By Ryan Windt | Head of Growth Marketing | Updated July 2026
For years the security story businesses were told was simple. Train your people, filter your email, and you close off most ransomware. That story is now out of date. The way attackers get in has moved, and the claims data makes the shift hard to argue with. Ransomware today starts far more often at an internet-facing VPN or remote access appliance than in anyone’s inbox. If your renewal conversation still centers on phishing training, you are preparing for the last attack rather than the current one.
What the 2026 claims data actually shows
At-Bay’s 2026 InsurSec Report, built on more than 100,000 policy years of claims, found that remote access services were the entry point for roughly 87 percent of ransomware claims in 2025. VPN compromise on its own accounted for about 73 percent of the intrusions where the entry vector could be identified, and that share has climbed steeply over three years. One vendor’s devices, SonicWall, appeared in about one in three ransomware claims. The most telling figure for anyone who still treats email as the main threat: in that same year, email did not produce a single ransomware claim in At-Bay’s book.
| Year | Share of ransomware intrusions starting with VPN compromise |
|---|---|
| 2023 | About 38 percent |
| 2024 | About 66 percent |
| 2025 | About 73 percent |
The attack surface that matters most is no longer the one your employees click. It is the one sitting on the public internet waiting to be scanned.
Why an exposed appliance is such a clean way in
An internet-facing VPN or firewall appliance is attractive to attackers for three reasons that stack on top of each other.
- It is discoverable. Attackers scan the entire public internet continuously and know within hours which appliances are exposed and what firmware they run.
- It is often unpatched. Appliance firmware updates lag behind other systems, and several of the most exploited devices had public vulnerabilities with available fixes that were simply never applied.
- It frequently lacks strong authentication. Many remote access setups still rely on a password alone, or on basic multi-factor prompts that adversary-in-the-middle kits can now defeat.
Put those together and you have a path into the network that skips the user entirely. No one has to click anything.
What underwriters are now asking
Underwriters have followed the same data. Applications increasingly probe your external attack surface directly instead of relying only on self-reported controls. Expect questions about the make, model, and firmware version of your internet-facing appliances, whether any of them are end of life or no longer supported, whether multi-factor authentication is enforced on every remote access path rather than just email, and how quickly you apply appliance patches once a fix ships. A growing number of carriers now scan your perimeter before they quote and price whatever they find. If you want to see how this fits the wider evaluation, our guide on what underwriters look for on a cyber application and the controls they check before they quote both go deeper.
Where coverage responds, and where it can stop responding
This is where the underwriting shift turns into a claims problem. Two exposures matter most.
The first is your attestations. If your application states that multi-factor authentication is enforced on all remote access, and a claim later shows the entry point was a VPN with password-only access, you have a misrepresentation problem that can reduce or void the payout. We cover this failure mode in detail in how application errors cost you at claim time.
The second is known-vulnerability and failure-to-maintain language. Many policies limit or exclude losses that trace back to a vulnerability that had a fix available and was left unpatched for an extended period. An exposed, out-of-date appliance is exactly the fact pattern that language was written to catch. Coverage still responds in the ordinary case, but the appliance you forgot about is the one most likely to create a coverage fight after the fact. Keeping a documented vulnerability management program is the difference between a clean claim and a disputed one.
A control you claimed but did not actually enforce is worse than a control you never claimed. The first can undo your coverage. The second only affects your price.
What to do before your next renewal
- Inventory every internet-facing appliance and record its firmware version. You cannot document what you have not found.
- Retire end-of-life VPN and firewall appliances. If the vendor no longer ships fixes, the device is a liability on both the security side and the coverage side.
- Enforce phishing-resistant multi-factor authentication on every remote access path. Number-matching apps or FIDO2 keys resist the attacks that defeat basic prompts. Our MFA implementation guide covers what underwriters expect to see.
- Tighten your patch cadence for appliances specifically, and keep dated evidence of it. Underwriters and claims adjusters both want to see the timeline.
- Move remote access toward a zero trust model rather than a flat VPN tunnel that grants broad network access once through.
- Add around-the-clock detection. Many appliance intrusions happen at night and on weekends, and endpoint or managed detection is often what stops encryption after the initial entry.
Frequently asked questions
Does cyber insurance cover a ransomware attack that started through our VPN?
Generally yes, as long as your application was accurate and the appliance was reasonably maintained. The risk is not the vector itself but an inaccurate attestation or a long-known flaw that was left unpatched.
Do underwriters really scan our network before quoting?
Many now do. External scanning of your perimeter is increasingly common, and findings such as an exposed or outdated appliance can affect both your price and your terms.
We have multi-factor authentication on email. Is that enough?
No. The current claims pattern runs through remote access, not email. Multi-factor needs to cover every VPN and remote access path, not just the inbox.
Our VPN appliance is a few years old but still supported. Is that a problem?
Supported is fine if you patch it promptly. The danger is end-of-life hardware and delayed firmware updates, which is what most exploited-appliance claims have in common.
Related resources
- What Underwriters Actually Verify About Your Vulnerability Management Program
- The Security Controls Underwriters Check Before They Quote You
- MFA and Cyber Insurance: What to Deploy and How to Document It
- AiTM Phishing Is Breaking MFA: What Underwriters Now Want to Know
- Cyber Insurance Application Errors: What They Cost You at Claim Time
SeedPod Cyber is a specialized provider of cyber and Tech E&O coverage. If you are not sure whether your remote access setup would hold up to an underwriter’s scan or a claims review, we can help you find out before it matters. Talk to our team or see what our coverage includes.