cyber resilience framework

Five Predictions on the State of Cyber Claims in 2024

What can our 2023 Mid-Year Claims Report tell us about the state of cyber risk in the year ahead?

by Tom Egglestone

In the ever-evolving world of cybersecurity, claims data can teach us a lot about the state of digital risk. 

The Resilience Mid-Year 2023 Claims Report gave us a fascinating glimpse into how cybercriminal tactics are morphing in the face of enhanced security measures by businesses worldwide.

Attackers have been upping the ante as businesses beef up their cyber defenses. This cat-and-mouse game revealed a strategic pivot to encryption-less ransoms and a resurgence in targeting high-value entities (ie – “Big Game Hunting.”) This shift not only underscores the adaptability of cybercriminals but also flags third-party risk as a critical vulnerability point.

Reviewing data from the past year, we can begin to make predictions for cyber claims in the coming months, such as the continued growth in third-party attacks, more convincing phishing messaging, and more stringent rules around incident reporting. As we enter 2024, the cyber insurance industry must work to stay ahead of these trends to continue supporting their clients and their portfolios.

1. The Domino Effect of Third-Party Vulnerabilities – A Growing Risk for Interconnected Businesses. 

Given the successes of third-party attacks, it’s likely 2024 will see more breaches of third-party suppliers in order to scale the impact of attacks against multiple enterprises. Businesses of all sizes increasingly rely on Third-party and SaaS products for critical IT processes, with the average organization in 2022 using up to 130 SaaS products for front and back-office services. Unfortunately, one weak link in the supply chain is all it takes to cause even the most secure organizations to experience a damaging incident. 

Threat actors can gain wide access to multiple organizations when a SaaS provider is breached, increasing their likelihood of a successful ransom demand. This makes these kinds of attacks both appealing and economical for threat actors. In the first half of 2023, third-party vendor risk became the leading cause of loss that impacted Resilience claims. As a result, Resilience predicts this trend will remain a top cause of loss and point of failure in 2024. 

Organizations must thoroughly audit their third-party providers as these attacks grow more common. Third-party cybersecurity and insurance protocols must meet the same objectives and standards as the organizations that use them to avoid gaps in their attack surface. Continuous monitoring and evaluation of this extended attack surface will be critical to managing this increasingly challenging threat.  

2. The Double-Edged Sword of AI – New Tech Almost Always Presents New Challenges in Cyber. 

As the world begins to change with the widespread use of large language models (LLMs) and AI, social engineering-based cyber attacks will become more proficient and difficult to detect. Previous tip-offs of phishing messages, such as grammatical errors or unusual sentences, will become less effective in determining a false message. The use of AI in human engineering attacks will elevate the believability of these messages in ways we have never seen before, creating a need for even more stringent cybersecurity training. “The reality is there will always be a human in the chain somewhere,” said Tom Egglestone, Global Head of Claims at Resilience, “that is why it is vital that business leaders adopt an approach that considers both the technical and the human elements of cyber risk management.” 

Resilience experts predict that the advancement of AI will have a two-fold impact on claims in 2024, with an increase of successful social engineering attacks as well as a continued growth in supply chain and third-party breaches conducted through weaknesses within systems powered solely by AI. Organizations should be cautious of an overreliance on automated systems, which have the potential to be easily exploited in their early phases. Businesses using AI within their supply chain must remain vigilant and keep a human in the loop to manage and monitor these processes as we come to better understand the vulnerabilities they create. 

3. Navigating the Regulatory Maze – New Rules Lead to New Cyber Risk Management Strategies. 

2023 saw significant changes and additions to global legal frameworks around cyber risk management. With these changes, we will likely see an increase in cyber claims across the insurance industry. In 2023, seven new US states finalized amendments and passed comprehensive legislation around data privacy. As similar regulations are more widely implemented, the definition of a privacy breach will continue to develop, potentially resulting in more claims being filed. 

Resilience predicts that the new SEC rules for public organizations may also lead to increased reporting and a critical differentiation in how organizations respond to cyber incidents. The rules require public companies to “disclose any cybersecurity incident they experience that is determined to be material” and to “periodically disclose their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats.” Going forward, public business leaders will need to consider these elements in a more strategic and holistic way to prepare for this annual disclosure.

4. SEC Rules Altering the Cyber Playbook – Shifting Behaviors for Businesses and  Threat Actors. 

The introduction of new SEC rules has already begun to shift threat actor behavior, and Resilience experts predict this will continue. In late 2023, the ransomware group BlackCat/ALPHV leveraged the SEC’s new rules against a victim organization that neglected to notify the SEC within its designated timeframe. When BlackCat realized their breach had not been reported, they contacted the SEC themselves and filed a complaint against their victim for failing to follow the new rules. Fortunately, the impacted organization had not broken the rules because they had not yet taken effect. However, this brazen move is further evidence of the lengths some threat actors will go to elicit a ransom payment, playing both cop and robber in forcing an organization to react. 

The new SEC rules will also impact how public companies approach their cyber risk management protocols and procedures. Organizations will need to shift strategies to remain in legal compliance. Part of the new rules requires annual articulation of cybersecurity risk management strategies, governance, and processes. 

To comply with this requirement, many organizations will need to build more cyber expertise within their executive team. An expert who can articulate strategies, governance, and processes while bridging the gaps between security and insurance will become increasingly necessary to create and manage “a defined program which operates on a standalone basis, with trusted and repeatable outputs.” 

5. Evolving Requirements of Cyber Insurance – The Latest Rules of Resilience 

2023 was an extremely progressive year for cybersecurity regulations. Given these new security requirements, public cyber insurance clients are likely to change their behaviors to remain in security compliance. Considering the SEC’s new rules for regulation and accountability, publicly traded and even private organizations are likely to shift their approaches to incident reporting, articulating risk management strategies, and incident response planning. “While the new regulations apply specifically to be publicly-traded companies, we anticipate it will heavily influence private companies and how they manage their cyber risk,” said Egglestone.

Despite new rules around security, it will be key for public and private organizations alike to remember that a solely compliance-focused risk management strategy could create security gaps that invite the potential for a cyber incident. Resilience recommends instead taking a risk-focused strategy, which means identifying pivotal risks and working backward to maintain compliance while securing what matters most. 

Remaining Cyber Resilient in 2024 will require even further vigilance around human engineering attacks, third-party incident monitoring, and managing compliance standards. Resilience offers tools to help our clients thoroughly address every aspect of their cyber risk while monitoring the threats that matter most to their environment.

You might also like

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer.  The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access […]

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]

Top Three Trends on Cyber Resilience from The World Economic Forum

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.  The term has taken on a new importance in 2024 as enterprise […]

Do you Need Human Brains to make AI Useful in Cybersecurity?

As the world advances with data processing and artificial intelligence (AI) capabilities at a mind-boggling pace, we might feel as if humans are becoming obsolete. This is certainly the question of an endless series of articles that have clogged our inboxes since the release of ChatGPT publicly in late 2022. Maybe this development is a […]

Mastering Cyber Resilience

Cyber Resilience 101, 202, and accompanying Cyber Resilience Workshops are designed to teach brokers the fundamentals of proactive cyber risk management