
10 Types of Cyber Losses Insurance Entities Face: Ranked by Severity — Cybersecurity Month Special Report
The insurance industry sits at a unique intersection of cyber risk: not only do these entities handle massive amounts of sensitive data, but they also bear the financial burden of cyber incidents across their entire client base. As we observe Cybersecurity Month, understanding the most severe cyber losses facing insurance-related entities has never been more critical.
Recent data reveals a sobering reality. While larger insured companies have improved their cyber defenses, the overall threat landscape continues to expand. The ‘Average Loss’ figures in this report vary significantly because they are based on different types of cyber events, ranging from individual fraud attempts to catastrophic, systemic data breaches. Here are the ten most severe types of cyber losses insurance entities face today, ranked by financial impact and frequency.
1. Ransomware Attacks: The Apex Predator
Average Loss: $292,000–$294,000 per incident
Ransomware remains the single most devastating cyber threat to insurance entities. These attacks don’t just demand ransom payments; they create cascading costs that can cripple operations for weeks or months.
The numbers tell a stark story. In 2024, the Change Healthcare breach alone cost UnitedHealth Group approximately $2.4 billion, while the CDK Global attack resulted in collective losses estimated at $1 billion. For insurance companies processing claims and managing policyholder data, ransomware attacks can bring operations to a standstill.
Beyond the ransom itself, organizations face an average $102,000 in business disruption costs, $58,000 for forensic investigation, and $18,000 for digital asset restoration. Ransomware accounts for roughly 60% of large cyber claims and approximately 21% of all cyber insurance claims.
Key Insight: Early detection is everything. Organizations that catch ransomware attacks early can reduce costs by a factor of 1,000 compared to those where attackers progress to data theft and encryption.
2. Business Email Compromise (BEC) and Fund Transfer Fraud
Average Loss: $35,000–$185,000 per incident
Business Email Compromise represents one of the most insidious threats facing insurance entities. These attacks exploit the one vulnerability that’s hardest to patch: human trust.
Between 2021 and 2023, BEC attacks caused $3 billion in losses globally, affecting 22,000 victims. For insurance companies, where financial transactions and sensitive communications are constant, BEC attacks have proven particularly damaging.
Fund transfer fraud shows even higher average losses at $185,000 per incident, though this represents a 46% reduction from 2023’s $340,000 average. The decrease reflects changing tactics by both attackers and financial institutions, with threat actors requesting smaller amounts that are less likely to trigger fraud detection systems.
In the insurance sector specifically, social engineering attacks, including BEC, account for 7% of major loss triggers. For manufacturing organizations in the insurance supply chain, that number jumps to 30%.
Warning Sign: BEC attacks accounted for 29.7% of all cyber insurance claims in recent reports, making them nearly as common as ransomware while often flying under the radar.
3. Data Breaches: The $5 Million Problem
Average Loss: $5 million per breach
Data breaches reached an all-time high in 2024, with the global average cost per incident approaching $5 million. This high average reflects a simple statistical reality: while most breaches are relatively minor, the financial consequences of a major incident can be so catastrophic that they significantly raise the overall average. For insurance entities handling policyholder information, medical records, financial data, and claims history, the exposure is enormous.
The cost breakdown reveals why these breaches are so financially damaging:
- Forensic Costs: 21%
- Defense and Legal Fees: 18%
- Credit Monitoring & Identity Theft Services: 14%
- Legal Advice & Cybersecurity Experts: 13%
Within the insurance sector, the risk is particularly acute. Malicious data breaches account for 39% of the major losses, while accidental breaches contribute an additional 35%. Combined, this means that nearly three-quarters of all major cyber incidents in the insurance industry involve some form of data compromise.
This high frequency of breaches collides with an unforgiving regulatory landscape. Stricter data privacy laws now impose not just notification expenses but also the risk of massive regulatory fines and class-action lawsuits. This threat is not theoretical—as Agency Checklists documented in its September 22, 2025 article, “XS Brokers’ Data Breach,” class-action lawyers were actively advertising for clients affected by the MGA’s breach almost immediately after it was announced.
Critical Factor: Data breach costs have been driven higher by factors including stricter data privacy regulations and the shift to double extortion ransomware attacks that combine encryption with data theft.
4. Business Interruption: When Operations Grind to a Halt
Average Loss: $102,000+ per incident
Business interruption has ranked either first or second in global business risk surveys for the past decade, and cyber-related interruptions are becoming the dominant driver.
For insurance entities, operational downtime means claims can’t be processed, policies can’t be issued, and customer service grinds to a halt. The financial impact extends far beyond immediate revenue loss to include reputational damage, regulatory scrutiny, and long-term customer attrition.
