Ghosts, Ghouls and Cyber Claims

  • Date: 25 October 2022
  • Author: Richard Tam

We usually think of Hallowe’en when October rolls around; however, did you know that October is also cyber security awareness month?

NetDiligence recently released the 12th iteration of their Cyber Claims Study. They analyzed approximately 7,500 cyber claims from the period 2017 to 2021.[1] We have summarized several of the key findings below:

  1. Ransomware and business email compromise were the leading causes of loss, accounting for approximately 44% of cyber claims from 2017 to 2021.[2] These were also the leading causes of loss in Canada.[3] Most of the claims are criminal incidents (e.g. hacking, ransomware, malware/virus, social engineering, etc.); from 2017 to 2021, 85% of claims were criminal incidents.[4]

    We note that, in ransomware claims where the ransom amount is known, the average ransom demand has increased from $18K in 2017 to $555K in 2021, which correlates with the increase in the average incident cost from $151K in 2017 to $840K in 2021.[5]

  2. Since 2018, average business interruption and incident response costs have increased significantly. In 2018 they were $152K and $249K, respectively; in 2021, the average business interruption cost was $707K and the average incident response cost was $1.3M.
  3. Below are the top 5 business sectors listed by the number of claims:
    • Professional services
    • Healthcare
    • Manufacturing
    • Financial services
    • Retail

The above is entirely consistent with our own experience in dealing with cyber business interruption (BI) claims. The scariest aspect of cyber incidents is how prevalent and costly they can be for an SME (Small and Mid-Size Enterprise), particularly in some of the above industries.

So what should an SME do if a cyber incident occurs?

As Mark Greisiger, President of NetDiligence, notes: “when organizations have the tools and planning in place to respond quickly and efficiently, they can minimize both the cost and the disruption to their business.”[6]

In other words, have a cyber incident response plan in place before an incident occurs, and develop a network of crisis service providers in advance (e.g. a data security and privacy lawyer to provide legal guidance, a forensic accountant to quantify the economic damages, and potentially a public relations consultant to advise on how to appropriately notify clients, etc.).

Hopefully, with such a plan in place, the only spooky surprises you will encounter this month are the trick-or-treaters.



The statements or comments contained within this article are based on the author’s own knowledge and experience and do not necessarily represent those of the firm, other partners, our clients, or other business partners.

  1. NetDiligence Cyber Claims Study 2022 Report, page 1.
  2. Ibid.
  3. NetDiligence Cyber Claims Study 2022 Report, page 47.
  4. A non-criminal event includes staff mistakes, programming errors, lost laptops, etc.
  5. NetDiligence Cyber Claims Study 2022 Report, page 31.
  6. NetDiligence Cyber Claims Study 2022 Report, page 3.
