Carriers see fewer cyber claims but soaring average ransomware losses force product redesigns
By [Staff Writer]
Who: Major commercial insurers and reinsurers across North America and Europe, including primary carriers and reinsurance firms.
What: While overall cyber-claim frequency has fallen in recent reporting periods, the average cost of ransomware-related losses has risen sharply, prompting insurers to redesign cyber products and tighten underwriting.
When: Trends and actions documented in reports and market commentaries from 2024 through mid-2025.
Where: Markets in the United States, the United Kingdom and the European Union are the primary focus of the shift.
Why: Attackers have shifted tactics toward high-value, data-exfiltration and business‑interruption events that produce very large individual losses; at the same time, improved defenses, law‑enforcement pressure and changes in attacker economics have reduced the number of smaller, opportunistic claims—creating a market with fewer but far costlier losses. (coalitioninc.com)
Insurers are responding by rewriting policy wordings, tightening underwriting gates, imposing sublimits and co‑insurance for extortion losses, and demanding stronger operational controls from buyers — a redesign that underwriters and reinsurers say is necessary to keep cyber insurance viable as a commercial line. Market participants and published portfolio data show the industry now faces an unusual combination: falling frequency of claims but a heavier concentration of loss dollars in a smaller number of “mega‑loss” ransomware incidents. (businesswire.com)
What the data show
Industry incident and claims datasets from insurers and specialist response firms diverge on exact magnitudes, but point to the same pattern. Coalition, a large cyber insurer, reported that overall cyber-notification frequency fell year‑over‑year even as ransomware severity spiked in earlier periods — the company said ransomware severity rose “substantially” in the first half of 2024 and has remained a leading driver of insured loss. (coalitioninc.com)
Resilience, which publishes a midyear 2025 cyber‑risk review of its portfolio, documented a steep decline in claim notifications in some portfolios — a drop in notice frequency as large as 50% in the first half of 2025 in the firm’s data — while noting that ransomware now accounts for the lion’s share of incurred loss dollars and that average ransomware losses per paid claim have climbed. The firm calculated that ransomware‑related claims in its books averaged more than $1.18 million per claim in 2025 to date, compared with roughly $1.01 million in the first half of 2024. (theclm.org)
Ransomware incident‑response and intelligence firms report increases in demand and in single‑event payouts even as the overall flow of paid ransoms has shown quarter‑to‑quarter volatility. Coveware, a specialist in ransomware incident response, reported an average ransom payment of about $552,777 in Q1 2025 and documented a substantial quarter‑to‑quarter rise in some subsequent quarters driven by a handful of large corporate payouts; Coveware’s data show that a minority of cases — often those that involve extensive data exfiltration and prolonged operational disruption — account for outsized payouts. Separately, Chainalysis tallied more than $800 million in cryptocurrency ransom payments for 2024 — a marked decline from 2023 totals, but still a number that reflects meaningful scale and concentrated payouts. (veeam.com)
Why fewer claims, but larger losses?
Claims frequency has softened for several reasons, according to insurers and analysts. Firms and administrators say better detection, more routine offline/immutable backups, broader adoption of endpoint detection and response (EDR) tools, and increased internal preparedness — including tested incident‑response plans — have made it easier for many organizations to contain and recover from incidents without triggering an insurance claim or without paying a ransom. Law‑enforcement pressure and public guidance discouraging ransom payments have also lowered payment rates in some periods, shifting attacker economics. (businesswire.com)
At the same time, attackers have evolved from mass opportunistic encryption campaigns to a “big‑game hunting” model that prioritizes large organizations, third‑party service providers and supply‑chain choke points whose compromise yields high business‑interruption (BI) exposure or valuable exfiltrated data. Reinsurer and insurer analytics show that business interruption — not merely the extortion demand itself — now makes up the largest share of costs in many ransomware claims. Munich Re’s analysis puts business interruption at roughly half of ransomware loss costs in recent years, and notes that one or two very large incidents can dominate loss tallies for whole portfolios. (munichre.com)
“Ransomware was the leading cause of cyber insurance losses,” Munich Re analysts wrote, noting that business interruption accounted for roughly 51% of the cost components in ransomware losses and that a handful of large attacks (including vendor or supply‑chain incidents) are capable of producing multi‑hundred‑million‑dollar tails. “The cyber risk landscape shows an increase in the scale and impact of cyber‑attacks and cybersecurity incidents,” Munich Re said. (munichre.com)
How those losses force product redesigns
The mismatch between frequency and severity — fewer claims but larger average payouts — has altered insurers’ economics and underwriting posture. Market‑wide responses fall into three linked categories: stricter submission standards, narrower coverages or explicit sublimits, and capital/reinsurance repositioning.
