Agency Checklists

Massachusetts Insurance News & Job Opportunities

Cowbell Report: Cyber Claims Up But Ransom Payments Fall

May 18, 2026 by Owen Gallagher

A new Cowbell Cyber claims report says the U.S. cyber insurance market is seeing higher loss activity even as premium volume has declined. Readers should note that the statistical trends in the report reflect Cowbell’s own insured population and, where noted, third-party industry sources—not the broader market as a whole.

On the market-level premium and claims picture, Cowbell drew on AM Best data—not its own claims experience—to report that U.S. cyber insurance premiums declined for the first time, to $9.14 billion, while industry-wide claims rose 40%. Cowbell described that combination as signaling “increased loss activity despite reduced premium volume.” Unless otherwise specified, Cowbell’s own claims data in the report covers incidents from the last 18 months.

Ransomware Remains Significant, But Payments Are Falling

Ransomware continues to account for a meaningful share of Cowbell’s claims experience, representing 19% of Cowbell claims between 2022 and 2025. At the same time, Cowbell said average ransom payments have decreased by approximately 44%, a decline it attributed to stronger negotiation strategies and more effective claims handling.

The report does not suggest ransomware risk has disappeared. Rather, Cowbell said extortion-based attacks are changing. In addition to traditional encryption events, the report points to “double-extortion” and “data-only” schemes, in which attackers threaten to disclose sensitive information if payment demands are not met.

A related shift is occurring in how ransom payments are being composed. The report notes that decryption payments—where victims pay to unlock encrypted data—are declining as organizations improve their backup practices and incident response capabilities. At the same time, data extortion and suppression payments are rising, driven by double-extortion tactics in which attackers threaten to publish stolen data even after providing a decryption key. The practical implication for insured organizations is that paying a ransom no longer guarantees restoration of normal operations or containment of the incident.

The report also identifies the specific groups responsible for a disproportionate share of severe incidents from Cowbell’s claims experience. Among cases with identified threat actors, more than two-thirds involved seven groups, with Akira and Qilin accounting for more than half of those cases. Akira represented 38.8% of identified threat-actor cases and Qilin 14.2%. The remaining five—RansomHub, Lynx, InterLock, PLAY (PlayCrypt), and INC Ransom—each accounted for between 3% and 3.7% of identified cases. Akira targets small and mid-sized enterprises primarily through VPN and remote access vulnerabilities; Qilin operates as a ransomware-as-a-service group that pairs data exfiltration with encryption against higher-value targets.

Looking ahead, the report predicted that increased law enforcement pressure on dominant groups such as Akira and Qilin will likely give rise to smaller, younger threat actors motivated by financial gain and notoriety. That dynamic could mean a more fragmented ransomware landscape in the second half of 2026, with opportunistic attacks replacing the more predictable patterns associated with established groups. For agents advising smaller commercial clients, this underscores that cyber exposure is not limited to organizations large enough to attract sophisticated, targeted campaigns.

Data Breaches And Cybercrime Drive Claim Frequency

Cowbell’s report says three incident categories accounted for most reported claims: data breaches, cybercrime, and extortion events.

The report’s incident-type breakdown showed:

  • Data breach: 33.5%
  • Cybercrime: 31.8%
  • Extortion event: 18.3%
  • Other: 16.4%

Cowbell described data breaches as incidents involving unauthorized access or disclosure of sensitive information, often stemming from stolen credentials and system vulnerabilities. Cybercrime claims typically involved financial or data theft through phishing, business email compromise and funds transfer fraud. Extortion events included ransomware and related schemes affecting operational stability.

For agents and brokers advising commercial insureds, the breakdown is notable because the largest categories are not limited to ransomware. The report emphasizes that phishing, social engineering, business email compromise, supply-chain vulnerabilities and credential-based attacks remain central cyber claim drivers.

Human Error Remains A Common Entry Point

Cowbell said human error and manipulation remain the most common entry points for threat actors. The report cited 2025 APWG data identifying approximately 3.8 million phishing attacks globally and said phishing and spoofing remain prevalent cyber threats.

The report also said threat actors are using artificial intelligence to make phishing and related messages more credible and harder to detect. Cowbell identified smishing, or text-message phishing, and vishing, or phone-based attacks, as related tactics used to exploit trust and urgency.

Cowbell cited multi-factor authentication, employee training, rapid response, email security and proactive threat detection as practical measures for reducing exposure.

“Cyber Friday” And The Timing Of Claims

The report identifies “Cyber Friday” as Cowbell’s busiest claim day, a label that reflects a deliberate attacker strategy rather than coincidence. Threat actors time weekend attacks to exploit reduced monitoring capacity at most organizations: IT and security staff are typically less available on Fridays and over long weekends, giving attackers more time to move through systems before detection. The result, according to the report, is elevated claim activity on Fridays and on the Mondays immediately following long weekends, when the full scope of a weekend intrusion becomes apparent.

