Selective and devastating

Cyberattacks grow costlier even as claims decline, report finds

By Matthew Sellers

The first half of 2025 brought a paradox to the cyber insurance world: fewer overall claims, but far more punishing losses when attacks succeeded.

A new Midyear Cyber Risk Report from Resilience shows that cyber insurance claim notifications fell 53 percent compared with the same period last year, suggesting what the firm calls “a return to operational equilibrium.” But ransomware attacks – and especially those tied to third-party vendors – grew sharper, more targeted, and costlier, leaving insurers and policyholders with little room for complacency.

“The 53% drop in claims doesn’t tell the whole story,” said Jeremy Gittler, Resilience’s global head of claims. “Yes, we’re seeing fewer incidents escalate to incurred losses, but when they do hit, they’re hitting harder. The 17% increase in ransomware claims losses shows that cybercriminals are becoming more selective and more devastating in their approach.”

Ransomware remains the most damaging form of cyberattack, accounting for 76 percent of incurred losses in the first half of 2025. When vendor systems are targeted with ransomware, that figure jumps to 91 percent of overall losses.

The average ransomware claim this year has topped $1.18 million, up from $705,000 in 2024. In one of the more alarming developments, Resilience observed attackers hunting down copies of cyber insurance policies and using those limits to calibrate ransom demands.

Payment rates have fallen – just 14 percent of ransomware victims in Resilience’s portfolio paid extortion in 2025 so far – but new techniques like “double” and even “triple” extortion continue to spread.

Vendor-related risk has emerged as one of the most persistent threats. In 2024, third-party incidents accounted for 22 percent of incurred losses in Resilience’s portfolio; in the first half of 2025, they made up 15 percent. That decline masks the severity of individual incidents: when a vendor failed, losses for affected clients rivaled those caused by direct ransomware.

The recent breach at Farmers Insurance, which stemmed from a third-party vendor and compromised over a million records, illustrates the scale of the exposure. So does the ransomware attack that forced Nevada’s Division of Insurance offline in August, disrupting regulatory operations and delaying consumer filings.

If ransomware remains the top cause of financial loss, phishing remains the most common point of failure. Phishing attacks drove 49 percent of incurred losses among Resilience’s customers in the first half of 2025. The firm also highlighted the growing effectiveness of AI-powered social engineering: browser-based phishing attacks, SIM swapping, and voice synthesis are fueling what it called an “800 percent increase” in credential compromises since January.

The report underscores the growing prominence of the Scattered Spider group, which targeted retailers like Marks & Spencer and Harrods this spring, knocked Qantas offline in July, and is now reportedly pivoting toward the insurance industry. The gang’s use of real-time social engineering makes it especially hard to defend against.

For insurers, the picture is fraught. The decline in claims frequency may offer short-term relief, but the growing intensity of successful attacks points to rising systemic risk – especially as supply chains, healthcare systems, and public agencies are increasingly digitized.

As the Jaguar Land Rover shutdown last week showed, even industrial stalwarts are not immune. For the insurance sector, the challenge now is to anticipate – and price – risks that are becoming less predictable, more targeted, and harder to contain.
