A year defined by speed, stealth, and shifting legal risk forced cyber insurers to tally record losses as threat actors pressed advantages in remote access, cloud mimicry, and privacy litigation even as traditional email defenses tightened. The 2026 InsurSec Report from At-Bay, drawing on more than 100,000 policy years, reported a 7% rise in overall claim frequency and an all-time-high average severity of $221,000 in 2025, showing how technical and legal shocks combined to stretch response teams and balance sheets. What changed was not only attack volume but where and how attacks landed: ransomware rebounded by targeting VPNs and other edge services, financial fraud cost more while hiding behind reputable platforms, and third-party liability surged as CIPA lawsuits reframed web tracking as a front-line risk.
Ransomware’s Remote-Access Revival
Ransomware reclaimed center stage as the most financially damaging incident type, with average severity rising 16% to $508,000, and the pathway in was overwhelmingly infrastructure, not inbox. At-Bay’s data showed 87% of ransomware claims tied to remote access services; among identified intrusions, compromised VPNs drove 73%, and one-third involved a SonicWall device. Email produced no ransomware claims in the portfolio during 2025, a striking indicator that modern filtering and user awareness raised the bar enough for criminals to pivot toward faster, higher-yield routes. Akira cast the clearest silhouette of this shift, accelerating in both frequency and tempo, often moving from initial access to detonation within hours—frequently at night or on weekends when thin staffing erased response windows.
Business interruption magnified losses well beyond the cost of containment and restoration. One in three ransomware claims triggered interruption coverage; those cases averaged $510,000 in losses, compared with $168,000 where downtime did not materialize, and the largest single payout reached $5 million at the policy limit. Smaller companies, once shielded by obscurity, absorbed harder hits as infrastructure-centric campaigns swept the internet for exposed appliances regardless of logo or headcount. Firms under $25 million in revenue saw ransomware frequency rise 21% and severity jump 40% to $422,000. Industry exposure split along two lines: manufacturing’s frequency reached 2.2 times the portfolio average, reflecting operational fragility and legacy systems, while severities peaked in technology ($875,000), then finance and insurance ($731,000) and healthcare ($675,000), where data value and time sensitivity inflated negotiations and downtime.
Fraud That Hides in Plain Sight
Financial fraud held its place as the most common claim type—nearly 30% of the total—yet the money at stake climbed, revealing how social engineering and infrastructure abuse evolved faster than controls. Average stolen funds rose to $285,000, up 16%, with a single loss cresting at $9.65 million. Email remained the primary ignition point for fraud at 82% of incidents; however, the delivery mechanism increasingly rode on the trust of well-known cloud and CDN providers. Cloudflare infrastructure appeared in 69% of abused-link alerts detected by At-Bay, allowing adversaries to bypass legacy filters that lean on sender reputation and coarse blocklists. Adam Tyra, At-Bay’s CISO for Customers, cautioned that platforms enabling global content delivery are unlikely to shoulder near-term liability, which leaves enterprises accountable for filtering intent and inspecting destination behaviors rather than brand names.
Timing then decided whether stolen funds ever found a way back. When organizations notified the insurer within three days, some portion of the funds was returned 70% of the time; wait two weeks, and success dropped below 30%. At-Bay recovered $56 million in 2025 through rapid escalation, banking holds, and coordination across financial institutions, underlining how speed, not sophistication, often defined outcomes. The mitigation pattern that worked paired modern, AI-backed email security tuned to detect infrastructure misuse with straightforward human processes: fast internal reporting, out-of-band wire verification, and clear authority chains for payment changes. Without that, even thorough annual training faltered against messages that rendered perfectly through reputable services, used familiar brand styling, and steered users to convincing domains that slipped past outdated secure email gateways.
The New Liability Frontier: Privacy and Speed
While attackers pressed technical edges, courts reshaped exposure by turning web tracking into a source of third-party liability at scale. These claims grew 70% year over year, propelled largely by lawsuits under California’s Invasion of Privacy Act. CIPA-related filings accounted for 34% of third-party claims, and the target set broadened beyond Meta Pixel: 69% of 2025 cases involved trackers from non-Meta providers such as LinkedIn and TikTok. That tilt matters because violations stemmed from how tools were deployed, consent captured, and data shared—not from malicious intrusion. The legal tail also wagged behind classic security events. Class actions followed 6% of ransomware incidents and 4% of data breaches from 2023–2024, layering discovery, defense, and settlement costs long after systems came back online and backups were restored.
Under this combined legal and operational pressure, speed emerged as the decisive perimeter. Akira’s frequency rose 364% in the second half of 2025, and every case in which encryption was averted had continuous managed detection and response in place. For teams without MDR budgets, Tyra emphasized enabling prevention features in EDR, so that malicious activity is blocked automatically rather than merely alerted on for daytime analysts to catch up with, and retiring vulnerable on-prem VPN appliances in favor of cloud or SaaS-based remote access with strong authentication. The practical playbook also favored intent-based email analysis, rehearsed wire-fraud drills, and immediate insurer engagement to maximize fund recovery. Taken together, these steps offered a way to blunt both technical and legal losses: replace edge weak points, monitor around the clock, automate first-line defenses, validate consent and tracker use with counsel, and plan for downtime so business interruption no longer dwarfed incident response.
