Article | FINEX Observer

Cyber liability: 2023 in review and a look ahead to 2024

By Jason D. Krauss | January 10, 2024

A look back at the cyber liability market and our perspective on what to expect in 2024.

As we discussed in last year's year in review article, we are pleased to report that the cyber insurance market continued to stabilize during 2023, despite the fact that ransomware was once again on the rise. While 2022 started out with 50% to 150% increases, we regularly saw flat increases or even decreases at renewal in 2023.

Continued intense competition between markets certainly played a role in this stabilization, as incumbent markets were eager to retain business. This stabilization was in stark contrast to the threat landscape, which only expanded as the year progressed. Let us dive into a recap of the year in cyber and what clients can expect in 2024.

Cyber incidents and threats that shaped 2023

Not even two weeks into the year, approximately 11,000 flights were delayed and more than 1,300 flights were cancelled when the pilot alert system of the Federal Aviation Administration (FAA) failed. Even though there was no evidence to suggest this outage was due to a cyber-attack, this incident illustrated the fragility of our aviation system and the potential for a future malicious attack on our aviation network.

We saw the exploitation of the software of two popular file transfer services, Fortra’s GoAnywhere and Progress’s MOVEit. File transfer solutions have quickly become a valuable target for cybercriminals, given the wide range of organizations that use the software and the sensitive data being exchanged between these organizations and their partners. The Russia-linked Clop ransomware group claimed responsibility for the MOVEit hacks against banks, hospitals, hotels and energy companies and was expected to earn between $75 million and $100 million from extorting victims to stop their data from being released online.

The Health Sector Cybersecurity Coordination Center of the Department of Health and Human Services issued an alert in January that the hacktivist group ‘KillNet’ was actively targeting the health and public health sector by launching DDoS attacks. This highlighted the fact that threat actors continue to focus on the healthcare industry given the large volume of sensitive and confidential information these organizations store and the necessity of networks to be accessible to ensure patient care and safety. According to WTW’s proprietary cyber claims data for the first half of 2023, 17% of all claims and loss notifications were tendered by healthcare clients, which was third, only behind manufacturing and financial services clients.

Finally, chatbot and metapixel class action lawsuits continued to make their way through the courts. Many of these lawsuits are based on violations of decades-old laws, such as the Video Privacy Protection Act (VPPA) of 1988 and federal and state wiretapping laws. While such laws were originally designed for different technologies, they are now being applied to modern data collection methods.

Currently, more than 18 hospitals and health systems are facing lawsuits for allegedly installing the pixel technology on their websites and patient portals. In August, Advocate Health reached a $12.2 million settlement involving millions of patients whose health information was shared with Facebook and other outside companies without their permission. There is still a wide range of approaches carriers are taking with respect to wrongful collection coverage, but many are broadly excluding coverage for the exposure and any claims or losses stemming from the use of metapixel technology.

Regulatory attention

These new and continued threats have of course caught the attention of regulatory authorities. The year began with federal agencies flexing their cybersecurity enforcement muscles. The FCC submitted proposed cybersecurity regulations in an effort to modernize its ability to regulate the telecommunications industry in this area.

Not to be outdone, the TSA anticipates issuing specific regulations intended to secure railroads and pipelines, largely in response to the 2021 Colonial Pipeline attack. In March, the SEC announced a package of proposed policies designed to help harden the financial system against cyber incidents and soon after, in July, adopted rules, which included a requirement that all public companies disclose all cyber security breaches within four days after a registrant determines that the incident is material.

And then, in October, just to make sure organizations understood that their new cybersecurity edict was genuine, the SEC sued SolarWinds Corp., along with its CISO Tim Brown, in connection with alleged “misstatements, omissions and schemes that concealed both the company’s poor cybersecurity practices and its heightened -and increasing- cybersecurity risks” related to the 2020 supply chain cyber-attack on the company’s Orion Platform.

Finally, not a year goes by without new states following in California's footsteps in enacting privacy legislation that requires companies to give consumers more access to and control over their personal information. Iowa’s new consumer data privacy legislation was signed into law in March and in April, Indiana passed its own consumer data protection bill into law.

What to expect in 2024

The cyber insurance market

  • Given the ever-expanding threat landscape, as elaborated on above, and the reduced premiums for cyber insurance coverage, it seems logical that the cyber insurance market will continue to grow.
  • According to a report by Expert Market Research, the global cyber insurance market is expected to grow at a compound annual growth rate of 23.8% from 2024 to 2032, reaching a value of around $87.8 billion by 2032.
  • We will likely see more and more clients electing to purchase additional limits with their premium savings. After years of rising rates, we anticipate cyber insurance premiums to hold steady even in the face of an ever-expanding threat environment. This is largely due to the eagerness of cyber insurance carriers to be competitive and meet aggressive growth goals.

Expansion of the regulatory landscape

  • The expansion of the regulatory landscape has certainly been a factor in the growth of the cyber insurance market over the last several years and it is safe to say that this expansion will continue.
  • Oregon, Montana and Texas will have their comprehensive privacy laws take effect in 2024, while Delaware, Iowa and Tennessee’s laws will become effective in 2025. Numerous other states, including New Jersey, Michigan and Pennsylvania have active privacy bills in place.
  • Further, the New York Department of Financial Services in November adopted amendments to its cybersecurity regulation, which incorporates current best practices to better protect businesses and consumers from emerging cyber threats. Initial updates to existing reporting requirements went into effect on December 1, 2023, but changes to required policies and procedures will not begin to take effect until April 2024.
  • Organizations across all industries must remain vigilant when it comes to complying with the patchwork of privacy and cybersecurity laws and ensuring necessary regulatory coverage.

AI-related breaches

  • As we recently touched on, while artificial intelligence has the potential for a level of productivity we have never seen before, there are numerous new exposures associated with the technology that must be addressed.
  • As AI systems collect and process large amounts of data, there is a risk that this information could be mishandled, either through intentional breaches or accidental leaks. This could result in sensitive information falling into the wrong hands, leading to cyber-crime.
  • There is also the possibility that AI systems could be hacked or manipulated, allowing bad actors to take control and cause harm. The good news is that organizations are also using AI to defend themselves from these attacks in the form of enhanced cyber security, which often includes ransomware protection to detect and eliminate ransomware attacks.
  • When it comes to data privacy, a traditional cyber policy would provide third-party data privacy coverage in the form of a defense and indemnity in the event someone (likely a customer) sues the company for the unauthorized disclosure of personally identifiable information (PII).
  • However, a cyber policy does not typically provide for any first-party coverage for the unauthorized disclosure of an insured’s own proprietary data, trade secrets or other confidential corporate information. A recognition of how organizations are using AI, the extent of the new risks associated with the technology and an examination of where coverage for these exposures lies will likely be a theme in 2024.

Continued debate on war exclusions

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

FINEX NA Cyber Thought & Product Coverage Leader
WTW
