A new report shows that ransomware has remained a top threat since January 2023, with 64% of related claims in its portfolio resulting in a loss during that period.
Increased merger-and-acquisition activity and reliance on ubiquitous software vendors created new opportunities for threat actors to unleash widespread ransomware campaigns by exploiting a single point of failure, the report by Reliance said.
“Now more than ever, we need to rethink how the C-suite approaches cyber risk,” Resilience CEO Vishaal Hariprasad said in a press release. “Businesses are interconnected like never before, and their resilience now depends on that of their partners and others in the industry.”
Global M&A deal volume increased 36% in the first quarter of the year, according to an Ernst & Young analysis. While such growth can be seen as a sign of positive economic development, it can also create new entry points for cyber threat actors, Resilience said in its report.
“Some of the past year’s most devastating cyber incidents involved heavily interconnected systems or recently acquired companies,” the report said. “Vendor-driven claims are the fastest-growing area of claims in our portfolio and are now the fastest growing cause of loss for claims overall.”
So far this year, 40% of claims originated from a vendor failure, with that number expected to grow, Resilience said. Meanwhile, the financial severity of claims related to ransomware attacks increased 411% from 2022 to 2023, according to the study.
In a high-profile example, UnitedHealth Group’s Change Healthcare subsidiary, which handles a significant portion of the healthcare industry’s billing operations, was hit with a ransomware attack in February.
UnitedHealth raised its full-year outlook for the total financial impact of the massive cyberattack to between $2.3 billion and $2.45 billion, up roughly $1 billion from its previous expectations.
UnitedHealth acquired Change for $13 billion in 2022 after overcoming a Department of Justice move to block the deal in an antitrust lawsuit.
“M&A activity can amplify cyber risks for an enterprise not only from its own existing vulnerabilities, but also the new risks associated with the acquisition target and the challenges of integrating different IT systems post-acquisition,” Resilience said.
While many potential buyers in M&A deals conduct some sort of cybersecurity due diligence on the intended acquisition target, “the process is not guaranteed to protect the company from risk, just to help highlight where it exists,” according to the report.