Revealed - what's changing about cyber claims

Coalition has reported a sharp rise in ransomware demands but a growing reluctance among victims to pay, in findings that underline how insured organizations and their carriers are changing the economics of cyber extortion.

According to the MGA's 2026 Cyber Claims Report, initial ransom demands surged 47% year-on-year in 2025. Despite this, a record 86% of businesses targeted in ransomware incidents refused to pay, with Coalition pointing to improved back-ups, tested incident response plans and insurer-supported negotiation as key factors. 

Ransomware remained Coalition’s most expensive claim type in 2025, with an average loss of $269,000. However, it accounted for a minority of notified events.

According to the report, business email compromise (BEC) and funds transfer fraud (FTF) together made up 58% of cyber incidents, with 52% of FTF claims originating from BEC. That mix reinforced the importance of how BEC, FTF and social engineering are defined and sub‑limited in policy wordings – an area that has been heavily renegotiated between insurers, brokers and insureds in recent renewal cycles.

“Understandably, ransomware generates headlines, and while we’re encouraged to see more organisations willing to walk away from extortion demands, our claims data shows that old‑fashioned email‑based crime hasn’t gone anywhere,” said Rob Jones (pictured), Coalition’s global head of claims. “BEC and FTF are still powered by social engineering, which targets the individual, and those attacks can be just as damaging to businesses.”

For brokers, the data underlines the need to probe how carriers treat social engineering and funds transfer losses. For example, whether cover is contingent on dual‑authorization protocols, call‑back procedures or specific training requirements.

Overall claims frequency across Coalition’s book rose 3% year‑on‑year in 2025, but average severity decreased 19% to US$116,000. BEC frequency increased 15%, while average loss fell 28% to $27,000. FTF frequency decreased 18%, and severity declined 14% to an average loss of $141,000.

Coalition also reported clawing back US$21.8 million in stolen funds for policyholders, with an average recovery of $202,000, and stressed that early notification significantly improves recovery prospects.

Dual‑extortion ransomware – where threat actors both encrypt systems and exfiltrate data – accounted for 70% of Coalition’s ransomware claims in 2025, with data‑theft incidents more than twice as expensive as encryption‑only events.

From an insurance perspective, that extra cost reflects not just technical recovery but also breach notification, regulatory investigations, third‑party liability, PR support and potential group actions. The trend also places emphasis on limits, sub‑limits and aggregation controls for privacy, regulatory and media liability within cyber programs.

Businesses with more than $100 million in revenue experienced cyber claims at a rate five times higher than smaller organizations, reflecting their broader attack surface and more complex IT estates. According to Coalition, average loss for this group fell 7% year‑on‑year to $268,000, and has been trending down since 2024.

The figures suggest that while large corporates are targeted more often, investment in controls and incident responses is improving containment. For SMEs, which lack comparable in‑house capability, the report will reinforce the case for more prescriptive minimum standards and bundled security services within SME cyber products.