
Ransomware, Fraud, and Lawsuits Drive Cyber Insurance Claims to Record Highs: Ho


Why Did Cyber Insurance Claim Frequency and Amounts Both Hit Record Highs in 2026?

The answer is straightforward: the evolution of ransomware attack techniques, the persistence of financial fraud, and the surge in third-party litigation costs have combined to overwhelm insurers. At-Bay’s 2026 InsurSec Report, covering claims data from over 100,000 policy years, paints a stark reality: cyber threats are no longer occasional events but a normalized operational risk.

Specifically, overall claim frequency rose 7% year-over-year, while the average single claim amount reached an unprecedented $221,000. Among these, the average ransomware claim amount was as high as $508,000, a 16% surge year-over-year, making it the most expensive type of incident. Although financial fraud has a lower per-incident amount, its high frequency (about 30% of total claims) results in a significant cumulative financial impact.

More concerning is the rapid growth in litigation-related claims. Class-action lawsuits after data breaches, third-party supply chain disruption claims, and regulatory fines are forcing insurers to significantly raise premiums or tighten coverage. This means enterprises will face higher costs to obtain adequate cyber insurance in the future, and may even risk being denied coverage.


The Top Vulnerability for Ransomware Intrusion: Why Do Remote Access Services Become Hackers’ Favorite?

Remote access services accounted for 87% of ransomware claims in 2025, with VPN vulnerabilities alone comprising 73%. This figure has climbed from 38% in 2023, indicating that attackers have completely abandoned traditional email phishing methods and shifted to directly targeting internet-exposed remote access devices.

According to At-Bay’s data, email did not generate any ransomware claims in 2025. This is not because email has become safer, but because the email security filters commonly deployed by enterprises are now quite mature, prompting attackers to seek easier targets: VPN devices without timely patch updates, Remote Desktop Protocol (RDP) services, and other remote management tools.

Even more alarming is that one in three ransomware claims involved SonicWall devices. The company’s firewalls and VPN products are widely used by small and medium-sized enterprises globally, but the gap between patch release speed and user update willingness provides attackers with an excellent entry point. Attackers do not need sophisticated social engineering; they only need to scan the internet for devices with known vulnerabilities to gain full network access within hours or even minutes.

Why Did Akira Ransomware Surge 364% in the Second Half of 2025? How Should Enterprises Defend?

Akira’s attack frequency surged 364% in Q3 and Q4 of 2025, with an average ransom demand of $1.2 million, and the attacks move extremely fast: the time from initial intrusion to ransomware deployment is only hours or even minutes. This group’s attack pattern differs significantly from traditional ransomware and warrants close attention from enterprises.

Akira’s success stems from three key factors. First, they precisely target exposed VPN devices, especially those without multi-factor authentication or with known vulnerabilities. Second, their attack speed is extremely fast, leaving enterprises no time to react. Traditional ransomware attacks may require days to weeks of dormancy, but Akira often begins encrypting files within hours of gaining access. Third, their ransom demands are exceptionally high, averaging 50% higher than non-Akira attacks, but the average actual payment is $452,000, indicating victims still have room to negotiate.

Notably, all Akira victims who successfully avoided data encryption had deployed 24/7 MDR (Managed Detection and Response) monitoring services. This is no coincidence: MDR teams can intervene the moment attackers begin lateral movement or ransomware deployment, disrupting the attack chain. Additionally, two-thirds of Akira attacks occurred at night or on weekends, leaving enterprises without round-the-clock monitoring almost no chance to stop the attack.

Why Are Small and Medium Enterprises Becoming New Targets for Ransomware Attacks? What Is the Impact on the Cyber Insurance Market?

Enterprises with revenue under $25 million experienced a 21% year-over-year increase in ransomware claim frequency in 2025, with average claim amounts rising 40% to $422,000. This figure breaks the traditional notion that large enterprises are the primary targets, showing that attackers have expanded their scope to every link in the supply chain.

The reason lies in the shift in attack methods. Ransomware groups like Akira no longer conduct customized attacks against specific companies but use large-scale scanning to find exposed VPN devices. As long as a device has a vulnerability, it becomes a target regardless of company size. SMEs often lack dedicated cybersecurity teams, have slow VPN device update cycles, and may not even have multi-factor authentication enabled, making them the easiest prey.

The impact on the cyber insurance market is profound. In the past, SMEs had lower claim amounts, so insurers were willing to underwrite them at relatively cheap premiums. But now, an average claim of $422,000 is devastating for a company with annual revenue under $25 million, and it is becoming unprofitable for insurers. In the future, insurers may take the following measures:

  • Significantly raise premiums for SMEs, especially those without MDR or EDR deployment
  • Require enterprises to prove they have patched specific vulnerabilities (e.g., SonicWall VPN) to qualify for coverage
  • Narrow coverage scopes by excluding certain attack types (e.g., ransomware due to unpatched vulnerabilities)

Which Industries Are Most Vulnerable to Ransomware Attacks? What Do Differences in Claim Amounts Indicate?

