecting themselves from these threats. However, there are scenarios where you can do everything by the book and cybercriminals still find a way to infiltrate your system.

Unfortunately, there are some insureds who don’t take enough care to implement appropriate protocols and maintain good system hygiene to protect themselves from cyberattacks. Underwriters can mitigate these risks by asking the right questions and applications have been modified in 2023 to interrogate the insured about their systems in greater detail. Corvus underwriters carry out monthly scans throughout the life of the policy to detect any vulnerabilities, such as an open port, so we can notify the client to take preventative action. We also have a dashboard with security questions, and if the policyholder continues to log in, they are given a discount on retention. Cyber risk is constant and evolving, so it’s important that insurers have a continuous interaction with policyholders to assist in preventing claims.

Social engineering claims

Although not always the most costly, this continues to remain the most prevalent type of claim – for fraudulent fund transfers and misdirected payments – that comes into our firm week in and week out – even more than ransomware. Employee error happens across the board, and companies are still falling victim to scams. This is another risk that is never going away, and small to middle-sized companies are particularly vulnerable as they don’t always have the right protocols in place.

Scammers are becoming more sophisticated, impersonating internal communications from CEOs by using near-perfect email addresses or even bona-fide ones that have been compromised. Recently, an insured fell victim to sending a seven-figure sum after receiving a WhatsApp message, while others received text messages. Although most cyber carriers only offer limited coverage for social engineering claims, the risk is significant and can leave the insured out of pocket for large amounts.

Carriers and brokers can educate the insureds by warning them to slow down and check that messages are genuine. It is important to explain social engineering techniques and tactics to the potential insured and ensure they are carrying out due diligence and putting in preventative measures such as double verification.

No matter the type of risk, it’s wise for cyber insurers to have many touchpoints with clients and remain involved throughout the lifecycle of a policy to ensure a positive claim experience.

Related: