More than 95% of average data breach losses and 90% of average first-party losses are adequately covered by insurance, according to a new report by Willis, a WTW business.
The report, Cyber claims in Focus – Getting value from cyber insurance, analyses 5,500 cyber claims from January 2013 to January 2026 across 95 countries, covering about US$1 billion in insurer payments.
Willis said data breaches are the most frequently reported cyber insurance loss, with malicious breaches accounting for most incidents. The report found ransomware claims have the highest financial severity, largely driven by productivity disruption and prolonged downtime following incidents.
The analysis also points to a growing role for third-party vendors in cyber losses, and highlights systemic risk where a single vendor incident impacts multiple organisations.
Key findings cited in the report include an average ransomware event duration of 25 days and an average loss of US$5.3 million, with the largest single loss exceeding US$500 million. It also found that attacks directly targeting an organisation’s systems account for 58% of ransomware notifications but 95% of total costs, while vendor-led incidents represent 42% of notifications but 5% of costs.
Business interruption and ransom payments were identified as the two largest cost components in ransomware events. The report said average ransom demands are US$3.8 million, compared with an average payment of US$1.5 million.
Third parties were responsible for nearly 50% of data breach losses and 29% of first-party losses, according to the report. Among third parties linked to breach events, 50% were in IT, technology or telecommunications, 17% involved financial institutions, and 11% were administrative services.
The report also flagged pixel-tracking litigation as an emerging cyber insurance risk, noting some cases have contributed to substantial losses across the wider cyber insurance market.
“Our analysis highlights a consistent pattern: while the average claim value is approximately $3.3 million, a relatively small number of large-scale events drive the majority of total losses. Incidents exceeding $10 million represent only around 5% of claims by volume, yet account for close to 90% of total cost, underscoring the materiality of tail risk in cyber portfolios. While certain industries are targeted more frequently, no organisation or industry is immune to cyber incidents.
“In Australia, large-scale incidents have reinforced the reality of escalating regulatory scrutiny, increasing class action exposure, and the significant downstream costs associated with remediation, customer notification and business disruption.
“As the threat landscape continues to intensify, the impact is being felt not only in the frequency, severity and velocity of cyber events, but also in the expanding blast radius and persistence of attacks. In response, organisations are increasingly adopting cyber risk quantification to support both control investment and insurance purchasing decisions, ensuring that programs are calibrated not only to expected losses, but to increasingly volatile and interconnected tail-risk scenarios,” said Michael Parrant, Director, Cyber & Technology Practice, FINEX Pacific, Willis.
Peter Foster, chairman, global FINEX cyber and cyber risk solutions at Willis, added: “Cyber insurance cover varies widely, which is why organisations must understand what they have in place and ensure it aligns with their risk exposures. When cover doesn’t reflect reality, organisations risk critical gaps where protection is needed most, while paying for cover that offers little real value. To get the strongest value from cyber insurance, consideration must reflect the claims patterns seen across the market. Our analysis of claims and loss data provides hints to understand how cyber losses occur and what that means for organisations, helping them to prioritise the most material scenarios and design coverage around these realities.”
You can read the full report here.