The manufacturing industry has a ransomware claim frequency 2.2 times the overall average. The technology industry has the highest average claim amount ($875,000), followed by financial services ($731,000) and healthcare ($675,000). These figures are not random but reflect the cybersecurity vulnerabilities of different industries during digital transformation.

| Industry | Claim Frequency (vs. Overall Average) | Average Claim Amount (USD) | Key Weaknesses |
|---|---|---|---|
| Manufacturing | 2.2x | - | OT/IT convergence, legacy equipment, lack of cybersecurity staff |
| Technology | 1.8x | 875,000 | Numerous exposed APIs, development environments, third-party dependencies |
| Financial Services | 1.5x | 731,000 | High-value data, regulatory pressure, third-party vendor risk |
| Healthcare | 1.3x | 675,000 | Legacy medical devices, high-value patient records, limited budgets |

Manufacturing is the most frequent target due to the widespread exposure of Industrial Internet of Things (IIoT) and legacy Operational Technology (OT) devices to the internet. Many factory PLCs and SCADA systems still use traditional remote access methods lacking basic authentication and encryption. Once attackers breach these systems, they can not only encrypt data but also directly impact production lines, forcing companies to pay ransoms.

The technology industry has the highest average claim amount, reflecting the high value of the intellectual property and customer data these companies hold. Attackers know that if a tech company suffers ransomware, the downtime losses and data breach consequences are severe, so such companies are willing to pay higher ransoms.


Why Has Financial Fraud Consistently Accounted for About 30% of Cyber Insurance Claims for Three Years? Email Remains the Primary Intrusion Vector

Financial fraud remained the most common type of cyber insurance claim in 2025, accounting for about 30% of total claims, with 82% of fraud incidents originating via email. This data shows that despite increased investment in email security, social engineering and Business Email Compromise (BEC) remain difficult to eradicate.

The biggest difference between financial fraud and ransomware is that the former typically does not require advanced technical skills. Attackers only need to forge an email that appears to come from the CEO or CFO, requesting the accounting department to wire funds to a specific account, and it may succeed. This technique remains effective because it exploits human nature: employees tend to follow superiors’ instructions, especially under pressure or in urgent situations.

Notably, while the average single claim amount for financial fraud is lower than ransomware, the total losses are substantial. According to At-Bay data, the average financial fraud claim amount is about $80,000 to $120,000, but due to its high frequency, the cumulative financial impact can even exceed that of ransomware.

Enterprises must adopt a two-pronged defense strategy. On the technical side: enforce multi-factor authentication, implement dual-approval payment processes, and deploy AI-driven email anomaly detection tools. On the personnel side: conduct regular phishing simulation training, establish clear payment review SOPs, and ensure employees know that even if a “boss” sends an urgent request for a wire transfer, it must be verified through other channels.


The cyber insurance market is undergoing a structural shift, and enterprises will face higher premiums, stricter underwriting standards, and more claim exclusions in the future. This is not a short-term market fluctuation but a long-term trend of insurers repricing risk.

| Trend | Impact on Enterprises | Recommended Response Strategy |
|---|---|---|
| Premiums increase 20-40% annually | Cyber insurance cost as a share of IT budget rises | Reassess balance between risk retention and insurance |
| Stricter underwriting requirements | Must prove deployment of MDR or EDR to get reasonable quotes | Prioritize investment in quantifiable security controls |
| More claim exclusions | Ransomware attacks due to unpatched known vulnerabilities may not be covered | Establish vulnerability patching SOP and retain evidence |

Insurers now require enterprises to provide detailed cybersecurity maturity assessment reports, including whether MDR is deployed, whether EDR configurations have automated blocking enabled, whether VPN devices are updated to the latest versions, and whether multi-factor authentication is implemented. Enterprises that cannot demonstrate these controls may face significant premium increases or even denial of coverage.

For enterprises, the most pragmatic strategy is to “invest in defense first, then buy insurance.” Cyber insurance should not be seen as a substitute for cybersecurity investment but as the last line of defense in an overall risk management strategy. Instead of paying high premiums annually, it is better to allocate budget to MDR services, EDR tools, and vulnerability patching processes, so that insurers see that your risk has been reduced to an acceptable level.


FAQ

Why did cyber insurance claim frequency and amounts hit record highs in 2026?

In 2026, cyber insurance claim frequency increased 7% year-over-year, with the average single claim amount reaching a record $221,000. Ransomware average claim amount reached $508,000, up 16% year-over-year.

What is the primary intrusion vector for ransomware attacks?

Remote access services accounted for 87% of ransomware intrusion vectors, with VPN vulnerabilities comprising 73%. Akira ransomware intrusions via VPN devices surged 364% year-over-year.

How has the role of small and medium-sized enterprises changed in cyber insurance claims?

Enterprises with revenue under $25 million saw ransomware claim frequency increase 21% year-over-year, with average claim amounts rising 40% to $422,000, indicating attackers have expanded targets to SMEs.

How can enterprises reduce the risk of ransomware attacks?

Accelerate the phase-out of vulnerable VPN devices and switch to cloud or SaaS remote access; deploy 24/7 MDR monitoring, or make full use of EDR tools by enabling automated blocking of malicious activity.

What is the share of financial fraud in cyber insurance claims?

Financial fraud has accounted for approximately 30% of cyber insurance claims for three consecutive years, with 82% originating via email. Enterprises should enforce multi-factor authentication and enhance employee training.


Further Reading

  1. At-Bay 2026 InsurSec Report Official Report
  2. CISA Emergency Directive on VPN Vulnerabilities
  3. SonicWall Security Advisories and Patches
  4. NIST Cybersecurity Framework
  5. MITRE ATT&CK Ransomware Tactic Analysis