- Stricter underwriting gates and evidence‑based underwriting. Carriers now require much more documentation of controls at submission and renewal: enforced multi‑factor authentication (MFA) on key accounts, EDR on endpoints, immutable offline backups with restore testing, formal patching programs, and documented incident‑response plans. Brokers and technical advisors describe underwriting as increasingly “evidence‑based,” where screenshots, logs and restore‑test reports replace checklist assertions. Firms that cannot demonstrate those controls face higher premiums, higher retentions or outright declinations. (blog.cyberadvisors.com)
- Narrower coverage, exclusions and sublimits. To manage aggregation and limit tail exposure, many policies now include explicit sublimits for extortion payments or BI tied to a ransomware event, coinsurance provisions requiring policyholders to bear a share of ransom/BI costs, and tightened third‑party vendor exclusions or contingent‑business‑interruption language that restricts payouts for losses traceable to specific outsourced providers. Some markets are also experimenting with parametric or resilience‑linked products as top‑up layers rather than broad first‑loss cyber policies. Publicly available commentary from market analysts and carrier reports indicate these product design shifts are well underway. (commercial.allianz.com)
- Reinsurance, modeling and capacity discipline. Reinsurers and modelers have updated accumulation models to better capture vendor concentration and BI accumulation; reinsurers say they are more selective on capacity and want demonstrable underwriting discipline from primary carriers. Munich Re and other reinsurers have warned that tail risk from ransomware and vendor concentration requires stricter portfolio management and capital buffers. That has translated into higher reinsurance costs for cyber and limits on the capacity available at standard terms, putting additional pressure on primary carriers’ product design and pricing. (munichre.com)
Carriers and market actors: public lines and quotes
Industry executives and claims leaders are explicit about the problem. Rob Jones, head of Coalition’s claims unit, said in Coalition’s mid‑year communications that the use of ransomware as an attack strategy decreased in some periods, but that severity and demand amounts had “spiked,” driven by particular variants and attacks on larger targets. Coalition’s data also highlight the role of business email compromise and social engineering as continuing sources of loss. (coalitioninc.com)
Michael Daum, global head of cyber claims at Allianz Commercial, said in the company’s own market analysis that improved detection and response capabilities among larger companies had, in some data, coincided with a decrease in insured losses in certain reporting windows — but he warned that data exfiltration and vendor incidents were amplifying the severity of large claims. “Every step an attacker progresses, and every minute that they are in the system, the impact goes up exponentially,” Daum said. (commercial.allianz.com)
Thomas Blunck, CEO Reinsurance at Munich Re, framed the change as structural: the market is “further maturing and is stable,” he said, but insurers must exercise discipline because large suppliers, systemic vendors and supply‑chain exposures produce accumulation risks that simple per‑client pricing cannot capture. “Good judgement and discipline are mandatory for all players in the face of the enormous loss potential,” Munich Re wrote in an industry note. (munichre.com)
Practical consequences for buyers
The redesign has made cyber insurance more transactional and more like a risk‑management badge: buyers who can demonstrate modern control stacks and tested recovery plans can still secure coverage, sometimes at favorable rates; organizations without evidence of adequate controls find it harder to obtain renewal or face steep price increases and reduced limits.
