The report found that both claims frequency and severity rose for businesses in early 2023 across all revenue bands. Companies with over $100 million in revenue saw the largest increase (20%) in the number of claims, as well as more substantial losses from attacks, with a 72% increase in claims severity compared to the second half of 2022.

Coalition's report also saw a resounding increase in ransomware claims frequency in the first half of 2023, which grew by 27% from the second half of 2022. Ransomware claims severity reached a record high, increasing 61% from the previous half and 117% over last year. Meanwhile, FTF claims frequency increased by 15% in the first half of 2023—and FTF severity increased by 39% to an average loss cost of more than $297,000.

“The cyber threat landscape has become more volatile, and, as a result, we've seen claims become more severe and more common than ever," said Chris Hendricks, head of Coalition Incident Response. “To help prevent these costly and disruptive incidents, organizations need to take an active role in improving their security defenses and make risk management a top priority."

For the ninth straight year, cyber threats were one of the top three business concerns in the annual Travelers Risk Index. Among the 1,200 survey participants from small-, medium- and large-sized companies, the 2023 iteration of the study found that 58% said they worry some or a great deal about cyber, ranking it just behind medical cost inflation (60%) and broad economic uncertainty (59%).

Recently, ransomware attackers have become more aggressive, asking businesses to pay six, seven and even eight-figure ransoms, the Travelers report said. These criminals are deleting backups, and in some cases, threatening to disclose sensitive or confidential data, making it harder for businesses to recover from such an attack. But despite it being a leading cause of cyber-related claims in the industry, ransomware ranked ninth among cyber-specific business worries.

And while 90% of respondents expressed confidence that their company had implemented best cyber practices, an alarming number have not taken steps to prevent or reduce their exposure. As many as 25% of businesses have not taken the essential steps, such as installing firewall or virus protection and implementing data backup and password updates. A much larger percentage say they don't use endpoint detection and response (64%), conduct cyber assessments for vendors (57%) or customers' assets (56%), have an incident response plan (50%), or utilize multifactor authentication for remote access (44%).

Since 2015, the percentage of businesses that have been a victim of a cyber event has more than doubled. Over that time, it has seen a 130% increase. However, the overall number of companies with a cyber policy is increasing. Among medium-sized businesses, 74% said they have a cyber policy, up from 67% in 2022. Large companies came in at 72%, the same percentage as a year ago, while small businesses (34%) are still the least likely to secure cyber insurance coverage. Overall, 60% said their company has cyber insurance; five years ago, it was 39%.

“While the business community has come a long way in preparing for and responding to a cyberattack, the survey results show that more can still be done," said Tim Francis, enterprise cyber lead at Travelers. “A well-designed, multi-layered cybersecurity program can help mitigate the threat of a cyber event, and we encourage organizations to work closely with their independent insurance agent as we all navigate an evolving cyber landscape."

Will Jones is IA editor-in-chief.