Risk Management

2023 an ‘unprecedented’ year for cyber extortion

More cyberattacks include ransom demands, but more organizations refuse to pay

Sarayut Thaneerat/Getty Images


News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

CFOs should understand by now that cybersecurity is an enterprise risk and not just something for those techies in IT to worry about.

New analysis from Marsh shows that cyberattacks aren’t going away. In fact, 2023 was a banner year for one type of attack, the broker found.

Marsh analyzed the 1,800-plus cyber claims that its US and Canadian clients submitted last year. About a fifth (21%) of clients reported at least one cyber event during 2023, within the 16% to 21% range seen over the last five years.

But not everything was business as usual in 2023. According to the report, organizations saw a record number of cyber extortions (282), a 64% bump from 2022. Cyber extortion is a cyberattack that includes a blackmailing component, like when an attacker threatens to release sensitive information if the victim doesn’t pay a ransom demand.

While only a small percentage (17%) of cyber claims included an extortion component, “ransomware remains a top concern for organizations given their increased frequency, sophistication, and potential severity,” according to a Marsh news release. The median ransom demand shot up to $20 million compared with $1.4 million in 2022, and the median payment increased to $6.5 million from $335,000.

While extortion events are up, more companies are clearly over it. Less than a quarter (23%) of victims succumbed to attackers’ ransom demands last year, continuing a downward trend since 2020, according to the report. In 2022, 30% of victims paid the ransom, but in 2021 a majority (63%) paid.

In the report, Marsh credited clients’ cybersecurity investments for the shrinking proportion of organizations that ultimately cave to extortion demands. These investments include “tabletop exercises, incident response vendor readiness, downtime procedures, out of band communication plans, and effective cybersecurity controls.”