What makes business interruption particularly dangerous is its multiplier effect. A single cyber incident can cascade through an organization’s systems, affecting multiple departments and functions simultaneously. Recovery isn’t instantaneous either; even after systems are restored, organizations face weeks of catch-up work and process normalization.
Incidents such as wrongful collection or processing of data and system outages accounted for a record 28% of the value of large claims in 2024, highlighting how non-attack events can be just as disruptive as malicious breaches.
Emerging Threat: The rise of “living-off-the-land” attacks, where intruders use legitimate software to carry out malicious operations, makes business interruption incidents harder to detect and prevent.
5. Supply Chain and Third-Party Breaches
Average Loss: $42,000 per incident (but can reach billions in aggregate)
Contingent business interruption from supply chain events accounted for 15% of large cyber claims in the first half of 2025, up from just 6% in 2024. This dramatic increase reflects the insurance industry’s growing dependence on third-party vendors, cloud services, and interconnected IT systems.
The Change Healthcare ransomware attack exemplifies this risk perfectly. More than 90% of U.S. pharmacies were affected, creating ripples throughout the healthcare insurance ecosystem. Policyholders who submitted claims had an average claim severity of $22,000, but the total estimated impact approached $2.87 billion.
Costs from software supply chain attacks globally are projected to grow from $46 billion in 2023 to $60 billion in 2025. For insurance companies, the risk is compounded by the fact that they often have less control over third-party security practices than their own systems.
According to recent surveys, 41% of companies have been affected by a third-party cyber incident. Small and medium-sized suppliers are increasingly targeted as entry points to attack their larger customers.
Risk Reality: The emergence of claims related to growing dependencies on IT supply chains represents a key emerging trend that insurance executives must address with robust vendor management programs.
6. Privacy Violations and Regulatory Actions
Estimated Cost: Highly variable, from thousands to millions
The regulatory and legal landscape around data privacy has transformed dramatically, and insurance entities find themselves at the epicenter of this change. Privacy violations now encompass situations that many organizations never considered risky: wrongful collection of data, improper processing, inadequate consent mechanisms, and data retention failures.
Data and privacy breach-related elements were present in two-thirds of large cyber insurance claims. Even more concerning, the share of non-attack data privacy-related class action litigation claims has tripled in value in just two years.
For insurance companies, this creates a double exposure. Not only must they protect their own operations from privacy violations, but they also face liability when their policyholders experience privacy-related claims.
Technology and media professional indemnity claims, many involving alleged breaches of privacy regulations, accounted for a quarter of large cyber claims by value in the first half of 2025, up from 21% in 2024.
Regulatory Pressure: Stricter data privacy regulations worldwide, including GDPR in Europe and various state laws in the U.S., mean that privacy violations can trigger substantial fines, legal fees, and remediation costs that rapidly accumulate.
7. Technology and System Failures
Impact: Can rival major attacks in scope and cost
Not all catastrophic cyber losses come from malicious actors. Technology failures can be equally devastating, as demonstrated by the July 2024 CrowdStrike incident.
A faulty software update from the cybersecurity service provider caused one of the largest IT outages on record, hitting critical operations in airlines, banks, stock exchanges, technology companies, and healthcare services. Although it was not a malicious attack, the incident brought into sharp focus the vulnerability of our interconnected digital infrastructure.
For insurance entities, system failures can occur from:
- Failed software patches or updates
- Hardware malfunctions
- Human error in system configuration
- Incompatible system integrations
- Cloud service outages
These incidents accounted for a record 28% of large claim values in 2024 when combined with wrongful data collection incidents. The trend toward providing broader protection for businesses affected by significant technology failures reflects insurers’ recognition of this growing risk.
Prevention Focus: While malicious attacks get the headlines, insurance companies must invest equally in preventing system failures through robust testing, change management, and redundancy planning.
8. Data Exfiltration: The Silent Escalator
Impact: Doubles the cost of cyber incidents
Data exfiltration has emerged as a critical escalation factor in cyber attacks. Forty percent of large cyber claims during the first half of 2025 included data theft, up from 25% in 2024. Attack-driven losses involving data exfiltration were more than double the value of those without data theft.
For insurance entities, data exfiltration is particularly dangerous because:
- It’s easier and faster for attackers than encryption
- It significantly increases the likelihood of ransom payments
- It triggers regulatory notification requirements
- It exposes organizations to long-term liability, as stolen data can be weaponized for years
The shift from encryption-only ransomware to double extortion (combining encryption with data theft) reflects attackers’ recognition that data exfiltration provides better leverage and multiple monetization opportunities.
