Businesses Report Increase in Cyberattacks in 2024

Despite a drop in risk ranking, cyber attacks continue to grow with two-thirds of businesses reporting an increase in incidents, Hiscox survey finds.

Cybersecurity and privacy concepts to protect data.

Despite a drop in perceived risk, cyberattacks are increasing in frequency and sophistication, with payment diversion fraud emerging as a potent threat and businesses ill-prepared to manage the financial and reputational risks, according to a Hiscox survey on cyber readiness.

Cyberattacks dropped to third place among perceived top business risks in 2024’s survey, down from first place in 2023 and 2022, the survey found. However, 67% of firms surveyed report an increase in cyber incidents over the past year, with the average number of attacks per organization rising to 66 from 63.

Hiscox surveyed 2,150 cyber security professionals in eight countries, including 400 U.S. participants. The survey found that the number of cyberattacks varies by size of company, with firms that have 250-999 employees facing the largest average number of attacks, or 109. Larger firms, with 1,000 or more employees, reported 94 cyberattacks on average, while companies with 50-249 employees saw 53 incidents on average.

Payment diversion fraud has emerged as a particularly potent threat, affecting 58% of organizations, up sharply from 34% in the previous year. This type of attack, where cybercriminals redirect legitimate payments to their own accounts, can result in significant financial losses for businesses.

Adding to the concern is the fact that many companies are ill-prepared for these financial risks. More than a quarter of business leaders, 26%, admit their organizations lack sufficient resources to effectively manage the financial threats associated with cyber security incidents.

Reputational Concerns

While the immediate financial impact of cyberattacks is a top concern, business leaders are increasingly worried about the long-term reputational damage these incidents can cause. Among respondents, 61% believe that a cyberattack could significantly harm their business’s reputation, and 64% fear they risk losing business if they fail to handle client and partner data securely.

According to the survey, the adverse impacts of cyberattacks have increased in the past 12 months were. Some 47% of respondents reported greater difficulty attracting new customers after a cyberattack in 2024, up from 20% in 2023. Lost customers was reported by 43%, double the 21% citing this impact in 2023, and bad publicity was reported by 38%, up from 25%.

Ransomware Response Drivers

The fear of reputational damage is also influencing how companies respond to ransomware attacks. When faced with such threats, organizations are primarily motivated by three factors: protecting customer data, safeguarding their reputation, and recovering their data. These priorities underscore the complex decision-making process companies face when dealing with cyber extortion, Hiscox noted.

However, giving in to ransom demands is far from a guaranteed solution. Only 18% of victims who paid a ransom were able to fully recover their data, the report stated.

Entry Points and Vulnerabilities

Business email compromise remains the primary entry point for cyberattacks for the second consecutive year, at 54% of attacks. However, corporate servers in the cloud have climbed to the second most common point of entry, at 50%, followed by employee access points at 46%.

The rapid adoption of new digital technologies is introducing additional security risks, the report noted. Bring Your Own Device (BYOD) policies are a growing concern, with 44% of organizations reporting an increased risk from employees using personal devices for work. These devices often lack up-to-date security software and centralized control, making them more susceptible to malware, phishing attacks, and data breaches, according to the report.

Despite security concerns, 70% of organizations have already integrated Generative AI (GenAI) into their operations. This widespread adoption comes with its own set of risks, as 56% of business leaders believe GenAI will significantly impact their cybersecurity risk profile, the survey found.

Resource and Expertise Gaps

Many organizations are struggling to keep pace with the evolving threat landscape, according to Hiscox. A third of firms (32%) admit to falling behind in adopting necessary cybersecurity technologies. The shortage of skilled professionals compounds this problem, with 52% of firms reporting a critical lack of cybersecurity expertise.

This skills gap is having a tangible impact on security measures, as 34% of organizations acknowledge that their cybersecurity efforts are compromised due to a lack of expertise in managing emerging technology risks.

Cyber resilience has become a critical component of business strategy. Three-quarters of firms recognize its vital importance, with 44% considering it extremely important. However, despite this awareness, 40% of businesses classify their cyber resilience maturity as either “basic” or “ad hoc,” indicating a lack of formal processes and limited training and awareness. Also, 34% of leaders admit their organizations are not adequately prepared to handle cyber attacks.

Strategic Priorities and Investment

To address these shortcomings, businesses are focusing on key areas for improvement. Over the next 12 months, top priorities for enhancing cyber resilience include updating existing security technologies (36%), improving employee awareness (32%), and enhancing threat detection capabilities (31%), the survey found.

By 2030, two-thirds of firms aim to implement zero trust architecture, a strategy that requires strict verification for all users attempting to access sensitive data, regardless of their location inside or outside the network.

View the full Hiscox report here. &

The R&I Editorial Team can be reached at [email protected].

Vermont’s Future Is Golden

Challenging market conditions are driving insureds to captives. Vermont offers a reliable domicile.

By: State of Vermont | November 21, 2024

Hard markets in commercial insurance lines have been a problem for years now. Many lines don’t show signs of softening, though some, like cyber, have ebbed over the past few years.

High claims volumes and costs have caused carriers to tighten terms and conditions, introduce new exclusions and increase premiums. A variety of different risks are included in this market tightening, and it’s affecting both public and private companies.

