
The short version
• The claims data (NetDiligence) says losses are concentrated in ransomware and business email compromise, with small and midsize firms filing the vast majority of claims.
• The breach data (Verizon DBIR) shows third-party involvement and vulnerability exploitation rising fast, with ransomware appearing in nearly half of breaches—but median ransoms trending down as more victims refuse to pay.
• The long-view actuarial data (Cyentia IRIS) confirms that incidents and losses keep climbing over time, and “tail” losses are getting heavier.
What changed since last year
• Exploited vulnerabilities are now involved in about one in five breaches—up 34% from the prior DBIR—driven by zero-days and edge device/VPN targeting. Patching kept pace only about 54% of the time, with a median of 32 days to full remediation. (Verizon)
• Ransomware showed up in 44% of breaches in the 2025 DBIR dataset (Nov 1, 2023–Oct 31, 2024). Median payments fell to $115,000, and 64% of victims declined to pay. (Verizon, +1)
• Third-party involvement doubled to 30% of breaches; the “human element” stayed at ~60%. Secrets leaked in code repositories took a median of 94 days to remediate, and a large share of compromised credentials came from non-managed/BYOD devices. (Verizon)
• NetDiligence’s 2024 study (claims from 2019–2023) shows 98% of claims came from SMEs; ransomware and BEC remain the top loss drivers. Average BEC claim costs jumped to ~$183,000 in 2023. (RSM US; Berkley Crime; Insurance Journal; NetDiligence)
• Over the long arc (2008–2024), Cyentia IRIS finds reported incidents up ~650% and median losses rising from ~$190k to nearly $3M, with severe “tail” losses multiplying by ~5×. (Cyentia Institute)
• FBI IC3 recorded a new high: $16.6B in reported losses in 2024; ransomware complaints against U.S. critical infrastructure rose 9% year over year. (FBI IC3; Reuters)
So what actually drives today’s losses?
• Ransomware and data extortion: now present in a large share of breaches, but payouts are falling as more organizations refuse to pay and recovery improves. Insurers still scrutinize backups and proof of incident response capability. (Verizon)
• BEC and payment fraud: average claim sizes are rising sharply; mailbox rules, forwarding, and weak verification remain common failure points. (Insurance Journal)
• Third-party and software supply chain: breaches involving partners doubled; underwriters increasingly ask about vendor risk management and SSO/MFA for third parties. (Verizon)
• Vulnerability/edge device exploitation: zero-day targeting of perimeter services and VPNs increased; slow patch cycles and visibility gaps prolong exposure. (Verizon)
What this means for buyers of cyber insurance
Insurers are aligning underwriting questions to the exact failure modes above. Expect scrutiny of, and pricing and terms tied to, evidence of:
• Identity: phishing-resistant MFA (security keys/passkeys) on admin/remote access; Conditional Access; no standing global admins (use JIT/PIM).
• Email/SaaS: disable end-user OAuth consent; verified publishers only; monitor mailbox rules/forwarders; least-privilege scopes with quarterly reviews.
• Backups: 3-2-1-1-0 with at least one immutable copy; quarterly restore tests with documented RTO/RPO results.
• Vulnerability/patch: accelerated SLAs for edge devices and KEV items; proof you can push emergency fixes in hours, not weeks.
• Third-party risk: SSO/MFA for vendors; short-lived, scoped access; offboarding automation; contract language for logging/breach notices.
• Logging/response: ~12 months of searchable identity, email, admin, endpoint, and RMM/PSA logs; alerting on consent grants, privilege changes, forwarding rules, and anomalous sign-ins.
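The logging/response item above asks for alerts on consent grants, privilege changes, forwarding rules, and anomalous sign-ins. The following is an added example written for this summary, not code from any of the cited reports or from a vendor product. The sample events are constructed and simplified imitations of SaaS audit-log records: the operation names follow the Microsoft 365 unified audit log naming, but the parameter layout, the Country field, the internal-domain list, the privileged-role list, the high-risk scope list, and the expected-country baseline are all assumptions you would replace with your own tenant's values.

```python
"""Flag the identity/SaaS change events underwriters expect to see alerted on.

Added example. Event records below are CONSTRUCTED sample data in a simplified
audit-log shape; field names and the risk lists are assumptions, not a vendor schema.
"""
import json
from typing import Iterable, Optional

# Constructed sample events (not real log data). Domains are documentation placeholders.
SAMPLE_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "a.lee@example.com",
                "Parameters": {"ForwardTo": "payments@attacker-example.net", "DeleteMessage": True}}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "b.kim@example.com",
                "Parameters": {"ForwardingSmtpAddress": "smtp:b.kim@example.com"}}),  # internal: benign
    json.dumps({"Operation": "Consent to application.", "UserId": "c.ng@example.com",
                "Parameters": {"AppDisplayName": "Mail Sync Helper",
                               "Scopes": "Mail.ReadWrite offline_access"}}),
    json.dumps({"Operation": "Add member to role.", "UserId": "admin@example.com",
                "Parameters": {"Role": "Global Administrator", "Target": "d.ortiz@example.com"}}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "e.roy@example.com",
                "ClientIP": "203.0.113.7", "Country": "ZZ", "Parameters": {}}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "e.roy@example.com",
                "ClientIP": "198.51.100.4", "Country": "US", "Parameters": {}}),
]

# Assumed tenant baselines; replace with your own.
INTERNAL_DOMAINS = {"example.com"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All", "offline_access"}
EXPECTED_COUNTRIES = {"US"}


def _is_external(address: str) -> bool:
    """True when a forwarding target's domain is not one of ours ("smtp:" prefix tolerated)."""
    addr = address.split(":", 1)[-1]
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def classify(event: dict) -> Optional[str]:
    """Return an alert tag for a risky change event, or None for benign/unknown events."""
    op = event.get("Operation", "")
    p = event.get("Parameters", {}) or {}
    if op in ("New-InboxRule", "Set-InboxRule"):
        target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
        if target and _is_external(target):
            return "external-forwarding-rule"
        if p.get("DeleteMessage"):
            return "rule-deletes-messages"
    if op == "Set-Mailbox":
        target = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
        if target and _is_external(target):
            return "external-mailbox-forwarding"
    if op.startswith("Consent to application"):
        if set(p.get("Scopes", "").split()) & HIGH_RISK_SCOPES:
            return "high-risk-oauth-consent"
    if op.startswith("Add member to role") and p.get("Role") in PRIVILEGED_ROLES:
        return "privileged-role-added"
    if op == "UserLoggedIn" and event.get("Country") not in EXPECTED_COUNTRIES:
        return "sign-in-from-unexpected-country"
    return None


def detect(lines: Iterable[str]) -> list:
    """Run classify() over newline-delimited JSON events; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        tag = classify(event)
        if tag:
            alerts.append({"alert": tag, "user": event.get("UserId"), "operation": event.get("Operation")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second sample event is deliberately a self-forward to an internal address so the rule does not fire; alerting on every forwarding change produces noise that gets tuned out, whereas the external-domain and delete-message conditions map directly to the BEC failure points named above.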
Where the three reports agree
• People still matter: ~60% of breaches involve the human element (phishing, misuse, error). Pair identity controls with help-desk verification (no resets/factor adds via chat alone; callback to pre-verified numbers and dual control). (Verizon)
• Preparedness is measurable: organizations that can show patch velocity, immutable backups with tested restores, and strong app-consent governance have better outcomes (and smoother claims). (Verizon; Insurance Journal)
• Tail risk is real: plan for outliers, not averages—use limits, sublimits, and retentions that reflect the heavier “tails” Cyentia documents. (Cyentia Institute)
What to update in your program this quarter
• Close the edge-device gap: inventory public-facing services; patch KEV/zero-day items; remove or harden legacy VPNs; add virtual patching rules where needed. Track median days-to-remediate. (Verizon)
• Harden email/SaaS against BEC: lock mailbox rules/forwarders, enforce DKIM/DMARC, and turn off end-user OAuth consent. Review grants and revoke stale tokens. (Insurance Journal)
• Prove recoverability: run a quarterly ransomware restore test from immutable media; document timings and share the report with your broker at renewal.
• Reduce third-party blast radius: time-boxed roles, per-tenant service accounts, IP/VPN restrictions, and continuous offboarding. (Verizon)
Metrics underwriters want to see on one page
• MFA coverage (% of workforce; 100% of admins) and phishing-resistant MFA adoption
• % of privileged roles that are JIT (vs. standing)
• Patch SLAs met for KEV/edge device items (median/95th percentile days)
• Backup immutability status and last restore test results
• % of users blocked from end-user OAuth consent; count of high-risk grants removed last quarter
• Log retention window and alert MTTR for identity/SaaS change events
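The metrics list above is easier to produce on demand if it is computed from inventory data rather than assembled by hand each renewal. The following is an added example written for this summary, not code from any cited report or insurer. Every record in it is constructed sample data; the field layouts, the 7-day SLA for KEV/edge items, the reporting date, and the treatment of "eligible" role assignments as JIT are assumptions you would adapt to your own identity provider, vulnerability tracker, and alerting platform.

```python
"""Compute the one-page underwriting metrics from constructed inventory data.

Added example. All records are INVENTED sample data; field layouts, the SLA
threshold and the reporting date are assumptions, not values from any report.
"""
import math
from datetime import date, datetime
from statistics import median
from typing import Optional, Sequence

AS_OF = date(2025, 6, 30)          # assumed reporting date for still-open items
SLA_DAYS_KEV_EDGE = 7              # assumed SLA for KEV / edge-device items
PHISHING_RESISTANT = {"fido2", "passkey"}

# (user, is_admin, mfa_method or None when unenrolled)
USERS = [
    ("a.lee", False, "app"), ("b.kim", False, None), ("c.ng", False, "sms"),
    ("d.ortiz", True, "fido2"), ("e.roy", True, "passkey"), ("f.wu", False, "fido2"),
    ("g.hall", True, "app"), ("h.ito", False, "app"),
]
# (principal, role, assignment_type): "eligible" = JIT-activated, "active" = standing
ROLE_ASSIGNMENTS = [
    ("d.ortiz", "Global Administrator", "eligible"),
    ("e.roy", "Exchange Administrator", "eligible"),
    ("g.hall", "Global Administrator", "active"),
    ("svc-backup", "Backup Operator", "active"),
]
# (asset, disclosed, remediated or None if still open) for KEV / edge items
PATCH_RECORDS = [
    ("vpn-edge-01", date(2025, 6, 1), date(2025, 6, 3)),
    ("fw-edge-02", date(2025, 6, 2), date(2025, 6, 12)),
    ("mail-gw-01", date(2025, 6, 5), date(2025, 6, 6)),
    ("vpn-edge-03", date(2025, 6, 10), None),
    ("web-proxy-01", date(2025, 6, 15), date(2025, 6, 19)),
]
# (fired, resolved) for identity / SaaS change-event alerts
ALERTS = [
    (datetime(2025, 6, 3, 9, 0), datetime(2025, 6, 3, 9, 45)),
    (datetime(2025, 6, 10, 14, 0), datetime(2025, 6, 10, 16, 0)),
    (datetime(2025, 6, 20, 2, 0), datetime(2025, 6, 20, 2, 30)),
]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def percentile(values: Sequence[float], p: float) -> Optional[float]:
    """Nearest-rank percentile (what most SLA reports mean by p95); None for an empty series."""
    if not values:
        return None
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def days_exposed(disclosed: date, remediated: Optional[date], as_of: date = AS_OF) -> int:
    """Open items keep accruing exposure until the reporting date instead of being dropped."""
    return ((remediated or as_of) - disclosed).days


def one_pager() -> dict:
    admins = [u for u in USERS if u[1]]
    exposure = [days_exposed(d, r) for _, d, r in PATCH_RECORDS]
    met = sum(1 for _, d, r in PATCH_RECORDS
              if r is not None and days_exposed(d, r) <= SLA_DAYS_KEV_EDGE)
    mttr = [(res - fired).total_seconds() / 60 for fired, res in ALERTS]
    return {
        "mfa_coverage_pct": pct(sum(1 for u in USERS if u[2]), len(USERS)),
        "admin_mfa_pct": pct(sum(1 for u in admins if u[2]), len(admins)),
        "phishing_resistant_pct": pct(sum(1 for u in USERS if u[2] in PHISHING_RESISTANT), len(USERS)),
        "jit_privileged_pct": pct(sum(1 for a in ROLE_ASSIGNMENTS if a[2] == "eligible"),
                                  len(ROLE_ASSIGNMENTS)),
        "patch_median_days": median(exposure),
        "patch_p95_days": percentile(exposure, 95),
        "patch_sla_met_pct": pct(met, len(PATCH_RECORDS)),
        "patch_open_items": sum(1 for _, _, r in PATCH_RECORDS if r is None),
        "alert_mttr_minutes_mean": round(sum(mttr) / len(mttr), 1) if mttr else None,
        "alert_mttr_minutes_median": median(mttr) if mttr else None,
    }


if __name__ == "__main__":
    for name, value in one_pager().items():
        print(f"{name:28} {value}")
```

Two design points matter for the numbers an underwriter sees: an item that is still open counts against the SLA and keeps accruing days until the reporting date, so the p95 cannot be flattered by excluding unfinished work, and the percentile uses nearest rank rather than interpolation, so the reported p95 is always an actual observed remediation time.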
Bottom line
Cyber risk in 2025 is increasingly about identity, software supply chains, and the speed of change across SaaS and edge devices. Align your control evidence to those realities and you’ll cut loss likelihood—and qualify for better terms.
Sources
• Verizon DBIR 2025 Executive Summary (dataset size; ransomware presence and payments; human element ~60%; third-party involvement doubled to 30%; vulnerability/edge exploitation; remediation stats; BYOD/infostealer insights; incident timeline window). (Verizon, +1)
• NetDiligence Cyber Claims Study 2024 (10k+ claims; 98% SMEs; ransomware/BEC leading; BEC average ~$183k in 2023; SME vs. large-enterprise cost share). (Berkley Crime; RSM US; Insurance Journal; NetDiligence)
• Cyentia IRIS 2025 (650% incident growth since 2008; median losses nearing $3M; heavier tail losses). (Cyentia Institute)
• FBI IC3 2024 (record $16.6B in reported losses; ransomware complaints against critical infrastructure up 9%). (FBI IC3; Reuters)