Brokers report longer placement cycles, with underwriters spending weeks or months validating control evidence and in some cases requiring remediation prior to binding. For many small and mid‑sized firms the business case for implementing the controls that insurers now require — EDR, immutable backup solutions and detailed logging — is difficult but increasingly unavoidable if they wish to remain insurable. Industry‑facing guidance has begun to call for companies to treat such controls as investment rather than a compliance chore. (ctresources.com)
Insurer‑side economics: why carriers cannot write unlimited risk
A central actuarial reality drives the product changes: even though total numbers of claims may shrink, the loss distribution is becoming more fat‑tailed — that is, a small number of incidents produce a disproportionate share of dollars lost. Ransomware events that cause prolonged business interruption, regulatory fines and third‑party liability can pile costs across multiple lines and push a single event into the tens or hundreds of millions of dollars — an outcome that standard cyber portfolios, especially for carriers without diversified accumulation controls or reinsurance protection, struggle to support. Munich Re’s models show that accumulation potential for extreme cyber events remains material and that underwriters must price and control for it. (munichre.com)
Large losses that have shaped market memory — and policy language — include a string of vendor and software‑supply incidents in recent years that created multi‑jurisdictional downtime and litigation exposure for customers. Munich Re highlighted examples — including healthcare and software‑service incidents — where total economic impact far exceeded the immediate ransom demand because of cascading service outages, regulatory actions and customer litigation. Those incidents helped crystallize underwriter demand for vendor‑risk clauses and contingent‑BI language that specify what the insurer will and will not pay when a supplier is the root cause. (munichre.com)
Where the market may be headed
Insurers and market analysts point to several likely next steps:
- Continued discipline around evidence‑based underwriting: carriers will increasingly require logs, restore test reports, MFA screenshots and other hard evidence at application and renewal. (blog.cyberadvisors.com)
- More scaled or layered cyber products: simple primary policies will carry lower limits or narrower coverages, and separate resilience or parametric layers may be sold to cover specific types of BI or to top up event limits. Reinsurers are actively evaluating such structures to better distribute tail risk. (munichre.com)
- Greater focus on vendor concentration: underwriters will add contract language and physical‑evidence tests to track exposures to common suppliers and cloud providers; buyers with substantial vendor reliance will face higher scrutiny or placement in specialized facilities. (munichre.com)
- Continued investment in claims negotiation and incident response: carriers with in‑house negotiation teams (or affiliated incident‑response partners) report they can materially reduce ransom payments and overall claim costs, reinforcing the insurer case for mandating certain controls and response protocols. Coalition and others report significant negotiation leverage when the insurer can provide experienced incident response. (businesswire.com)
Voices in the market
Underwriters and reinsurers emphasize the need for balance: maintain a market that transfers genuine, unpredictable cyber risk while encouraging — and rewarding — good security hygiene.
“Good judgement and discipline are mandatory for all players in the face of the enormous loss potential,” Munich Re wrote in its 2025 cyber outlook, urging portfolio managers and primary carriers to combine evidence‑based underwriting with revised accumulation modeling. (munichre.com)
“At the same time, improved detection and response capabilities are helping to stop some attacks at an early stage,” Michael Daum of Allianz Commercial told clients, while cautioning that data exfiltration and vendor incidents have increased the potential for very large claims — a dynamic that will continue to shape product design. (commercial.allianz.com)
Industry watchers say the redesigns are not solely about reducing capacity to insureds: they are about aligning price and coverage with real, measurable security postures — and about keeping the insurance market sustainable so that firms of all sizes can obtain meaningful protection when they need it.
What buyers should do now
Policyholders and risk managers face choices. Market‑accepted steps that improve insurability include universal MFA on critical accounts, complete EDR deployment and evidence of active monitoring, encrypted immutable backups with documented restore tests, periodic tabletop incident exercises, and attention to vendor contracts and logging. For larger organizations, mapping vendor concentration and carrying vendor‑specific continuity measures are becoming underwriting expectations rather than optional best practice. Several industry guidelines and carrier underwriting checklists now reflect these items as baseline prerequisites. (inteltech.com)
The outlook for rates and availability
Pricing and capacity will remain a function of portfolio discipline, regained market capacity, and reinsurers’ appetite for cyber accumulation. Some carriers with robust underwriting frameworks and strong reinsurance support will continue to provide meaningful limits for well‑prepared buyers, while others will retreat from specific sectors or tighten limits if they cannot control for accumulation and tail exposures.
The market is entering a second phase of maturation: the centering of operational resilience and vendor governance in underwriting — and the explicit recognition that a small number of catastrophic incidents can dominate loss outcomes. If carriers and reinsurers can align pricing, evidence‑based underwriting and alternative capacity structures, the cyber insurance market can continue to grow in a controlled way; if not, buyers should expect continued tightening and higher costs for uncovered or poorly protected exposures. (munichre.com)
— Reporting contributed with data and public statements from Munich Re, Coalition, Resilience, Coveware and Allianz. Sources: Munich Re “Cyber Risks and Trends 2025”; Coalition 2024–2025 Cyber Claims reporting; Resilience Midyear 2025 Cyber Risk Report; Coveware ransomware incident reports and post‑incident statistics; Allianz Commercial Cyber Risk Trends 2025. (munichre.com)