
Chubb: Non-US cyber frequency and severity declining in contrast to US claims trends

Reuters, Mar 12, 2025 9:38 PM

By Michael Loney

- (The Insurer) - The frequency and severity of cyber claims in the U.S. continue to grow but are declining outside the U.S., a Chubb report has shown.

The Chubb cyber claims report analyses the insurer’s historical claims data through December 2024.

The insurer’s findings show that over the past 24 months, both the frequency and severity of cyber claims have increased overall, “even as the businesses we insure have become more secure”.

However, there is variance by region.

“The frequency and severity of cyber claims in the U.S. continue to grow – most dramatically for larger clients with over $1 billion in revenues. Outside the U.S., however, frequency and severity are declining,” the report said.

Cyber claim frequency for Chubb customers in the U.S. has increased over the past three years, but the insurer said it remains lower than the peak of 2020 to 2021.

Severity in the U.S. has increased from 2020 to 2024 with significant volatility in the past three years.

“Middle and large revenue accounts experienced a sharp increase in severity in 2022-2024, with several major companies incurring sizable claims that have been publicized widely in the media,” the report said.

“While ransomware was ultimately a significant driver of this severity, it is notable that malicious actors have begun to employ new tactics. Some of the largest attacks were not caused by sophisticated malware that managed to evade the cybersecurity defenses of these highly controlled businesses, but were rather social engineering attacks involving the manipulation of insured IT help desks and SIM swaps,” it continued.

In contrast, frequency outside the U.S. has declined across all sizes of insured.

“Chubb’s clients outside of the U.S. have invested in cybersecurity by increasing their awareness of cyber risk at the C-suite and board levels, building resilience in the form of improved business continuity planning and the use of incident response plans, and focusing on compliance with new regulatory structures (such as the EU’s Digital Operational Resilience Act),” the report said.

“In addition, we have seen an increase in clients who are unwilling to pay ransoms. This combination of factors – alongside the fact that many of these countries are marked by less litigious business cultures – has driven these favorable trends for clients outside of the U.S.,” it continued.

Severity outside the U.S. has declined over the past three years for medium and large revenue accounts, while small revenue accounts have experienced a modest increase in severity over the past few years.

IMPACT OF WIDESPREAD EVENTS GROWING

The report said that ransomware incidents have driven the severity of cyberattacks.

But it highlighted that several widespread events have contributed to the increase in frequency in 2024.

“Our claims data tell the story: Despite falling from 2021 to 2023, the percentage of total reported claims from widespread events — which are single events that affect many companies at the same time — rose again in 2024 and continues to have an impact on overall frequency,” the report said.

Widespread events account for 5.3% of Chubb’s reported cyber claims in the 2024 calendar year, up from 4.0% in 2023 and 4.8% in 2022. This was below the 6.1% in 2021, however.

In addition, Chubb said that privacy liability has become a more prominent driver of claims activity.

The report said that this is “due in part to recent court decisions and novel legal theories of liability that are being advanced”.

It added: “These trends have impacted clients of different sizes, industries and geographies in varying measures.”

Chubb said that privacy-related liability is becoming more complex as lawmakers globally pass or amend laws regulating the collection, sharing and use of biometric data and other personal information.

It advised companies and organizations to stay up to date on how these regulations will affect them and ensure adherence to regulations based on their operations.

RANSOMWARE SHARE OF U.S. CLAIMS COSTS UP IN 2023-2024

In the U.S., ransomware-related losses in 2023 and 2024 accounted for nearly 72% of cyber claim dollars, with figures of 77% in 2023 and 68% in 2024.

This compared to an average of 63% between 2020 and 2022.

“Ransomware-related incidents should not be thought of as merely a disruption event for clients,” the report said. “Compromised data, whether stolen or inappropriately disseminated, can often lead to a lawsuit or class action, even when a client has conscientiously deployed security controls.”

Chubb also said that the frequency of subsequent third-party litigation from ransomware incidents in 2024 is up around 75% over the 2020-2021 average.

In 2024, 36% of U.S. third-party cyber claims were triggered by a ransomware encounter, up from 26% in 2023, 32% in 2022, 22% in 2021 and 19% in 2020.

These trends are different outside of the U.S., however.

“Both the proportion of ransomware-related losses and the proportion of third-party claims related to ransomware incidents have declined over the past few years,” the report said.

Outside the U.S., 40% of total reported cyber losses were due to ransomware incidents in 2024, down from 50% in 2023 and 81% in 2022.

No third-party claims were triggered by a ransomware encounter outside the U.S. in 2024, compared with 8% in 2023 and 24% in 2022.

PRIVACY LIABILITY CLAIMS RISING IN U.S.

Chubb said that a larger share of subsequent third-party liability cyber claims in the U.S., across all size risks, is related to ransomware incidents and privacy-related litigation than was the case in prior years.

In the U.S., the proportion of third-party claims related to privacy liability has doubled in 2023-24 vs 2020-22.

The insurer highlighted that U.S. laws having a “considerable impact” on privacy claims include the Illinois Biometric Information Privacy Act, the Video Privacy Protection Act and wiretapping laws.

“Privacy laws and regulations are being implemented with increased frequency and are having a measurable impact on claims, including cases involving mass arbitration of alleged violations of VPPA and wiretapping statutes, with arbitration fees becoming payable before the merits of the claim are even considered,” the report said.

It added: “Other state laws, such as Illinois’s Genetic Information Protection Act (GIPA) and Washington’s My Health My Data Act, should also be on the radar of any companies that are concerned about privacy liability.”
