Cyber insurance covered more than 95% of average data breach losses and 90% of average first-party losses - even as a single ransomware event in the dataset surpassed US$500 million in losses. The findings come from Willis's "Cyber Claims in Focus: Getting Value From Cyber Insurance," released June 16, 2026, which examined 5,500 claims filed between January 2013 and January 2026 across 95 countries, representing approximately $1 billion in insurer payments.
Ransomware recorded the highest financial severity of any loss type in the dataset, with disrupted productivity and extended system downtime as the primary cost drivers. Data breaches remain the most frequently reported loss type, with malicious incidents accounting for the majority of cases. The average ransomware event lasted 25 days and produced an average loss of US$5.3 million. Attackers demanded an average of US$3.8 million but collected US$1.5 million, with business interruption and ransom payments making up the two largest expense categories.
The Willis figures sit alongside a broader market picture of shifting ransomware dynamics. Coalition's 2026 Cyber Claims Report found that initial ransom demands surged 47% year-over-year in 2025, yet a record 86% of businesses refused to pay - suggesting that improved backup systems and incident response capabilities are helping organisations resist extortion demands. Business email compromise and funds transfer fraud still accounted for 58% of cyber incidents Coalition observed, a reminder that high-profile ransomware events can obscure the dominance of more routine fraud in claim volumes.
The report draws a significant distinction between attack vectors. Incidents targeting an organisation's own systems accounted for 58% of ransomware notifications but 95% of total costs, while vendor-led incidents accounted for 42% of notifications but only 5% of costs. That divergence, with vendor-led incidents frequent in notification volume but limited in financial severity, has direct implications for how organisations weigh third-party risk in their coverage assessments.
Third parties were responsible for nearly half of data breach losses and 29% of first-party losses in the dataset. Among third-party breach sources, IT, technology and telecom vendors accounted for 50% of incidents, financial institutions for 17% and administrative services providers for 11%. The report identifies systemic risk from single-vendor incidents affecting multiple organisations simultaneously as a continuing concern, and also flags pixel-tracking litigation as a hidden cyber insurance risk, with some cases resulting in material losses across the wider market.
Michael Parrant, director of cyber and technology practice, FINEX Pacific at Willis, said the dataset reveals a consistent skew between claim frequency and cost. "While the average claim value is approximately US$3.3 million, a relatively small number of large-scale events drive the majority of total losses. Incidents exceeding US$10 million represent only around 5% of claims by volume, yet account for close to 90% of total cost - underscoring the materiality of tail risk in cyber portfolios," Parrant said.
Parrant cited Australia as an example of escalating post-incident consequences, pointing to increased regulatory scrutiny, greater class action exposure and costs associated with remediation, customer notification and business disruption. He added that organisations are increasingly adopting cyber risk quantification to support both control investment and insurance purchasing decisions, ensuring programmes are calibrated not only to expected losses but to increasingly volatile and interconnected tail-risk scenarios.
Healthcare entities accounted for 20% of all cyber policy notifications in the dataset, followed by financial institutions at 16% and manufacturing at 13%.
Peter Foster, chairman of global FINEX cyber and cyber risk solutions at Willis, said differences in how policies are constructed leave some organisations exposed where they most need protection. "Cyber insurance cover varies widely, which is why organisations must understand what they have in place and ensure it aligns with their risk exposures. When cover doesn't reflect reality, organisations risk critical gaps where protection is needed most, while paying for cover that offers little real value," Foster said. Organisations seeking the strongest value from cyber insurance, he added, should ensure coverage is designed around the claims patterns most likely to affect their specific risk profile.
The coverage alignment challenge is playing out against a softening market. Swiss Re projects global cyber insurance premiums will reach US$15.6 billion in 2025 and US$16.4 billion in 2026, with the sector's growth outlook revised down to a 5% compound annual growth rate from 2023 - a sharp deceleration from the 30%-plus annual growth recorded between 2017 and 2022. In the US, admitted direct written premiums fell 2.3% in 2024 to US$7.1 billion - the first decline since 2018. For underwriters, that pricing environment makes the coverage design question more acute: falling premiums reduce the margin for error when policies fail to respond as expected.
Conor Keating, head of cyber in Asia at Willis, said the risk environment across Asia is growing more layered as businesses automate and expand their reliance on third-party technology systems. "While AI has not yet emerged as a stand-alone driver of cyber insurance claims, it is already amplifying existing threats - from social engineering and deepfake phishing to ransomware," Keating said.
Limit adequacy is drawing greater scrutiny across Asia given that the average ransomware event now costs businesses more than US$5 million. Clients are increasingly seeking cyber risk quantification analysis to inform insurance purchasing, and insureds are working with brokers to embed cyber policies within existing incident response plans, with pre-agreed vendor engagement and regular testing enabling faster action during active events. "Cyber insurance should not be viewed as a static policy purchase," Keating said. "It should form part of a broader resilience strategy that helps to quantify exposures, test response plans, and incorporate coverage aligned to real-world claims scenarios most likely to affect the business."