A new report from cybersecurity and cyber insurance startup Coalition Inc. finds that policyholders with as few as one unresolved critical vulnerability are more likely to experience a claim.

The 2023 Cyber Claims Report found that having even one unpatched vulnerability increased the risk of cyber insurance claims by 33%. The report also found that organizations that continued to use end-of-life software — products no longer supported by their original developers — were three times more likely to suffer from an incident.

Notable insights from the report included that in addition to “human inaction” — not patching software — human error is also a primary risk factor among companies that have cyber insurance. Phishing accounted for 76% of reported incidents, more than six times greater than the next-most popular attack technique. In the case of phishing, nearly all cyber insurance claims were a direct result of employees falling for phishing tricks.

Among Coalition’s insured members, phishing-related claims increased by 29% from the beginning of 2022. With its insured members, successful phishing frequently leads to funds transfer fraud or business email compromise events, but the report notes that phishing was also the top path used to get into an organization’s system for any purpose.

“Threat actors are forever looking for targets with weak security controls or unprotected infrastructures – these are the paths of least resistance into a company’s network,” Catherine Lyle, Coalition’s head of claims, said prior to the release of the report. “Unfortunately, that’s why human inaction, such as not patching a publicized critical vulnerability or updating out-of-date software, is a high-risk factor for a cyber incident or cyber claim.”

Other takeaways from the report include that it’s not all doom and gloom when it comes to companies trying to defend against cyberattacks, with Coalition noting a 17% reduction in claims from 2021 to 2022. Fund transfer fraud also dropped slightly in 2022 after rising by 23% in 2021. Among Coalition-insured members, the company was able to recover 66% of lost funds when fund transfer fraud took place.

Coalition also reported that ransomware claims frequency dropped 54% year-over-year and ransomware demands also fell 17.5%, to $1 million in 2022. In 2022, Coalition negotiated ransom payments down for policyholders to an average of 27% of the initial demand.

Image: Coalition