Cowbell said its hotline is monitored around the clock, including weekends and holidays, and that urgent matters such as ransomware are typically addressed within one hour after claim submission. The company said initial acknowledgment generally occurs within one hour, with first contact after claim submission typically within 24 hours.

For agencies handling commercial cyber accounts, that point is practical rather than theoretical: incident reporting procedures, after-hours contacts and escalation steps should be clear before a client has a suspected event.

Sectors Facing Higher Exposure

Cowbell identified Professional, Scientific and Technical Services; Construction; Manufacturing; Health Care and Social Assistance; and Wholesale Trade as industries with elevated exposure due to their systems, data, operations, and supply chain dependencies.

For professional services firms, including law firms, Cowbell cited the volume of sensitive client data, personally identifiable information and proprietary information. For construction businesses, the report pointed to decentralized operations, subcontractors and complex supply chains. For manufacturers, Cowbell emphasized reliance on production systems, where an attack can cause downtime and financial loss.

Although the report is national and based on Cowbell’s claims data, the sector discussion is relevant for Massachusetts and New England agents with commercial clients in professional services, construction, manufacturing, healthcare and wholesale trade.

Systemic Events And Business Interruption Exposure

The report points to large-scale incidents involving PowerSchool, Change Healthcare, TriZetto (a healthcare transaction processing platform) and SonicWall, a widely used network security vendor, as examples of how a single vulnerability in a shared platform or vendor can cascade into simultaneous losses across hundreds of unrelated organizations. These events are not isolated to any one industry or size of business; they affect any organization that relies on a compromised vendor or platform, regardless of its own security posture.

For the remainder of 2026, Cowbell said business interruption and contingent business interruption claims remain primary drivers of insurance losses. The report said those losses are being driven by cyberattacks, complex supply-chain dependencies and climate-related events, and can be amplified by inflationary pressures on repair costs and extended downtime.

Litigation And Social Engineering Risks Expected To Grow

The report forecast continued growth in litigation exposure following cyber incidents. Third-party claims and class actions are expected to increase, particularly where companies are alleged to have had inadequate security or failed to disclose breaches promptly. That litigation risk is not theoretical in Massachusetts: the Commonwealth’s data security law, M.G.L. c. 93H, and the Attorney General’s regulations at 201 CMR 17.00 impose specific security program requirements on any business that handles personal information of Massachusetts residents, and regulatory enforcement and civil litigation following a breach are both realistic exposures for commercial insureds of all sizes.

The report also predicted a rise in advanced social engineering, including attacks that move beyond email and use AI-enhanced phone impersonation and multi-channel tactics to steal credentials.

Broker Takeaway

The report frames cyber risk less as a single ransomware issue and more as a broader operational exposure involving credentials, employee behavior, vendors, supply chains, incident response and business interruption.

For agents and brokers, the practical implications are straightforward: clients should understand how to report a suspected cyber event, who to contact after hours, whether multi-factor authentication and backup practices are in place, and how business interruption or contingent business interruption coverage may respond under the specific terms of their policies. Cowbell reported that its claims team reduces ransom amounts by an average of 65% through negotiations with threat actors, though the company acknowledges that actual results vary significantly based on individual circumstances, the behavior of the specific threat actor, and the particulars of each negotiation. That figure is a reminder that the quality and responsiveness of a carrier’s claims operation is itself a material component of a cyber policy’s value—one worth discussing with commercial clients when placing or renewing coverage.

The report also emphasizes that the broker’s role in cyber insurance should extend beyond placing the policy. Cowbell argues that agents who educate clients about the risk-mitigation resources that carriers often provide—penetration testing, managed detection and response, incident response planning, and cybersecurity awareness training, many at no additional charge—will see better client outcomes and fewer severe claims. That message translates directly for Massachusetts agents: understanding what a carrier’s policy includes beyond coverage limits is increasingly part of the service proposition.

Cowbell noted in the report that its statistics, examples and case references are based on internal claims data and external sources believed to be reliable, but that accuracy and completeness are not guaranteed. It also said claim outcomes, response times, financial impacts and negotiation results vary by circumstance and that coverage is subject to the terms, conditions, limitations and exclusions of the applicable policy.

Free Report Access: You can download the full Cowbell 2026 Claims Report for free here: Cowbell Data Reports.

About Cowbell and its 21 thousand agents

Cowbell is a prominent provider of cyber insurance for small and mid-sized enterprises (SMEs) through its more than 21,000 appointed insurance agents and brokers across the U.S. As an “Insurtech,” its business interest lies in leveraging data-driven insights and AI-powered risk assessment to provide “standalone” cyber coverage. By publishing this and similar reports, Cowbell aims to demonstrate the efficacy of its proactive “resiliency services,” such as its Micro Penetration Testing, which it claims has prevented claims in over 95% of policyholders who utilized the service.
