6 Key Findings from the 2025 InsurSec Rankings Report (and What Businesses Can Do About Them)
Real-world claims data reveals the email and remote access security gaps impacting businesses
At-Bay’s 2025 InsurSec Rankings Report analyzed over 100,000 policy years of cyber insurance claims from 2021 through Q1 2025. The findings reveal a cybersecurity landscape where AI has fundamentally altered how email attacks work and where the remote access tools many businesses depend on have become critical vulnerabilities.
The report focuses on two areas that together accounted for roughly 60% of all At-Bay claims in 2024: email and remote access tools. Of course, most businesses rely on email and remote access to function. The question is which tools to use and how to configure them.
By sharing our findings about how different business tools perform against today’s threats, At-Bay aims to help organizations make smarter, evidence-based technology investments. The following are the key findings from the report and the action items for businesses looking to reduce their risk.
Finding #1: Email Claims Jumped 30% in 2024
Email-based claims more than doubled in 2023, then surged another 30% in 2024. Email remains the most common entry vector for attacks, accounting for 43% of all incidents, and the financial impact is severe. In 2024, the average fraudulent wire transfer was $286K, with the largest single incident topping $5M.
AI-powered financial fraud drives this trend. A staggering 83% of fraud attacks begin with email, and these aren’t your typical phishing attempts. Modern fraud emails contain no malicious links or attachments — they’re polished, grammatically perfect messages about invoices and wire transfers that look identical to legitimate business communications.
What to do: Implement mandatory voice or in-person verification for any email requesting payment changes or fund transfers. Also consider upgrading to AI-powered email security solutions, like MDR for Email, that can analyze conversation context and detect subtle manipulation attempts that traditional tools miss.
Finding #2: Manufacturing Saw a 62% Increase in Email Claims Frequency Year-Over-Year
While email attacks rose across all sectors, manufacturing emerged as the most consistently targeted industry. The sector faced email-based attacks at 3X the rate of the lowest-frequency industry (technology).
Why manufacturing? Global supply chains create complex vendor networks, high-value invoices flow constantly across borders and time zones, and pressure to process payments quickly creates operational urgency that attackers exploit. Add in legacy systems, lean IT budgets, and slower adoption of advanced defenses, and you have an industry uniquely vulnerable to email fraud.
What to do: If you’re in manufacturing or professional services, treat email security as a top-tier risk, not an IT checkbox. Conduct fraud-specific employee training that goes beyond generic phishing awareness. Use real examples of invoice fraud and business email compromise relevant to your industry. Establish clear protocols for payment changes, especially for international transactions.
If you’re an At-Bay Cyber or Tech E&O policyholder, you can meet with a Cyber Advisor to improve your security posture — at no additional cost.
Finding #3: Google Workspace Remained the Most Secure Email Provider, but Even They Struggled
For the third consecutive year, Google Workspace users experienced the lowest email claims frequency among major email providers — 29% below average. However, even Google couldn’t fully stem the tide: Their customers saw email claims frequency triple year-over-year.
Microsoft 365 performed worse, with businesses using Microsoft seeing claims frequency increase 65% and landing 13% above average. The overall message is clear: While some email providers offer better native security than others, no provider alone can adequately defend against modern AI-powered fraud tactics.
What to do: Don’t rely solely on your email provider’s built-in security, regardless of which platform you use. Both Google Workspace and Microsoft 365 need additional security layers to effectively counter modern fraud. Evaluate whether your current email security solution is keeping pace with AI-driven threats, or whether you’re depending on outdated rule-based detection that attackers have already learned to bypass.
Finding #4: Nearly Every Email Security Solution Saw Worse Performance in 2024
Overall email claims frequency for customers using email security solutions increased 53% year-over-year, and nearly every Secure Email Gateway (SEG) product in the analysis showed declining effectiveness due to the increased volume of modern email-based fraud. Customers using Intermedia and Appriver saw email claims frequency roughly double. Even Proofpoint and Mimecast — historically strong performers — showed increased claims, though both remained in the top three.
While these solutions excel at blocking malware and phishing links, they’re not built to detect the subtle contextual indicators of modern financial fraud.
What to do: If your business is using a traditional SEG product, understand its limitations. These tools remain effective against malware and link-based phishing, but they’re largely blind to modern fraud tactics.
Consider the newer generation of Integrated Cloud Email Security (ICES) solutions, which connect via API and can analyze entire email conversations for context. Look specifically for solutions with native Natural Language Processing capabilities — the ability to understand tone, detect language pattern changes, and spot subtle manipulations that rules-based systems miss. Sophos, Proofpoint, and Mimecast currently lead.
Finding #5: Organizations Using Cisco or Citrix VPNs Were 6.8X More Likely to Fall Victim to Ransomware
In 2024, 80% of ransomware attacks against At-Bay insureds originated from remote access tools, and 83% of those involved VPN appliances. The risk isn’t evenly distributed. Organizations using VPNs from Cisco or Citrix faced the highest danger and were 6.8X more likely to experience an attack compared to businesses without a detectable VPN. But even other on-premises VPN solutions showed 3.7X higher risk.
What to do: If your business is using on-premises VPN appliances, especially from Cisco or Citrix, the safest path forward is migration to Secure Access Service Edge (SASE) tools. These eliminate the exposed “front door” that VPN appliances create, and centralized cloud-based patching means no laggards putting your organization at risk.
If immediate SASE migration isn’t feasible, ensure your organization’s VPN is fully patched, configured to minimize attack surface, integrated with enterprise-wide MFA, and — critically — monitored 24/7 by a professional Managed Detection and Response (MDR) service.
Finding #6: Managed EDR Was Critical to Preventing Ransomware Encryption
In Q3 2025, At-Bay observed a 300% increase in Akira ransomware cases involving SonicWall devices, with ransom demands averaging $958K — 104% higher than Q2. Of these cases, 91% resulted in full encryption. But every single company that avoided encryption had one thing in common: a professionally managed Endpoint Detection and Response (EDR) solution that was properly configured and actively monitored.
What to do: If your organization has EDR deployed, audit whether it’s truly being managed effectively and properly configured. Is someone monitoring alerts 24/7? Are responses happening in minutes, not hours or days? Can your team distinguish between noise and genuine threats? If the honest answer to any of these questions is “no” or “maybe,” you don’t have effective EDR. Consider a managed EDR or MDR service where security experts handle monitoring, triage, and response around the clock.
Making Data-Driven Security Decisions
Many of the security tools businesses have relied on for years are no longer adequate against modern threats. AI has fundamentally changed email attacks, and VPN complexity has outpaced most organizations’ ability to secure these devices.
But the data also shows what works. AI-powered email security solutions are catching fraud that traditional tools miss. SASE-based remote access eliminates the attack surface that VPN appliances expose. And professionally managed detection and response services are the difference between intrusion attempts and actual breaches.
The complete 2025 InsurSec Rankings Report includes detailed vendor rankings, comprehensive methodology, vulnerability data, and additional insights from over 100,000 policy years of cyber claims analysis.