Willis finds cyber coverage adequate for most breach and first-party losses

Data breaches lead in frequency but ransomware leads in financial severity

By Roxanne Libatique

Cyber insurance covered more than 95% of average data breach losses and 90% of average first-party losses across 5,500 claims spanning 13 years and 95 countries, according to a new Willis report – even as a single ransomware event in the dataset surpassed US$500 million in losses. The report, “Cyber Claims in Focus: Getting Value From Cyber Insurance,” released June 16, 2026, by Willis, a WTW business unit, examined claims filed between January 2013 and January 2026, representing approximately US$1 billion in insurer payments.

Ransomware produces the largest losses in the dataset

Ransomware recorded the highest financial severity of any loss type in the dataset, with disrupted productivity and extended system downtime as the primary cost drivers. Data breaches remain the most frequently reported loss type, with malicious incidents accounting for the majority of cases. The average ransomware event lasted 25 days and produced an average loss of US$5.3 million. Attackers demanded an average of US$3.8 million but collected US$1.5 million. Business interruption and ransom payments made up the two largest expense categories in ransomware events.

The report draws a distinction between attack vectors. Incidents targeting an organization’s own systems accounted for 58% of ransomware notifications and 95% of total costs, while vendor-led incidents accounted for 42% of notifications but only 5% of costs. That divergence suggests vendor-led incidents, while more frequent in notification volume, carry substantially less financial severity than direct attacks – a distinction with implications for how organizations weigh third-party risk in their coverage assessments.

Third-party vendors drive a rising proportion of losses

Third parties were responsible for nearly half of data breach losses and 29% of first-party losses in the dataset. Among third-party breach sources, IT, technology, and telecom vendors accounted for 50% of incidents, financial institutions for 17%, and administrative services providers for 11%. The report identifies systemic risk from single-vendor incidents affecting multiple organizations simultaneously as a continuing concern for the market. The report also flags pixel-tracking litigation as what it describes as a hidden cyber insurance risk, noting that some cases have resulted in material losses across the wider market. Both the third-party vendor trend and pixel-tracking exposure contribute to the aggregate loss volatility visible in the dataset.

Tail-risk concentration defines the loss landscape

Michael Parrant, director of cyber & technology practice, FINEX Pacific at Willis, said the dataset reveals a consistent skew between claim frequency and cost. “Our analysis highlights a consistent pattern: while the average claim value is approximately $3.3 million, a relatively small number of large-scale events drive the majority of total losses. Incidents exceeding $10 million represent only around 5% of claims by volume, yet account for close to 90% of total cost, underscoring the materiality of tail risk in cyber portfolios. While certain industries are targeted more frequently, no organisation or industry is immune to cyber incidents,” Parrant said.

Parrant cited Australia as an example of escalating post-incident consequences, pointing to increased regulatory scrutiny, greater class action exposure, and costs associated with remediation, customer notification, and business disruption. “As the threat landscape continues to intensify, the impact is being felt not only in the frequency, severity, and velocity of cyber events, but also in the expanding blast radius and persistence of attacks. In response, organisations are increasingly adopting cyber risk quantification to support both control investment and insurance purchasing decisions, ensuring that programs are calibrated not only to expected losses, but to increasingly volatile and interconnected tail-risk scenarios,” Parrant said.

Healthcare and financial sectors record highest claim volumes

Healthcare entities accounted for 20% of all cyber policy notifications in the dataset, followed by financial institutions at 16% and manufacturing at 13%. Parrant noted that while certain sectors see higher claim activity, no organization or industry is immune to cyber incidents.

Coverage gaps emerge where policies diverge from actual risk

Peter Foster, chairman of global FINEX cyber and cyber risk solutions at Willis, said differences in how policies are constructed leave some organizations exposed in areas where they most need protection. “Cyber insurance cover varies widely, which is why organisations must understand what they have in place and ensure it aligns with their risk exposures. When cover doesn’t reflect reality, organisations risk critical gaps where protection is needed most, while paying for cover that offers little real value. To get the strongest value from cyber insurance, consideration must reflect the claims patterns seen across the market. Our analysis of claims and loss data provides hints to understand how cyber losses occur and what that means for organisations, helping them to prioritise the most material scenarios and design coverage around these realities,” Foster said.

Asia insureds scrutinize limit adequacy as ransomware costs rise

Conor Keating, head of cyber in Asia at Willis, said the risk environment across Asia is growing more layered as businesses automate and expand their reliance on third-party technology systems, adding a regional dimension to the coverage alignment concerns raised elsewhere in the report. “While AI has not yet emerged as a stand-alone driver of cyber insurance claims, it is already amplifying existing threats, from social engineering and deepfake phishing to ransomware,” Keating said.

Keating said limit adequacy is drawing greater scrutiny across Asia given that the average ransomware event now costs businesses more than US$5 million. More clients, he said, are seeking cyber risk quantification analysis to inform their insurance purchasing and strengthen their risk transfer strategies. Insureds are also working with brokers to embed cyber policies within existing incident response plans, with pre-agreed vendor engagement and regular testing enabling faster action during active events. “For companies in Asia, the message is clear: cyber insurance should not be viewed as a static policy purchase. It should form part of a broader resilience strategy that helps to quantify exposures, test response plans, and incorporate coverage that is aligned to real-world claims scenarios most likely to affect the business,” Keating said.