As Sandy Bigglestone, deputy commissioner for the State of Vermont’s captive insurance division, explained, schools, churches and other nonprofits are contending carriers are “excluding sexual abuse and molestation from coverage for a lot of these types of entities. These organizations understand the risk and the public needs to have confidence the organizations are addressing the risks, so they must have the coverage.”

Though many commercial lines are affected, property has perhaps been hit the hardest. Increased claims, inaccurate property valuations and other challenges have caused insurers to tighten their books in recent years. 2024’s spate of hurricanes will likely make matters worse.

“There continues to be challenges in the commercial market,” Bigglestone said. “Some companies are coming to us with risks that they say they’ve been self-insuring on their balance sheet, and why not transfer that to a captive to receive greater benefits?”

Consistency and Stability

Sandy Bigglestone, Deputy Commissioner for the State of Vermont’s Captive Insurance Division

With the commercial insurance market so unstable, companies are turning to captives to house their exposures. Vermont, a long-time domicile, is getting increased attention because of their strong reputation and their leadership as the top domicile worldwide.

“All stakeholders enjoy the stable political and regulatory environment Vermont has to offer to operate in,” Bigglestone said.

Of course, a lot of consideration goes into deciding whether or not a captive is the right choice for a particular company. Businesses need to assess their exposures and their books to make sure they can adequately operate a captive.

There are significant advantages, however. “For low frequency, high severity risks, captives can access the reinsurance markets directly, so it’s very attractive for businesses to put a captive in place,” Bigglestone said.

And carriers are more accepting of captives as part of a broader insurance program.

“Captives are changing the relationship businesses have with commercial carriers,” Bigglestone said. “Commercial carriers are wanting to see companies with skin in the game; therefore, the relationships have evolved to be less transactional and more strategic.”

Balancing Bureaucracy

With 76 global domiciles, companies have a lot of options when it comes to selecting a captive partner. “Captive insurance domiciles compete globally for the business,” Bigglestone said. “If you were to put all 7,000-plus captive insurance companies around the world, all in New York, it wouldn’t have the same economic impact as 700 captives in Vermont does. The captive insurance industry is very important to our state and we will continue to support it in any way we can.”

Businesses should look for domiciles that balance a need for quality regulations with a process that isn’t overly bureaucratic and is seamless for business owners to navigate.

“Companies are attracted to an environment with quality regulatory standards and a stable regulatory environment,” Bigglestone said. “Vermont sets the regulatory standard in terms of financial analysis and examinations.”

In addition to quality regulations, firms will want to seek out a domicile that is agile enough to license captive insurance companies that fit their unique needs. It is important that a domicile have firm but fair regulation and the experience to consider new ideas and implement them. Companies must consider a variety of factors when choosing a domicile and not everyone will be the right fit for every company.

“You have to consider the captive owner and the industry sector that that owner operates in, as well as the insurance risks that are going into the captive program,” Bigglestone said. “Captive laws and regulations have to have a reasonable degree of flexibility to accommodate all the varying needs of owners and then impose rules based on the merits of each captive program.”

She added that creativity is a critical part of the process: “The ability to vet concepts and ideas with trusted individuals is key to having quality standards,” Bigglestone said. “And it can make captives appealing to insureds who are tired of commercial carriers not meeting the needs of the business, and who desire more control over their insurance programs.”

“When you think about the commercial marketplace, commercial insurers are supposed to operate in each jurisdiction in a competitive manner. Commercial carriers often look the same. They sell auto coverage to anyone with a driver’s license. The rules and regulations imposed upon commercial insurance companies are designed to be more formulaic for that reason,” Bigglestone said.

“Uniform regulatory standards apply to commercial carriers for the protection of the policyholders. These are standards all insurance regulators focus on, and standards captive insurance regulators need to understand, but with a specialized focus.”

A Quality Domicile Built for the Future

A combination of experience, regulatory standards and talent make Vermont a top domicile for companies looking to form a captive. The longevity of licensing captive insurance companies for over forty years is a testament to the quality work they’ve provided in the past and will continue to provide for many years to come.

Vermont’s reputation has helped the state attract and retain top captive talent, ensuring the businesses it serves are in good hands. The state has 32 employees dedicated to captives, and their average employee retention is 15 years. The Vermont Captive Insurance Association, the largest captive insurance trade organization, also helps companies connect with professional services needed to make their captive successful.

“There’s a whole host of service providers with proven expertise right here in Vermont,” Bigglestone said.

Taken together, Vermont’s resources, expertise and talent make it a prime domicile. They’ve been on a growth trajectory over the last few years and that’s unlikely to change anytime soon. Companies can trust their captive will be in good hands when they choose Vermont.

“Vermont has always competed on quality,” Bigglestone said. “We do have a mission and that hasn’t changed in over 40 years. It’s to maintain a system, or domicile that attracts quality business to Vermont, to promote our reputation in the industry, and to uphold a regulatory framework to protect the solvency of the companies that choose to place their business here.”

To learn more, visit: www.vermontcaptive.com

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with State of Vermont. The editorial staff of Risk & Insurance had no role in its preparation.

The State of Vermont, known as the “Gold Standard” of captive domiciles, is the leading onshore captive insurance domicile, with over 1,200 licensed captive insurance companies, including 48 of the Fortune 100 and 18 of the companies that make up the Dow 30.