This is article part 14 of 15 in this report.
August 20, 2025
Tackling Ransomware: Helping Insurers and Their Clients Keep Pace with Change

Key takeaways
- The level and type of cyber threat will be different from company to company. That also means there’s typically no one-size-fits-all cyber control.
- Companies and insurers need to stay up-to-date on the potential effectiveness and relevancy of certain controls — like end-point detection and response.
- This study can help everyone involved in cyber security better understand, manage and price risk.
Improving cyber-risk posture and minimizing the attack surface area can have benefits and incentives for both the commercial buyer and their insurers. And understanding and sharing valuable insights can be a critical driver in helping to reduce the frequency and severity of cyber security incidents and claims.
Insurance data is important in helping to guide insurers and commercial buyers make better-informed cyber security decisions. Buyers can use the information to understand what can actually move the needle from a cyber-security perspective. Meanwhile, insurers can use it to understand which practices and controls can have a material impact on the frequency and severity of events and claims.
To gain a better view into how security controls and claims correlate, Aon Risk Capital (encompassing Aon’s Cyber Solutions and Aon’s Reinsurance Solutions) conducted a study using red flag data from Aon’s Reinsurance Solutions’ Experience Benchmark Database and from CyQu, Aon’s proprietary eSubmission platform. Red flags are defined as the missing critical security controls that may affect insurability based on key technical underwriting concerns. These issues are reviewed and updated regularly based on market conditions and feedback from Aon brokers, consultants and insurers to help insureds improve their buying process while also helping to improve their understanding of cyber resilience.
The study looked at claims experience and security posture data by size-of-insured buckets — small and medium-sized enterprises or those in the middle market (SME/MM), and “large” companies, defined as those with more than $1 billion in revenue.1
The findings shed new light on the shape of the market and the opportunities available to mitigate risk today — and in the future. With sophisticated ransomware attacks keeping pace with the speed of technology adoption, and IT teams and analysts frequently doing more with less, building a comprehensive cyber security program starts with leveraging data and insights from both commercial buyers and insurers. These insights can help lead to better cyber security outcomes, benefiting both parties — a powerful prospect for all.
Controls and Claims: Insights from the Data and Market Experience
One of the key takeaways from the study was the crucial importance of comprehensive controls for both large and SME/MM companies. High correlation was observed between the security controls themselves for both Large and SME insureds, indicating an insured is likely to not have other controls in place if one or two essential controls are missing. And gaps in security controls, at the outset, impact a company’s insurability.
Importantly, certain controls affect the frequency of ransomware and cyber-attacks, while others affect their severity — and vice versa. Having a comprehensive strategy makes a difference. For instance, practices such as multifactor authentication and phishing education and awareness were observed to play into event frequency, while backup and recovery controls were more likely to affect the severity of an incident. Our CyQu assessment can help companies identify a set of red flags related to severity and frequency and help define a triage plan. Beyond that, gaps in security controls were shown, at the outset, to negatively affect a company’s insurability.
The study shows that ransomware frequency is more closely linked to security controls across large and small to medium-sized companies than non-ransomware frequency. SME/MM-focused portfolios showed a stronger correlation between security controls and claims than large-focused portfolios.
Meanwhile, large ransomware portfolio frequency has generally increased over time, while ransomware red flags have generally decreased, helping to explain the negative correlation between some controls and large ransomware frequency. But the findings don’t negate the need for comprehensive controls and cyber-security practices. In fact, they highlight other factors in the threat landscape that can have a more sizable impact on large-insured ransomware claims than common security controls alone.
The ransomware frequency of SME/MM-focused portfolios (insureds with revenue below $1 billion) is a different story. Frequency has decreased over time, and red flags have generally decreased as well, leading to a positive correlation between controls and SME/MM ransomware frequency.
Other key findings from the study include:
- A drop in ransomware frequency observed for SME/MM businesses between second quarter 2021 and second quarter 2022 coincided with significantly reduced security red flags across all security domains, with the most observable reductions occurring within the domains of email filtering and incident response planning.
- From second quarter 2022 to second quarter 2024, a steady increase in ransomware frequency coincided with a slight increase in reported endpoint detection and response (EDR) red flags and network segmentation/monitoring red flags.
- The change in EDR red flags over time is likely due, in part, to better data capture on end-point detection and response controls over time.
These figures prompt the question: Why does large ransomware frequency appear to be less linked to cyber security controls than SME/MM ransomware frequency? Several factors observed in our study appear to contribute to this dynamic.
- Timing. Data from second quarter 2021 to second quarter 2024 show that large insureds generally have fewer red flags in this analysis than SME/MM insureds, so it is plausible that there would be less downward movement on large red flags than on SME/MM red flags over this time period.
- The nature of large and SME/MM attacks. Attacks on larger companies are often more likely to be tailored to an individual organization, whereas an attack on an SME/MM insured is likely less effort for a threat actor. Therefore, common security issues could be more likely to be exploited for an attack on an SME/MM, potentially contributing to the higher correlation we see in these results.
- Scale. Large-insured CyQu questionnaire responses are less likely to encompass information for the entire company’s network as compared to SME/MM insured questionnaire responses, because capturing a security flaw over a vast, interconnected network is more difficult than doing so in a much smaller SME/MM network.
Understanding the Cyber-Security Landscape — Today and Tomorrow
It is encouraging to see cybersecurity posture improve over time across both SME/MM and large companies, as confirmed by data from Aon’s CyQu applications. SME/MM companies improved by 22 percent, on average, across insureds and the CyQu security domain categories between the second quarter of 2021 and the same period in 2024.
While recent media coverage suggests that the frequency of ransomware incidents is increasing steadily (except for a lull in 2022), ransomware claim frequency compared to size of portfolio on SME/MM-focused portfolios decreased by 40 percent between quarter two 2021 and quarter two 2024.2 The positive correlation between this trend and the changes in security posture for SME/MM companies over the same time period suggests that improved cyber-security controls may be contributing to this favorable ransomware frequency trend.
The data on large-focused portfolios illustrates the changing cyber threat landscape. With ransomware claim frequency on these portfolios increasing between the second quarter of 2021 and the same period in 2024 even as CyQu scores and red flags have improved, it’s clear that large companies typically have different vulnerabilities than SME/MM companies. From greater complexity or legacy technology to the scale of potential payments, controls are only one piece of a larger interconnected cyber strategy. The figures highlight the need for further and granular analyses into how changes in cyber security posture affect the frequency of large-insured claims.
Takeaways for Commercial Buyers and Insurers
A major takeaway from the study — and from decades of working with carriers and buyers — is the importance of taking a complete approach that evolves over time in response to threats and technology changes. Threat actors continually adjust their tactics to exploit the weakest areas, and weaknesses can change rapidly. Changes in the most pertinent security controls are captured in Aon’s CyQu application and its red-flag methodology as the application evolves to adjust the controls captured and the criticality of those controls based on underwriter feedback. Additionally, insureds can benefit from collaborating with Aon’s brokers to identify key risks, understand marketplace trends and assess their loss exposure. This can also help improve renewal outcomes.
Insurers
Insurers can make the most of their extensive experience and control data to better calibrate their expectations for insurability and risk selection. In addition to supporting the establishment of minimum baseline security controls, such data is also essential in deciding which security controls are most important and in portfolio management. Often, systematic analysis of experience and loss data reveals subtle trends that can help insurers evolve beyond a purely “reactive” underwriting and portfolio management posture. Finally, understanding these underlying risk trends can enable insurance carriers to better serve and advise clients on coverage and control optimization and further improve pricing frameworks for individual risks.
All this means that these high-impact, risk-based insights may ultimately promote enhanced underwriting profitability, reduced portfolio volatility and improved client retention rates.
Commercial Buyers
Buyers can use the CyQu assessment to understand their gaps, areas of opportunity and what to prioritize. They can also lean on their claims teams and brokers to provide advice as they develop a comprehensive cybersecurity program. No matter an organization’s size, demonstrating knowledge of risk and effective mitigation strategies, along with investing in controls, can make a difference. Getting knowledgeable and informed advice, especially when it is focused on the relevant industry and type of data or sensitivities, is a critical component in managing and mitigating risk. And it’s just as important to focus on business continuity and recovery measures to help buyers get back on track should an incident occur.
Research Considerations
Because the questions included in the questionnaire change based on market security priorities, Aon normalized the responses to these scores by category so that the correlation between claims and security scores could be compared on an apples-to-apples basis over time. This included dividing the number of missing “critical” controls by the number of possible “critical” controls that could be missing at that point in time.
Severity trends vary significantly by insurance portfolio, so relating insureds’ severity posture to their security posture needs to be done on an individual-portfolio or even policy-level basis rather than at the market level.
Generally, seeing correlation between claims and security scores is difficult at the market level, given the many additional factors driving claim activity. This study would be better conducted by tracking individual insured losses with those particular insureds’ security scores. This would also provide more data points in correlation calculations over a short time frame.
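The two research considerations above, the normalization of red-flag counts when the questionnaire grows and the point that policy-level pairing gives more data points than market-level trend comparison, are illustrated by the following added example. It is not Aon's code and uses no Aon data: every number in it is constructed for the illustration, and the claims-per-1,000-policies unit and the 8-to-12-control questionnaire growth are assumptions chosen to show the effect.

```python
"""Worked illustration of the red-flag normalization step and a correlation
check against claim frequency. All numbers are constructed for this example;
they are not Aon data and the assumed units are illustrative only.
"""
from math import sqrt

# Constructed portfolio-level snapshots. Each tuple: period label, number of
# "critical" controls the questionnaire asked about in that period, average
# number of those controls reported missing, and ransomware claims per
# 1,000 policies (assumed unit). The questionnaire grows from 8 to 12 critical
# controls over time, which is exactly why a raw "missing" count is not
# comparable across periods.
PORTFOLIO_PERIODS = [
    ("2021Q2", 8, 3.2, 5.0),
    ("2021Q4", 8, 2.8, 4.6),
    ("2022Q2", 10, 2.9, 3.7),
    ("2022Q4", 10, 2.4, 3.3),
    ("2023Q2", 12, 2.7, 3.4),
    ("2024Q2", 12, 2.5, 3.0),
]

# Constructed policy-level records for a single period: (normalized red-flag
# share for one insured, 1 if that insured filed a ransomware claim else 0).
INSURED_RECORDS = [
    (0.0, 0), (0.1, 0), (0.1, 0), (0.2, 0), (0.2, 1), (0.3, 0),
    (0.3, 1), (0.4, 0), (0.4, 1), (0.5, 1), (0.6, 1), (0.7, 1),
]


def normalized_red_flags(missing: float, possible: int) -> float:
    """Share of critical controls missing: missing / possible asked."""
    if possible <= 0:
        raise ValueError("questionnaire must contain at least one critical control")
    if not 0 <= missing <= possible:
        raise ValueError("missing controls must lie between 0 and the number asked")
    return missing / possible


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient, written out so it runs on any Python 3."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        raise ValueError("a constant series has no defined correlation")
    return cov / sqrt(vx * vy)


def portfolio_correlations(periods=PORTFOLIO_PERIODS) -> dict:
    """Correlate claim frequency with the raw missing-control count and with
    the normalized share, to show how much the normalization matters."""
    raw = [missing for _, _, missing, _ in periods]
    norm = [normalized_red_flags(missing, possible) for _, possible, missing, _ in periods]
    freq = [f for _, _, _, f in periods]
    return {"raw_count": pearson(raw, freq), "normalized": pearson(norm, freq)}


def insured_level_correlation(records=INSURED_RECORDS) -> float:
    """Point-biserial correlation between an insured's red-flag share and
    whether it had a claim: the same Pearson formula applied per policy,
    giving one data point per insured instead of one per quarter."""
    return pearson([share for share, _ in records], [claim for _, claim in records])


if __name__ == "__main__":
    for label, possible, missing, freq in PORTFOLIO_PERIODS:
        print(f"{label}: {missing:.1f}/{possible} missing -> "
              f"{normalized_red_flags(missing, possible):.3f}, claims/1k={freq}")
    print("portfolio-level:", portfolio_correlations())
    print("policy-level:", round(insured_level_correlation(), 3))
```

In the constructed series the raw missing count barely moves while the questionnaire grows, so it correlates less strongly with claim frequency than the normalized share does; the normalized share is what the article's method actually compares across quarters. The policy-level function shows the second consideration: twelve insureds in one period already give twice as many paired observations as six quarterly portfolio snapshots.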
Large-focused portfolio correlation metrics were sensitive to updated data in cases where SME/MM-focused portfolio results stayed more consistent in Aon’s Trend Study year over year. This is because large-focused portfolios have a much smaller number of claims than SME/MM-focused portfolios, causing volatility in frequency results.
The findings and recommendations take into account potential differences in questionnaire responses between SME/MM and large insureds, as well as the self-reported nature of the questionnaire data, as described throughout the article.
References
[1] Aon’s Experience Benchmark Database, where the claims information is extracted from, splits loss experience by insurer segments, so an approximately 60 percent threshold is used to determine whether a portfolio segment is classified as “large” or “SME/MM.” In the study, SME/MM represents insureds with revenue below $1 billion per year, while “large” represents insureds with $1 billion or more in revenue per year.
[2] Reinsurance Experience Benchmark Database.
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.