Insurance companies store some of the most valuable data imaginable: detailed personal information, financial records, medical histories, and proprietary business intelligence. Once exfiltrated, this data can fuel identity theft, fraud, and competitive intelligence gathering indefinitely.
Strategic Response: Organizations must assume breach and focus on data loss prevention, encryption at rest, and rapid detection of unusual data access patterns.
9. Social Engineering Attacks
Frequency: 7%–30% of incidents, depending on sector
Social engineering attacks exploit psychology rather than technology, making them remarkably effective against even well-defended organizations. These attacks have evolved far beyond simple phishing emails.
Recent trends include:
- Vishing (voice phishing) using AI-generated voices
- Sophisticated impersonation of executives and trusted partners
- Vendor Email Compromise targeting B2B relationships
- Insider threat operations leveraging compromised employees
For manufacturing organizations, social engineering accounts for 30% of cyber insurance claims. In the broader insurance industry, these attacks represent 7% of major loss triggers but are trending upward.
The FBI estimates that global losses from these attacks over the last decade have exceeded $55 billion. What makes social engineering particularly insidious is that approximately 500,000 people work as scammers in fraud factories, primarily in Southeast Asia, creating an industrial-scale operation.
The advent of generative AI has made these attacks more dangerous. AI tools can now create extremely targeted, personalized attacks at scale, mimicking writing styles, voices, and even video appearances of trusted individuals.
Human Factor: In over 80% of large claims, insureds’ unsuspecting decisions significantly influenced loss size, underscoring the critical importance of employee training and security awareness programs.
10. Notification and Response Costs
Estimated Cost: $50,000–$200,000+ per incident
Often overlooked in initial breach assessments, notification and response costs can quickly spiral into substantial expenses that strain insurance budgets.
These costs include:
- Forensic investigations: Identifying the attack vector, scope of compromise, and affected data
- Legal fees: Navigating regulatory requirements and potential litigation
- Customer notification: Identifying affected individuals and sending required breach notifications
- Credit monitoring services: Providing identity protection for affected policyholders
- Call center operations: Handling customer inquiries and concerns
- Public relations: Managing reputational damage and media response
- Regulatory consultation: Working with state and federal agencies during investigations
For insurance entities dealing with large policyholder bases, notification alone can become a massive logistical challenge. State laws vary widely on notification requirements, timelines, and methods, creating a complex compliance landscape.
The costs don’t end with initial notification. Organizations may face ongoing obligations to provide credit monitoring, identity restoration services, and dedicated support channels for affected individuals. These expenses can continue for years after the initial breach.
Compliance Complexity: With data breach notification laws in all 50 states plus federal regulations like HIPAA, insurance companies must navigate a maze of requirements while under intense time pressure.
The Path Forward: Building Resilience
The cyber threat landscape facing insurance entities continues to evolve in sophistication and severity. However, the data reveals a crucial insight: organizations that invest in robust cybersecurity, early detection, and incident response capabilities can dramatically reduce their losses.
Detection and response capabilities can reduce claim costs by a factor of 1,000. This isn’t hyperbole; it’s the difference between catching an intrusion early and allowing attackers to progress through your systems undetected.
The cyber resilience gap between insured and uninsured organizations is widening dramatically. In Germany, insurance industry figures show that the loss impact on cyber-insured entities increased by around 70% over four years, while the economic impact of cybercrime increased by 250%. This 3:1 resilience gap reflects insured entities’ heightened awareness and proactive mitigation efforts.
Key Takeaways for Insurance Entities:
- Ransomware remains the top threat, but it can be mitigated with early detection
- Human factors drive many incidents through BEC and social engineering
- Third-party risks are growing rapidly and require robust vendor management
- Non-attack incidents like system failures and privacy violations are rising
- Investment in cybersecurity pays dividends through dramatically reduced losses
As we observe Cybersecurity Month, it’s worth reflecting on an uncomfortable irony: insurance professionals spend their days helping clients protect against cyber risks, yet the industry itself remains a prime target.
The data tells a sobering story. Insurance entities handle some of the most sensitive data imaginable: policyholder information, medical records, financial details, and claims histories. This makes them exceptionally attractive targets for cybercriminals. The very expertise that positions insurance professionals to understand these risks can create a dangerous false confidence that “it won’t happen to us.”
Cyber resilience isn’t just something you sell to customers—it’s a business imperative that directly impacts your bottom line, regulatory compliance, and long-term viability. As these ten loss types demonstrate, the question isn’t whether insurance entities will face cyber threats, but when and how prepared they’ll be to respond.
This article is part of our Cybersecurity Month series at Agency Checklists.