What the Data Actually Says About Cyber Risk and Cyber Insurance in 2026

By Ryan Windt | Head of Growth Marketing | Updated March 2026


Every year, three reports do more to shape how cyber insurance is priced and underwritten than almost anything else: the Verizon Data Breach Investigations Report, the NetDiligence Cyber Claims Study, and the Cyentia IRIS study. Together they give you a view of the threat landscape from three distinct angles: what attacks look like in the wild, what they actually cost when they reach an insurer, and how losses have trended over the long arc. Here is what the most recent editions say, and what it means if you are buying or renewing a cyber policy.


What the Three Reports Are Actually Measuring

The Verizon DBIR draws on tens of thousands of incidents and confirmed breaches to show how attacks happen: the initial access methods, the actors, the industries targeted, and how long compromise goes undetected. It is the closest thing the industry has to a real-time picture of attacker behavior.

The NetDiligence Cyber Claims Study works from actual insurance claims, not just breach reports. It shows what losses look like after they hit a policy: how much ransomware costs versus BEC, which industries file the most claims, and where coverage gaps tend to surface. The 2024 edition drew on over 10,000 claims filed between 2019 and 2023.

Cyentia IRIS takes the longest view. It tracks incident frequency and loss severity over more than 15 years, giving a picture of how the risk has compounded over time that neither of the other reports can provide.


What Changed in the Most Recent Editions

Ransomware is still everywhere but payouts are falling. Ransomware appeared in 44% of breaches in the 2025 DBIR dataset. The median ransom payment dropped to $115,000, and 64% of victims declined to pay entirely, a meaningful shift from prior years. The decline in payments reflects better backup practices and incident response capability among larger organizations. Underwriters still scrutinize backup immutability and tested recovery procedures closely because the operational disruption cost, separate from the ransom itself, remains the primary driver of loss.

Vulnerability exploitation surged. Exploited vulnerabilities now appear in roughly one in five breaches, up 34% from the prior DBIR, driven by zero-day activity and targeting of edge devices and VPN appliances. Organizations only fully remediated vulnerable systems about 54% of the time, with a median of 32 days to reach full remediation. Internet-facing perimeter devices have become one of the highest-priority underwriting concerns as a result.

Third-party involvement doubled. Breaches involving a partner, vendor, or third party grew from 15% to 30% of all breaches in the 2025 DBIR. This includes compromised MSP tools, hosted development environments, and shared SaaS platforms. The MOVEit wave in 2023 was the clearest illustration of what systemic third-party risk looks like in practice, and underwriters have adjusted their applications accordingly.

BEC claim costs are rising sharply. NetDiligence found that the average BEC claim reached approximately $183,000 in 2023, up significantly from prior years. Ransomware and BEC remain the top two loss drivers across the claims database, and both are heavily concentrated in small and mid-sized businesses. Ninety-eight percent of claims in the NetDiligence study came from companies with under $2 billion in revenue, with the majority from businesses far smaller than that.

The long-term trajectory is steep. Cyentia IRIS documents a roughly 650% increase in reported incidents since 2008, with median losses rising from approximately $190,000 to nearly $3 million over that period. More concerning for buyers, the “tail” losses, the severe outlier events that drive policy limits decisions, have grown by roughly five times. The implication is that limits set based on historical averages may be significantly underweight for today’s risk environment.

FBI IC3 reported record losses. The FBI’s 2024 Internet Crime Report recorded $16.6 billion in reported cyber and fraud losses, up 33% year over year, with ransomware complaints against U.S. critical infrastructure rising 9%.


What This Means for Cyber Insurance Buyers

The three reports converge on the same set of failure points, and underwriters are building their applications around exactly those patterns. Here is what gets scrutinized and why.

Identity. The human element was present in approximately 60% of breaches in the 2025 DBIR. Phishing, credential reuse, MFA fatigue, and help-desk social engineering are the dominant initial access methods. Underwriters expect phishing-resistant MFA (security keys or passkeys) on administrator and remote access accounts, just-in-time privilege elevation in place of standing global admin roles, and conditional access policies that enforce device posture and risk signals.

Email and SaaS governance. BEC losses continue to climb because mailbox forwarding rules, OAuth consent grants, and over-scoped application permissions create persistent access that attackers can abuse long after initial compromise. Underwriters increasingly ask whether end-user app consent has been disabled, whether OAuth grants are reviewed quarterly, and whether forwarding rules are monitored and alerted on.

Backup integrity. The 64% of ransomware victims who declined to pay did so because they had working recovery options. Underwriters want to see 3-2-1-1-0 backup architectures with at least one immutable or air-gapped copy, and documented restore test results from the last 90 days. A backup configuration that has never been tested is treated as a gap.

Patch velocity. With exploited vulnerabilities appearing in one in five breaches and a median 32-day remediation window across the industry, carriers are asking for evidence that you patch faster than average on internet-facing systems and known-exploited CVEs. The question is not just whether you patch, but how quickly and whether you can prove it.

Third-party risk management. The doubling of third-party breach involvement has pushed vendor oversight from a soft question to a hard underwriting requirement. Expect questions about whether vendors use SSO and MFA, whether you have access to their logs, whether service accounts are scoped to least privilege, and whether you have offboarding automation in place.

Logging and detection. Underwriters want centralized, searchable logs covering identity, email admin, SaaS audit trails, endpoints, and RMM tools. Retention of roughly 12 months is the emerging baseline. Alerting on consent grants, privilege changes, mailbox rule modifications, and anomalous sign-ins is increasingly expected rather than aspirational.
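The alert classes named in the two paragraphs above (mailbox forwarding rules, OAuth consent grants, privilege changes, anomalous sign-ins) are easy to state and easy to get wrong, so here is a small detection pass over a constructed audit-event feed. This is an added example, not code from the article or from SeedPod Cyber; the event schema, the "op" names and the list of high-risk scopes are assumptions chosen for the demo, and a real identity or SaaS audit log would need a short normalisation step in front of this logic.

```python
"""Detection pass over a constructed, simplified audit-event feed.

Added example, not code from the article or from SeedPod Cyber. The event
schema (the "op" names and field names) is an assumption chosen for the demo;
real identity, email and SaaS audit logs use their own names, so a small
normalisation step would sit in front of this logic in practice.
"""
from collections import defaultdict

# Tenant-specific assumptions, constructed for the example.
INTERNAL_DOMAINS = {"example.com"}
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All"}
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator"}

# Constructed sample events in chronological order (not real log data).
SAMPLE_EVENTS = [
    {"op": "InboxRuleCreated", "user": "cfo@example.com",
     "forward_to": "cfo@example.com", "src_country": "US"},
    {"op": "InboxRuleCreated", "user": "ap@example.com",
     "forward_to": "invoices@mail-drop.example.net", "src_country": "US"},
    {"op": "AppConsentGranted", "user": "dev@example.com", "app": "Calendar Helper",
     "scopes": ["Calendars.Read"], "src_country": "US"},
    {"op": "AppConsentGranted", "user": "ap@example.com", "app": "Mail Sync Pro",
     "scopes": ["Mail.ReadWrite", "offline_access"], "src_country": "US"},
    {"op": "RoleAssigned", "user": "helpdesk@example.com",
     "role": "Password Administrator", "src_country": "US"},
    {"op": "RoleAssigned", "user": "helpdesk@example.com",
     "role": "Global Administrator", "src_country": "US"},
    {"op": "SignIn", "user": "ap@example.com", "src_country": "US"},
    {"op": "SignIn", "user": "ap@example.com", "src_country": "US"},
    {"op": "SignIn", "user": "ap@example.com", "src_country": "NL"},
]


def is_external(address):
    """True when the mailbox domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect(events):
    """Return (severity, user, reason) findings for the four alert classes
    named in the article: external forwarding rules, high-risk consent grants,
    privileged role assignments and sign-ins from a not-yet-seen country."""
    findings = []
    seen_countries = defaultdict(set)   # user -> countries seen so far
    for event in events:
        op, user = event["op"], event["user"]
        if op == "InboxRuleCreated":
            target = event.get("forward_to", user)
            if is_external(target):
                findings.append(("high", user,
                                 f"inbox rule forwards mail externally to {target}"))
        elif op == "AppConsentGranted":
            risky = HIGH_RISK_SCOPES.intersection(event.get("scopes", []))
            if risky:
                findings.append(("high", user,
                                 f"consent to '{event['app']}' with scopes {sorted(risky)}"))
        elif op == "RoleAssigned" and event.get("role") in PRIVILEGED_ROLES:
            findings.append(("medium", user,
                             f"assigned privileged role {event['role']}"))
        elif op == "SignIn":
            country = event["src_country"]
            known = seen_countries[user]
            if known and country not in known:
                findings.append(("low", user,
                                 f"sign-in from new country {country}, previously {sorted(known)}"))
            known.add(country)
    return findings


def summarize(findings):
    """Count findings per severity, the shape a daily review queue would show."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for severity, user, reason in results:
        print(f"[{severity:6}] {user}: {reason}")
    print(summarize(results))
```

Run as-is it reports four findings from the nine constructed events: the external forwarding rule and the mail-scope consent for the same accounts-payable user, the Global Administrator assignment, and the first sign-in from a country that user had not used before. The internal forwarding rule, the calendar-only consent and the non-privileged role assignment are correctly ignored, which is the point: the value of these alerts comes from the allow-lists (internal domains, benign scopes, non-privileged roles) being maintained, not from the matching logic itself.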


The Metrics That Matter at Renewal

When brokers and underwriters ask for evidence of your security posture, these are the numbers they are looking for:

  • MFA coverage as a percentage of the workforce, with 100% of administrators as the baseline
  • Percentage of privileged roles using just-in-time access rather than standing privileges
  • Patch SLA performance on known-exploited and edge device vulnerabilities (median and 95th percentile days to remediation)
  • Backup immutability status and date of last documented restore test
  • Percentage of users blocked from end-user OAuth consent and count of high-risk grants removed in the last quarter
  • Log retention window and mean time to respond to identity and SaaS change events
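The metrics in this list, together with the patch-velocity and backup-integrity evidence discussed earlier, can be computed directly from the exports most organisations already have. The following is an added example, not code from the article or from SeedPod Cyber: it derives each figure from constructed user, vulnerability-finding and backup records. The record layouts are assumptions, as is the 14-day remediation target for known-exploited and edge-device findings; the 90-day restore-test window is the one the article cites.

```python
"""Computing the renewal metrics from constructed inventory data.

Added example, not code from the article or from SeedPod Cyber. The record
layouts for users, vulnerability findings and the backup system are
assumptions; in practice they come from identity-provider, scanner and
backup-platform exports. The 14-day SLA for known-exploited and edge-device
vulnerabilities is an assumed internal target, not a figure from the reports.
"""
from datetime import date
from math import ceil
from statistics import median

KEV_EDGE_SLA_DAYS = 14      # assumed internal remediation target
RESTORE_TEST_WINDOW = 90    # days; the window underwriters ask about

# Constructed sample data (not a real tenant).
AS_OF = date(2026, 3, 31)

USERS = [
    {"upn": "cfo@example.com", "mfa": True, "consent_blocked": True, "roles": []},
    {"upn": "ap@example.com", "mfa": True, "consent_blocked": True, "roles": []},
    {"upn": "dev@example.com", "mfa": False, "consent_blocked": False, "roles": []},
    {"upn": "itadmin@example.com", "mfa": True, "consent_blocked": True,
     "roles": [{"name": "Global Administrator", "jit": True}]},
    {"upn": "helpdesk@example.com", "mfa": True, "consent_blocked": True,
     "roles": [{"name": "Exchange Administrator", "jit": False},
               {"name": "Password Administrator", "jit": True}]},
]

# One row per finding; "closed" is None while the fix is still outstanding.
VULNS = [
    {"id": "F-1", "host": "vpn-edge-1", "kev": True, "edge": True,
     "opened": date(2026, 1, 5), "closed": date(2026, 1, 9)},
    {"id": "F-2", "host": "fw-edge-1", "kev": False, "edge": True,
     "opened": date(2026, 1, 10), "closed": date(2026, 1, 20)},
    {"id": "F-3", "host": "app-srv-3", "kev": True, "edge": False,
     "opened": date(2026, 2, 1), "closed": date(2026, 2, 8)},
    {"id": "F-4", "host": "app-srv-3", "kev": False, "edge": False,
     "opened": date(2026, 2, 1), "closed": date(2026, 3, 15)},
    {"id": "F-5", "host": "vpn-edge-2", "kev": True, "edge": True,
     "opened": date(2026, 2, 20), "closed": None},
    {"id": "F-6", "host": "db-srv-1", "kev": True, "edge": False,
     "opened": date(2026, 3, 1), "closed": date(2026, 3, 4)},
]

BACKUP = {"immutable_copy": True, "last_restore_test": date(2026, 2, 15)}


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def p95(values):
    """Nearest-rank 95th percentile of a non-empty list of day counts."""
    ordered = sorted(values)
    return ordered[ceil(0.95 * len(ordered)) - 1]


def renewal_metrics(users, vulns, backup, as_of):
    """Return the renewal metrics as a dict keyed by a short metric name."""
    admins = [u for u in users if u["roles"]]
    roles = [r for u in users for r in u["roles"]]

    # Patch velocity: only known-exploited or edge-device findings are in scope,
    # and a still-open finding is aged to the as-of date rather than ignored,
    # so an unpatched edge device cannot hide behind a good median.
    in_scope = [v for v in vulns if v["kev"] or v["edge"]]
    ages = [((v["closed"] or as_of) - v["opened"]).days for v in in_scope]

    since_test = (as_of - backup["last_restore_test"]).days
    return {
        "mfa_coverage_pct": pct(sum(u["mfa"] for u in users), len(users)),
        "admin_mfa_pct": pct(sum(u["mfa"] for u in admins), len(admins)),
        "jit_privileged_pct": pct(sum(r["jit"] for r in roles), len(roles)),
        "consent_blocked_pct": pct(sum(u["consent_blocked"] for u in users), len(users)),
        "patch_days_median": median(ages),
        "patch_days_p95": p95(ages),
        "patch_sla_met_pct": pct(sum(a <= KEV_EDGE_SLA_DAYS for a in ages), len(ages)),
        "open_in_scope_findings": sum(v["closed"] is None for v in in_scope),
        "backup_immutable": backup["immutable_copy"],
        "days_since_restore_test": since_test,
        "restore_test_current": since_test <= RESTORE_TEST_WINDOW,
    }


if __name__ == "__main__":
    for name, value in renewal_metrics(USERS, VULNS, BACKUP, AS_OF).items():
        print(f"{name:26} {value}")
```

Two design choices matter here. Privileged-role coverage is counted per role assignment rather than per person, because a user holding one JIT role and one standing role is still a standing-privilege exposure. And the patch metrics age open findings to the reporting date instead of dropping them, which is why the constructed data gives a comfortable 7-day median but a 39-day 95th percentile: that tail is exactly what an underwriter reading the "median and 95th percentile" line above is trying to surface.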

Bringing this data to a renewal conversation shifts the dynamic. Carriers price for the risk they can see. When you can show strong performance against the metrics that correspond to the most common loss drivers, you are negotiating from a position of documented strength rather than general assurances.


SeedPod Cyber specializes in cyber and Tech E&O coverage for businesses of all sizes. Contact us for a coverage review or quote.