5 Key Findings From the InsurSec Report — and What You Can Do About Them
At-Bay’s 2026 InsurSec Report reveals the full cost of an incident and what actions companies can take to protect themselves
When we talk to businesses about cyber risk, they’re often most concerned about the moment of impact: Was ransomware deployed? Were funds stolen? Was data exfiltrated? These are real, concrete losses, and they’re getting worse. But At-Bay’s 2026 InsurSec Report, which draws on more than 100,000 policy years of claims data, documents a more complete picture, one that shows the damage that goes beyond the attack itself.
Ransom payments, stolen funds, the costs of rebuilding compromised systems — these are the numbers that make headlines. What can often be a surprise are the costs that compound in the weeks and months that follow: the revenue lost while operations are dark, the funds that slip beyond recovery because the fraud wasn’t reported quickly enough, the class action lawsuits that arrive just as a company thinks it has turned the corner. These are consistent patterns in our claims data, and they carry significant potential for additional financial damage.
The decisions organizations make before an attack about who’s watching their network, who they call first, and what partners they have in place are what determine the total cost on the other side.
Here’s what the data shows:
Finding #1: Cyber Risk Reached a New Watermark in 2025
Claim frequency rose 7% year-over-year to the highest rate At-Bay has recorded since 2021. Average claim severity climbed to an all-time high of $221K. This marks the third consecutive year that both metrics worsened, and this is a sustained expansion of risk that cuts across industries, company sizes, and attack types.
Smaller businesses are no longer escaping the notice of attackers. Companies with under $25M in revenue saw a 26% increase in average claim severity, the steepest jump of any segment and part of a three-year upward trend. This reflects a structural shift in how attackers operate: When a threat group like Akira identifies a vulnerable technology stack and exploits it at scale, the companies running that technology get hit, regardless of how large or small they are.
What to do: Build your cyber risk planning around the assumption that you are a target, no matter your revenue size. Threat actors increasingly select victims by the infrastructure they run, not by their revenue or industry profile. An honest audit of your remote access tools, endpoint security, and incident response plan is the starting point. With At-Bay Stance™ Advisory Services, At-Bay Cyber and Tech E&O policyholders get access to a team of security experts who can help you assess and improve your security posture, all at no additional cost.¹
Finding #2: The Ransomware Story of 2025 Was Really the Akira Story
Ransomware frequency returned to 2021 levels in 2025, with a dramatic acceleration in Q3 and Q4. Akira, a Ransomware-as-a-Service operation that has run since 2023, drove a 53% increase in ransomware frequency in the second half of the year and ultimately accounted for more than 40% of all ransomware claims in At-Bay’s portfolio for the full year. This is the highest concentration ever recorded for a single strain.
Akira’s campaign was almost entirely focused on companies operating SonicWall appliances. Eighty-six percent of Akira attacks occurred in environments where a SonicWall device was present, and attacks often went from initial access to full ransomware deployment in hours or minutes rather than days. Akira ransom demands averaged $1.2M, which is 50% higher than the non-Akira average. Two-thirds of Akira attacks occurred on nights or weekends.
The shift toward infrastructure-targeted, automated exploitation has been building for years. Organizations running exposed remote access appliances of any kind face elevated risk, not just from Akira but also from the growing range of groups adopting the same playbook.
What to do: Migrate to a cloud or SaaS-based remote access solution, and stop relying on remote access provided by an on-premise network appliance (e.g., a firewall with VPN functionality, etc.). If full migration to cloud-based remote access isn’t feasible now, ensure your devices are fully patched and paired with enterprise-wide MFA. Then, ensure that your on-premise appliance is monitored for abuse. If you can’t keep attackers out of your network appliances, the next best thing you can do is catch them quickly when they come in.
Given that two-thirds of Akira attacks happened on nights and weekends, “monitored-during-business-hours security” isn’t enough. Not a single At-Bay MDR customer filed an Akira claim in 2025 — because when an attack starts at 1:00 a.m. on a Saturday, the only thing that changes the outcome is whether someone is watching and ready to respond. At-Bay Stance™ MDR provides 24/7 expert-led monitoring and response at a fraction of the cost of an in-house SOC.
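One way to act on the nights-and-weekends figure above is to alert on successful remote-access logins that arrive off-hours from a source address not seen before for that user. This is an added example, not code from At-Bay or the report; the log format, `SITE_TZ`, `BUSINESS_HOURS`, and the sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

SITE_TZ = timezone(timedelta(hours=-5))  # assumption: site local time is UTC-5
BUSINESS_HOURS = range(8, 18)            # assumption: 08:00-17:59, Monday to Friday

# Constructed log lines in a made-up "timestamp user source result" format (UTC).
SAMPLE_LOG = """\
2025-09-10T14:02:11Z alice 198.51.100.7 success
2025-09-11T15:40:03Z alice 198.51.100.7 success
2025-09-12T21:05:44Z bob 203.0.113.20 success
2025-09-13T06:01:09Z alice 192.0.2.55 failure
2025-09-13T06:01:30Z alice 192.0.2.55 success
2025-09-15T13:30:00Z bob 203.0.113.20 success
"""

def off_hours(ts_utc):
    """True if the UTC timestamp falls on a night or weekend in site local time."""
    local = ts_utc.astimezone(SITE_TZ)
    return local.weekday() >= 5 or local.hour not in BUSINESS_HOURS

def flag_logins(log_text):
    """Return (user, source, local time) for off-hours logins from a new source."""
    seen = {}    # user -> source addresses with an earlier successful login
    alerts = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        if result != "success":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        new_source = src not in seen.setdefault(user, set())
        if new_source and off_hours(when):
            local = when.astimezone(SITE_TZ)
            alerts.append((user, src, local.strftime("%a %H:%M")))
        seen[user].add(src)
    return alerts

if __name__ == "__main__":
    for alert in flag_logins(SAMPLE_LOG):
        print("off-hours login from new source:", alert)
```

Classifying in site local time matters: the flagged login is stamped 06:01 UTC, which is 01:01 on Saturday locally.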
Finding #3: Business Interruption Makes a Ransomware Attack Exponentially Costlier
For many businesses hit by ransomware, being unable to operate can make an already-painful incident catastrophic. In 2025, one in three ransomware claims triggered business interruption coverage. Those that did averaged $510K in severity, compared to $168K for ransomware claims without business interruption. That’s a 3X difference, driven by lost revenue, emergency operations, and system rebuilds while the business is dark. The largest single business interruption claim hit $5M, the policy limit, and the actual cost was likely higher.
Though most disruptions were resolved within a month, roughly one in 10 ransomware incidents caused downtime exceeding 30 days. For a small manufacturer or a mid-market professional services firm, weeks of operational shutdown can create losses that outlast the incident itself.
The window to prevent business interruption is the window between initial intrusion and encryption, and it’s often measured in hours, not days. Ransomware doesn’t lock down an environment instantly. Threat actors move through a network, escalating privileges and conducting reconnaissance before deploying malware. These activities are detectable. Whether anyone sees them in time is often a matter of whether anyone is watching.
What to do: Evaluate your company’s technology to identify key solutions that are necessary for operations. These critical dependencies should be broken through a combination of steps to establish redundancy and increase resilience. For the former, identify alternatives that could be quickly deployed in a failover situation, especially in cases where the critical solution is sourced from a third party. Payment processors are a great example of a key solution where redundant options are readily available (e.g., supplement Square with Stripe, etc.).
For business processes where redundancy is unavailable or impractical, resilience can be created by deploying additional security controls to monitor for abuse and contain malicious activity when necessary. For example, we consistently see threat actors making a deliberate effort to identify and target backup solutions before deploying ransomware into victim environments. Their intent is to improve the chance that the victim will pay the demanded ransom once they realize their backups are no longer viable.
You can deny this tactic by ensuring your backups are mirrored to a cloud-based or off-site storage location logically separated from the main network and that backups are immutable (i.e., cannot be altered or destroyed before their intended end-of-life).
Then, resilience can be further enhanced by configuring security tools to pay special attention to activity related to those systems that are business critical. In this way, you can improve the likelihood that an attack against a critical system will be detected and contained before it can create a business interruption.
Finding #4: In Financial Fraud, the Clock Starts the Moment Funds Leave
Financial fraud was the most common incident type for the third consecutive year, accounting for 30% of all claims. The average amount stolen reached $285K, up 16% from the prior year and up significantly from $199K in 2023. The single largest fraud loss in 2025 hit $9.7M.
The more urgent story, though, is what happens after fraud is reported. The sense of disbelief that fuels an urge to investigate internally before calling your insurance provider costs time that can’t be recovered. Attackers count on it. However, when At-Bay was notified of an incident within three days, policyholders recovered some funds 70% of the time. Beyond that window, the likelihood of recovery dropped significantly as funds moved, converted to cryptocurrency, or crossed international banking channels.
At-Bay’s Claims team recovered $56M in stolen funds in 2025. One in five victims achieved a full recovery. Nearly all of these successes occurred during incidents that were escalated quickly, where the clawback process could begin while funds were still traceable and freezable.
What to do: Establish your response protocol for financial fraud before you need it, and ensure that employees who handle funds know the warning signs of fraud. Clarify who should contact your insurance provider the moment fraud is suspected. That call needs to happen in hours, not after an internal review. The speed of your escalation is the single most important variable in whether your money comes back.
To reduce the likelihood of fraud reaching your employees in the first place, At-Bay policyholders have access to Stance Fraud Defense at no additional cost.² This AI-powered email security tool uses insights from real-world fraud incidents to rapidly identify threats that get through legacy email security solutions.
Finding #5: Cyber Incidents Are Increasingly Followed by Lawsuits, Sometimes Even Years Later
Third-party liability claims jumped 70% in 2025, the largest year-over-year increase of any incident type in the report. Two dynamics drove the surge: CIPA³ litigation arising from tracking technologies on company websites accounted for 34% of third-party liability claims, up from 26% in 2024, as plaintiffs’ attorneys expanded their focus from Meta Pixel to a broader array of tools including LinkedIn and TikTok integrations. Class action lawsuits tied to ransomware and data breaches also became more common and more aggressive.
These lawsuits often arrive six to nine months after the underlying incident. A company that has spent months rebuilding systems and managing customer notifications can find itself served with a class action just as business is returning to normal, then face years of defense costs, discovery, depositions, and public scrutiny before resolution.
The class action threshold is dropping. Plaintiffs’ attorneys are organizing faster. Cases that once required hundreds of thousands of impacted individuals are now being filed with far smaller classes. Multiple suits for the same incident are increasingly common.
What to do: Audit your website’s tracking technology and the consent mechanisms around it — cookie banners that appear compliant may not meet the legal standards attorneys are successfully arguing in court. More broadly, factor litigation exposure into your cyber risk modeling. Insurance that includes experienced legal counsel embedded in the claims response from the start can significantly shape litigation outcomes.
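A first-pass inventory for the tracking-technology audit recommended above: the script below lists trackers that a page's static HTML loads without a consent gate. It is an added example, not code from At-Bay or the report; the `TRACKERS` list, the sample page, and the rule that `type="text/plain"` marks a consent-gated script (a convention several consent managers use) are assumptions.

```python
from html.parser import HTMLParser

# URL fragments for the trackers the article names (illustrative, not exhaustive).
TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "analytics.tiktok.com": "TikTok Pixel",
}

# Constructed sample page; data-category is a made-up attribute.
SAMPLE_PAGE = """<html><head>
<script>!function(f,b,e,v){/* loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');</script>
<script type="text/plain" data-category="marketing" src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
</head><body><img src="/logo.png"></body></html>"""

class TrackerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tracker name, where found, consent-gated?)
        self._inline = None  # (gated, text chunks) while inside an inline <script>

    def _record(self, text, where, gated):
        self.findings += [(n, where, gated) for p, n in TRACKERS.items() if p in text]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Assumption: a script with type="text/plain" stays inert until consent.
        gated = tag == "script" and (a.get("type") or "").lower() == "text/plain"
        if a.get("src") and tag in ("script", "img", "iframe"):
            self._record(a["src"], f"<{tag} src>", gated)
        elif tag == "script":
            self._inline = (gated, [])

    def handle_data(self, data):
        if self._inline is not None:
            self._inline[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            gated, chunks = self._inline
            self._record("".join(chunks), "inline <script>", gated)
            self._inline = None

def ungated_trackers(html):
    """Names of trackers the static markup loads without a consent gate."""
    audit = TrackerAudit()
    audit.feed(html)
    return sorted({name for name, _, gated in audit.findings if not gated})
```

Tags injected at runtime by a tag manager do not appear in static HTML, so pair this with a browser network capture taken before any consent choice is made.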
The Consistent Finding Across the Report
The 2026 InsurSec Report covers a lot of ground, but a single theme runs through all of it: Outcomes are not randomly distributed.
The businesses that avoided encryption had MDR. The businesses that recovered stolen funds reported fraud within days. The businesses managing their litigation exposure got ahead of the compliance risk before the lawyers came knocking.
Cyber risk is getting harder to avoid and more expensive to absorb. The conditions that drove 2025’s claims environment — infrastructure-based ransomware targeting, AI-assisted fraud, and aggressive plaintiffs’ attorneys — are structural. What the data shows is that the right decisions, made before a crisis begins, consistently change what happens after it. That’s the case this report makes, and it’s the case for investing in the controls, partnerships, and insurance that make those better outcomes possible.
The complete 2026 InsurSec Report includes full analysis of ransomware trends, financial fraud data, third-party liability findings, and comprehensive methodology drawn from more than 100,000 policy years of At-Bay cyber claims.
1. Access to certain At-Bay Stance offerings, including Stance Advisory Services, is available through your insurance policy placed by At-Bay Services, LLC. Please refer to your policy form [Embedded Security Endorsement] for details and contact your authorized insurance representative for additional information concerning your policy.
2. At-Bay Stance Fraud Defense is an email security solution for Microsoft 365 and Google Workspace customers. Access to Stance Fraud Defense is available to insureds with policies placed through At-Bay Insurance Services, LLC that include an Embedded Security Endorsement. It is at the sole discretion of the Named Insured to engage with any of the policy’s risk mitigating Embedded Security offerings. Eligibility, rules, and limitations will vary based on your risk profile and security requirements.
3. The California Invasion of Privacy Act (CIPA) is a 1960s law being leveraged by plaintiffs’ attorneys to skirt the limitations of modern privacy laws, “alleging that using website tracking technologies without obtaining user consent infringes on privacy rights.”