Effective Backup Strategies Prompt Responses from Ransomware Gangs Through Data Theft

Rising Trends in Cyber Insurance Claims: A Closer Look at 2025 Data

In a significant report by Coalition, which encompasses a comprehensive analysis of over 100,000 policyholders across the United States, Canada, the United Kingdom, Australia, and Germany, it was found that business email compromise (BEC) and funds transfer fraud (FTF) account for a staggering 58% of all cyber insurance claims filed in 2025. This highlights a growing vulnerability among businesses in the digital landscape.

BEC emerged as the predominant type of claim, representing 31% of all claims filed. Notably, the frequency of BEC incidents has surged by 15% from the previous year, with an occurrence rate of 0.47%. This increase in frequency indicates an alarming trend in cyber threats. However, organizations are demonstrating improvement in their response mechanisms, as the average financial loss associated with BEC incidents has declined by 28%, settling at $27,000. This shift can largely be attributed to enhanced detection methods and swifter responses by affected companies.

Funds transfer fraud (FTF), by contrast, accounted for 27% of total claims. Unlike BEC, the frequency of FTF incidents declined by 18%, to an occurrence rate of 0.42%. The average financial impact of FTF has also lessened, dropping 14% to $141,000 per incident. A striking 71% of FTF events involved elements of social engineering, with attackers impersonating executives, vendors, or financial institutions to facilitate unauthorized transactions; the average loss due to social engineering tactics was recorded at $127,000. Additionally, a separate category, fraudulent instructions sent directly to banks, represented 20% of FTF events, a concerning trend of incidents tied directly to banking institutions, with these cases reflecting an average loss of $218,000.

Interestingly, BEC often plays an auxiliary role in FTF events, acting as a precursor in 52% of cases with an average associated loss of $112,000. Attackers frequently leveraged mailbox access to intercept transactions, manipulate payment details, or acquire sensitive banking information, thus compounding the threat businesses face.

In terms of recovery efforts, Coalition reported a remarkable recovery of $21.8 million in stolen funds connected to FTF incidents in 2025, boasting an average recovery of $202,000 per incident. Notably, recovery occurred in 32% of reported FTF events, underscoring the potential for organizations to reclaim lost funds when proactive measures are in place.

The study also sheds light on ransomware incidents, which constituted 21% of claims filed. The frequency of ransomware attacks remained unchanged from the previous year at 0.32%. However, the severity of losses related to these attacks dropped by 19%, bringing the average loss to $262,000. Alarmingly, the average initial ransom demand has surged by 47% to just over $1,019,000, with some demands peaking as high as $16 million. The disparity in demands illustrates a troubling trend where opportunistic attacks against smaller organizations result in lower ransom requests, typically around $9,000, while highly targeted attacks against financially robust organizations result in exorbitant demands.

Among the various ransomware variants, Akira stood out, linked to 25% of incidents with an average demand of $926,000. Qilin and RansomHub also made their mark, accounting for 12% and 7% of incidents respectively, illustrating the ever-evolving nature of cyber threats.

Interestingly, the study revealed that 86% of ransomware victims chose not to pay the ransom. Among the 14% who did pay, expert negotiators managed to lower initial demands by an impressive 65%, which brought the average final payment down to $355,000, with a median payment settling at $200,000.

In response to these threats, there has been an evident shift towards dual extortion tactics, where attackers encrypt systems while simultaneously exfiltrating data. This newfound strategy constituted 70% of ransomware claims, with an average loss of $299,000. Other forms of ransomware attacks, such as encryption-only and exfiltration-only attacks, presented average losses of $138,000 and $205,000 respectively, signifying varying degrees of risk associated with different methodologies.

Amid these challenges, organizations are pressed to bolster their backup strategies, with industry professionals emphasizing that backups must be secured, immutable, and isolated from production networks. According to Shelley Ma, the Incident Response Lead at Coalition, organizations need to implement tight access controls and rigorous testing protocols for their backups to ensure that they can effectively recover vital infrastructure following cyber incidents.

Furthermore, a strategic emphasis on data governance must coincide with backup protocols, which should focus on minimizing the retention of sensitive data and safeguarding high-value data stores to mitigate potential legal and reputational damage in the event of a breach. For different sectors, such as manufacturing and healthcare, tailored recommendations were made regarding data minimization and recovery protocols to ensure business continuity and compliance with regulatory standards.

The report further reveals that VPNs were the most frequently targeted technology in ransomware incidents, featuring in 59% of cases in which a technology compromise was verified. Organizations exposing their VPN login panels to the public internet faced a significantly heightened risk: they were three to four times more likely to encounter a cyber incident than those employing necessary cybersecurity measures.

Overall, the report illustrated a disturbing rise in the frequency of global claims, with a 3% year-over-year increase reaching 1.54%. Meanwhile, the average severity of losses across all event types fell by 19% to $116,000, indicating that while organizations are encountering more frequent cyber incidents, they are becoming better equipped to handle the financial repercussions. Moreover, on the privacy liability front, a notable 72% of privacy rights allegations stemmed from the California Invasion of Privacy Act, reflecting the evolving nature of privacy regulations in the digital space.

As organizations navigate through these multifaceted cyber threats, a concerted effort in cybersecurity infrastructure and crisis response strategies will be essential for safeguarding their assets and ensuring resilience in the face of adversity.
