The headline numbers (and why they matter)
- $16.6B in reported losses (+33% YoY) and 859,532 complaints in 2024—both near records, signaling continued pressure on premiums and control verification.
- Ransomware complaints up 9% vs. 2023, with critical sectors hit hard—one reason carriers keep insisting on strong backup and endpoint controls.
- Older adults (60+) reported ~$4.8B in losses—useful when prioritizing fraud training for customer-facing roles.
- The FBI’s press coverage reinforces the scale and trajectory of losses; the full report PDF is linked below.
What this means for premiums & underwriting in 2025
- Evidence beats adjectives. Underwriters are moving from “tell me your controls” to “show me your controls.”Expect requests for screenshots/exports proving MFA, EDR/XDR coverage, immutable backups, and email security. The loss trend gives carriers the leverage to ask.
- Ransomware rigor stays high. With complaints up, carriers will scrutinize backup immutability/object lock, privileged access, and patch SLAs—especially for internet-facing systems.
- Regulated orgs: deadlines bite. If you’re under NYDFS Part 500, note the amendments with requirements effective May 1, 2025 (access controls, vulnerability scanning, anti-malware). Falling behind can affect eligibility and price.
7 actions every business can take this quarter
- MFA everywhere that matters. Enforce MFA for employees, admins, and vendors; document coverage and exceptions.
- EDR/XDR on all endpoints and servers. Keep policy screenshots and deployment reports handy.
- Backups with immutability + restore drills. Run and log restore tests quarterly; keep object-lock evidence.
- BEC defenses. Enforce DMARC (quarantine/reject), require out-of-band verification for payments, and train finance/AP teams. BEC remains a major loss driver.
- Patch the edges first. Prioritize internet-facing apps, VPNs, SSO, RMM/remote tools.
- Document your incident plan. Keep IR runbooks, a vendor call tree, and a forensics retainer ready.
- Assemble a “controls evidence pack.” 5–8 pages of MFA/EDR/backup/email-security proof smooths submissions and speeds quoting.
What we’re watching next
- IC3 trendlines: whether BEC and investment scams keep outpacing other fraud types despite awareness efforts.
- Sector guidance & rules: more states/regulators are aligning with NYDFS-style expectations on identity, backups, and detection.
How SeedPod Cyber helps
We translate your security posture into carrier-friendly evidence and shop it to markets that fit your risk profile. Our process emphasizes fast yes/no, competitive options, and coverage aligned to how your business actually runs.
Contact us: https://seedpodcyber.com/contact-us/
Sources and further reading
FBI IC3 — 2024 Internet Crime Report (PDF): https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
FBI press release — “FBI Releases Annual Internet Crime Report”: https://www.fbi.gov/news/press-releases/fbi-releases-annual-internet-crime-report
Reuters — Ransomware complaints up 9% in 2024, losses $16.6B: https://www.reuters.com/world/us/complaints-about-ransomware-attacks-us-infrastructure-rise-9-fbi-says-2025-04-23/
IC3 resource hub — Business Email Compromise (BEC): https://www.ic3.gov/CrimeInfo/BEC
IC3 PSA — “Business Email Compromise: The $55 Billion Scam”: https://www.ic3.gov/PSA/2024/PSA240911
NYDFS — Cybersecurity Implementation Timeline for Covered Entities (PDF): https://www.dfs.ny.gov/system/files/documents/2023/11/cybersecurity_implementation_timeline_covered_entities.pdf
Hogan Lovells — NYDFS Part 500 requirements effective May 1, 2025 (summary): https://www.hoganlovells.com/en/publications/nydfs-penultimate-set-of-cybersecurity-requirements-under-amended-part-500-take-effect-may-1-2025