By Ryan Windt | Head of Growth Marketing | Updated June 2026
Every year, three reports do more to shape how cyber insurance is priced and underwritten than almost anything else: the Verizon Data Breach Investigations Report, the NetDiligence Cyber Claims Study, and the Cyentia IRIS study. Together they give you a view of the threat landscape from three distinct angles: what attacks look like in the wild, what they actually cost when they reach an insurer, and how losses have trended over the long arc. Here is what the most recent editions say, and what it means if you are buying or renewing a cyber policy.
What the Three Reports Are Actually Measuring
The Verizon DBIR draws on tens of thousands of incidents and confirmed breaches to show how attacks happen: the initial access methods, the actors, the industries targeted, and how long compromise goes undetected. It is the closest thing the industry has to a real-time picture of attacker behavior.
The NetDiligence Cyber Claims Study works from actual insurance claims, not just breach reports. It shows what losses look like after they hit a policy: how much ransomware costs versus BEC, which industries file the most claims, and where coverage gaps tend to surface. The 2024 edition drew on over 10,000 claims filed between 2019 and 2023.
Cyentia IRIS takes the longest view. It tracks incident frequency and loss severity over more than 15 years, giving a picture of how the risk has compounded over time that neither of the other reports can provide.
What Changed in the Most Recent Editions
Ransomware is still everywhere, but payouts are falling. Ransomware appeared in 44% of breaches in the 2025 DBIR dataset. The median ransom payment dropped to $115,000, and 64% of victims declined to pay entirely, a meaningful shift from prior years. The decline in payments reflects better backup practices and incident response capability among larger organizations. Underwriters still scrutinize backup immutability and tested recovery procedures closely because the operational disruption cost, separate from the ransom itself, remains the primary driver of loss.
Vulnerability exploitation surged. Exploited vulnerabilities now appear in roughly one in five breaches, up 34% from the prior DBIR, driven by zero-day activity and targeting of edge devices and VPN appliances. Organizations only fully remediated vulnerable systems about 54% of the time, with a median of 32 days to reach full remediation. Internet-facing perimeter devices have become one of the highest-priority underwriting concerns as a result.
Third-party involvement doubled. Breaches involving a partner, vendor, or third party grew from 15% to 30% of all breaches in the 2025 DBIR. This includes compromised MSP tools, hosted development environments, and shared SaaS platforms. The MOVEit wave in 2023 was the clearest illustration of what systemic third-party risk looks like in practice, and underwriters have adjusted their applications accordingly.
BEC claim costs are rising sharply. NetDiligence found that the average BEC claim reached approximately $183,000 in 2023, up significantly from prior years. Ransomware and BEC remain the top two loss drivers across the claims database, and both are heavily concentrated in small and mid-sized businesses. Ninety-eight percent of claims in the NetDiligence study came from companies with under $2 billion in revenue, with the majority from businesses far smaller than that.
The long-term trajectory is steep. Cyentia IRIS documents a roughly 650% increase in reported incidents since 2008, with median losses rising from approximately $190,000 to nearly $3 million over that period. More concerning for buyers, the “tail” losses, the severe outlier events that drive policy limits decisions, have grown by roughly five times. The implication is that limits set based on historical averages may be significantly underweight for today’s risk environment.
FBI IC3 reported record losses. The FBI’s 2024 Internet Crime Report recorded $16.6 billion in reported cyber and fraud losses, up 33% year over year, with ransomware complaints against U.S. critical infrastructure rising 9%. For a breakdown of what those numbers mean by loss category and business type, see FBI Internet Crime Report: What Rising Cybercrime Losses Mean for Every Business.
Where Claims Concentrate by Industry
The NetDiligence data is particularly useful here because it works from actual paid claims rather than reported incidents. The industry distribution of claims tells a different story than breach counts alone.
Professional services (legal, accounting, consulting, and technology services) consistently represent the largest share of claims by count in the NetDiligence study, accounting for roughly 20 to 25 percent of all claims in recent editions. The combination of sensitive client data, direct access to financial accounts, and wire transfer activity makes this sector a persistent target for both BEC and data theft.
Healthcare generates a disproportionate share of high-severity claims. While not always the top category by claim count, healthcare claims tend to run significantly higher in average cost due to HIPAA notification requirements, breach response obligations for each affected individual, and the operational criticality of systems under attack. Ransomware operators have specifically targeted hospitals and health systems because downtime creates immediate life-safety pressure to pay.
Financial services (including banks, credit unions, mortgage brokers, and RIAs) see a heavy concentration of BEC and funds transfer fraud claims. The average financial services BEC loss in the NetDiligence data exceeds the cross-industry average substantially, reflecting the direct access to wire transfer systems that attackers are targeting.
Manufacturing and retail have moved up in claim frequency in recent years, driven by ransomware operators specifically targeting operational downtime as a payment lever. A manufacturer that cannot run its production line faces immediate revenue loss that creates pressure independent of any data theft concern.
Education (K-12 and higher education) generates a high volume of lower-severity claims, largely from ransomware and phishing incidents. The sector is historically under-resourced on security tooling relative to its data exposure, which makes it an efficient target for volume-oriented threat actors.
The through-line across all industries: no sector is consistently low-risk in the claims data. Industry matters for pricing and underwriting scrutiny, but the notion that certain business types are “too small” or “not a target” is not supported by what insurers are actually paying out.
Loss Severity by Business Size: What Small Businesses Actually Face
The NetDiligence data consistently shows that the majority of cyber insurance claims come from small and mid-sized businesses, and this concentration has grown over time. Here is what the numbers look like when you break them down by revenue band.
Micro and small businesses (under $25 million in revenue) account for roughly 60 percent of claim counts in recent NetDiligence editions. Average total losses for this group run between $125,000 and $200,000 per incident when you include all cost categories: forensic investigation, legal, notification, business interruption, and any ransom payment. For a business with $5 million in annual revenue, a $150,000 cyber loss is not a rounding error. It is an existential event.
Mid-market businesses ($25 million to $500 million in revenue) see higher average claim costs, driven by larger business interruption losses and more complex breach response obligations. Average total losses in this band run from roughly $300,000 to over $1 million depending on incident type. Ransomware incidents for mid-market manufacturers and healthcare organizations frequently exceed $1 million in total loss when business interruption is included.
The coverage gap problem. The mismatch between what businesses buy and what incidents cost has become one of the most consistent findings in the claims data. A small professional services firm that purchased a $250,000 cyber policy two or three years ago based on then-current pricing guidance may now face a ransomware or BEC loss that exhausts that limit entirely, leaving the business responsible for the remainder. Cyentia’s documentation of five-fold growth in tail losses is the quantitative case for revisiting limits at every renewal, not just accepting the prior year’s number. For a framework on how to size limits correctly, see Choosing the Right Cyber Insurance Limit.
What This Means for Cyber Insurance Buyers
The three reports converge on the same set of failure points, and underwriters are building their applications around exactly those patterns. Here is what gets scrutinized and why.
Identity. The human element was present in approximately 60% of breaches in the 2025 DBIR. Phishing, credential reuse, MFA fatigue, and help-desk social engineering are the dominant initial access methods. Underwriters expect phishing-resistant MFA (security keys or passkeys) on administrator and remote access accounts, just-in-time privilege elevation in place of standing global admin roles, and conditional access policies that enforce device posture and risk signals.
Email and SaaS governance. BEC losses continue to climb because mailbox forwarding rules, OAuth consent grants, and over-scoped application permissions create persistent access that attackers can abuse long after initial compromise. Underwriters increasingly ask whether end-user app consent has been disabled, whether OAuth grants are reviewed quarterly, and whether forwarding rules are monitored and alerted on.
Backup integrity. The 64% of ransomware victims who declined to pay did so because they had working recovery options. Underwriters want to see 3-2-1-1-0 backup architectures with at least one immutable or air-gapped copy, and documented restore test results from the last 90 days. A backup configuration that has never been tested is treated as a gap.
Patch velocity. With exploited vulnerabilities appearing in one in five breaches and a median 32-day remediation window across the industry, carriers are asking for evidence that you patch faster than average on internet-facing systems and known-exploited CVEs. The question is not just whether you patch, but how quickly and whether you can prove it.
Third-party risk management. The doubling of third-party breach involvement has pushed vendor oversight from a soft question to a hard underwriting requirement. Expect questions about whether vendors use SSO and MFA, whether you have access to their logs, whether service accounts are scoped to least privilege, and whether you have offboarding automation in place.
Logging and detection. Underwriters want centralized, searchable logs covering identity, email admin, SaaS audit trails, endpoints, and RMM tools. Retention of roughly 12 months is the emerging baseline. Alerting on consent grants, privilege changes, mailbox rule modifications, and anomalous sign-ins is increasingly expected rather than aspirational.
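As an added illustration (not code from the original article or from SeedPod Cyber), here is a small Python detector that applies the alerting described above, on mailbox rule changes, OAuth consent grants and privilege changes, to a few constructed audit events. The event shape, the domain names and the role names are assumptions for the example rather than any vendor's real log schema; the scope names follow Microsoft Graph delegated-permission naming.

```python
import json
from typing import Iterator, Optional

# Constructed sample events (not real log data): one JSON object per line.
SAMPLE_LOG = """
{"time":"2026-03-01T08:02:11Z","actor":"alice@corp.example","op":"New-InboxRule","params":{"Name":"Archive","MoveToFolder":"Archive"}}
{"time":"2026-03-01T08:05:40Z","actor":"bob@corp.example","op":"New-InboxRule","params":{"Name":"Invoices","ForwardTo":"finance-ext@mail.example.net","DeleteMessage":true}}
{"time":"2026-03-01T09:11:03Z","actor":"carol@corp.example","op":"ConsentToApplication","params":{"App":"PDF Helper","Scopes":["User.Read"]}}
{"time":"2026-03-01T09:14:55Z","actor":"dave@corp.example","op":"ConsentToApplication","params":{"App":"MailSync Pro","Scopes":["Mail.ReadWrite","offline_access"]}}
{"time":"2026-03-01T10:20:00Z","actor":"admin@corp.example","op":"AddMemberToRole","params":{"Role":"Global Administrator","Member":"dave@corp.example"}}
{"time":"2026-03-01T10:25:00Z","actor":"admin@corp.example","op":"AddMemberToRole","params":{"Role":"Reports Reader","Member":"erin@corp.example"}}
"""

INTERNAL_DOMAIN = "corp.example"  # assumption: the tenant's own mail domain
# Delegated scopes that keep mailbox access alive after a password reset (Graph names).
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"}
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "Privileged Role Administrator"}

def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)

def check_event(ev: dict) -> Optional[str]:
    """Return an alert reason for one event, or None if it is benign."""
    op, p = ev["op"], ev.get("params", {})
    if op in ("New-InboxRule", "Set-InboxRule"):
        # External forwarding or silent deletion are the BEC persistence patterns to flag.
        targets = [p[k] for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo") if p.get(k)]
        if any(is_external(t) for t in targets):
            return f"inbox rule forwards mail to external address {targets}"
        if p.get("DeleteMessage"):
            return "inbox rule silently deletes messages"
    elif op == "ConsentToApplication":
        risky = RISKY_SCOPES & set(p.get("Scopes", []))
        if risky:
            return f"OAuth consent to {p.get('App')!r} with high-risk scopes {sorted(risky)}"
    elif op == "AddMemberToRole" and p.get("Role") in PRIVILEGED_ROLES:
        # Standing privileged membership; the text expects just-in-time elevation instead.
        return f"standing assignment of {p['Role']} to {p.get('Member')}"
    return None

def detect(log_text: str) -> list:
    """Run every event through check_event and collect the alerts raised."""
    return [{"time": ev["time"], "actor": ev["actor"], "op": ev["op"], "reason": r}
            for ev in parse_events(log_text) if (r := check_event(ev))]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["time"], a["op"], a["actor"], "->", a["reason"])
```

Three of the six constructed events raise an alert; the archive rule, the low-privilege consent and the read-only role assignment pass silently, which is the signal-to-noise split an underwriter's "alerting in place" question is really about.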
For the full list of controls underwriters evaluate, see Cyber Insurance Underwriting Criteria: What Carriers Evaluate Before They Quote.
The Metrics That Matter at Renewal
When brokers and underwriters ask for evidence of your security posture, these are the numbers they are looking for:
- MFA coverage as a percentage of the workforce, with 100% of administrators as the baseline
- Percentage of privileged roles using just-in-time access rather than standing privileges
- Patch SLA performance on known-exploited and edge device vulnerabilities (median and 95th percentile days to remediation)
- Backup immutability status and date of last documented restore test
- Percentage of users blocked from end-user OAuth consent and count of high-risk grants removed in the last quarter
- Log retention window and mean time to respond to identity and SaaS change events
Bringing this data to a renewal conversation shifts the dynamic. Carriers price for the risk they can see. When you can show strong performance against the metrics that correspond to the most common loss drivers, you are negotiating from a position of documented strength rather than general assurances. See Cyber Insurance Renewal Checklist: How to Prepare, What Underwriters Want, and How to Get Better Terms for a full walkthrough.
Are Your Coverage Limits Keeping Up?
The Cyentia IRIS finding on tail loss growth is the most underappreciated data point in the claims literature for buyers. Average losses are useful for benchmarking. Tail losses are what drive coverage gaps at the worst possible moment.
A business that set its cyber limit at $500,000 based on 2020 or 2021 pricing benchmarks made a reasonable decision at the time. But if tail losses have grown five-fold over the period covered by the Cyentia study, and if ransomware business interruption costs have emerged as the dominant loss driver, that same $500,000 limit may now be inadequate for a single incident affecting a business of comparable size.
Three questions worth working through before your next renewal:
- What is your actual business interruption exposure? Calculate gross profit per day and multiply by a realistic outage duration for your industry and systems. For most businesses, even a five-day outage represents a meaningful fraction of an annual cyber limit.
- What are your notification and regulatory obligations? If you hold personal data for customers in multiple states, your breach notification costs scale with the number of affected individuals. A breach affecting 10,000 records in a state with a $500-per-record civil penalty creates $5 million in potential regulatory exposure before any legal fees.
- When did you last benchmark your limit against current loss data? If the answer is more than two policy years ago, the limit was set against a different risk environment. The claims data has moved significantly in that window.
SeedPod Cyber works with businesses across every industry to benchmark limits against current claims data and carrier appetite. If your limit has not been reviewed recently, a coverage consultation is a reasonable starting point before your next renewal.
Frequently Asked Questions
What percentage of businesses experience a cyberattack each year?
Precise figures vary by study methodology, but the Verizon DBIR consistently documents tens of thousands of confirmed incidents annually across its contributor network, with the majority affecting small and mid-sized organizations. The FBI IC3 received over 880,000 complaints in 2023 with $16.6 billion in reported losses. The more useful framing for insurance purposes is loss severity: the question is not whether an incident will occur, but whether your coverage can absorb the cost when it does.
What is the average cost of a data breach for a small business?
NetDiligence claims data shows average total losses for small businesses (under $25 million in revenue) running between $125,000 and $200,000 per incident across all loss categories. This includes forensic investigation, legal fees, breach notification, business interruption, and any ransom component. Individual incidents vary widely, and the growing tail of severe events means the average understates the risk for businesses with high data exposure or operational criticality.
What is the most common cause of cyber insurance claims?
Ransomware and business email compromise are consistently the top two loss drivers in the NetDiligence claims data. Ransomware leads in total dollar losses due to the combination of ransom demands, business interruption costs, and recovery expenses. BEC leads in claim frequency for professional services and financial sector businesses. Credential theft and phishing are the initial access methods behind the majority of both categories.
How do cyber insurance premiums relate to claims data?
Underwriters price cyber coverage based on the same loss data these reports document. When ransomware frequency rises or BEC costs climb, carriers adjust rates, tighten underwriting requirements, or add sublimits on the loss categories driving the trend. The controls that reduced ransomware payouts in recent years (better backups, faster incident response) have contributed to a more stable pricing environment. Businesses that demonstrate strong control posture in line with what the claims data identifies as failure points tend to receive more favorable pricing and broader coverage terms. For current pricing context, see How Much Does Cyber Insurance Cost?
Which industries have the highest cyber insurance claim rates?
Professional services, healthcare, and financial services consistently rank at the top of claim frequency in the NetDiligence data. Healthcare and financial services tend to generate the highest average claim costs. Manufacturing and retail have seen rising claim volumes in recent years driven by ransomware targeting operational disruption. Education (particularly K-12) generates high claim volume but typically lower average severity.
Related Resources
- Cyber Insurance Underwriting Criteria: What Carriers Evaluate Before They Quote
- FBI Internet Crime Report: What Rising Cybercrime Losses Mean for Every Business
- Business Interruption Is Now the Largest Driver of Cyber Losses
- Cyber Insurance Requirements: The Minimum Controls Checklist
- Cyber Insurance Renewal Checklist
- How Much Does Cyber Insurance Cost?
- Choosing the Right Cyber Insurance Limit
If you want to understand how your current coverage compares to what the claims data says businesses actually need, contact SeedPod Cyber for a coverage review or quote.