Learning Lessons from Cyber Insurance Claims

Jeremy Gittler | July 24, 2025

Behind every cyber insurance claim is a story that goes beyond what happened, how it began and how much financial loss the claim incurred. Cyber claims offer insight that can help organizations mitigate future losses. By exposing weaknesses and areas for improvement, claims can ultimately help organizations smooth their path to resilience.

Recent cyber claim trends show incident costs—the total of all types of costs or expenses associated with a cyber event—remain alarmingly high for enterprises of all sizes. The most recent edition of the NetDiligence Cyber Claims Study, for example, shows a five-year average incident cost of $937,000 for small- to medium-sized enterprises (those with less than $2 billion in annual revenue) and $36.1 million for large companies (those with more than $2 billion in revenue).

The sources of incident cost to organizations can include: self-insured retentions; business interruption; crisis services costs such as breach coaching, forensics, notification and public relations; and legal and regulatory expenses such as lawsuit defense expenses, settlements and regulatory fines.

Across businesses of all sizes, ransomware was the top driver of claims over the past five years, followed by business email compromise and hacking. Business interruption accounts for a significant proportion of incident costs regardless of organization size, NetDiligence found. The five-year average business interruption cost of $464,000 for small to medium-sized enterprises was almost 50% of the average incident cost of $937,000. Among large companies, the five-year average business interruption cost of $26.1 million was more than 72% of the average incident cost of $36.1 million.

Given these costs and the evolving nature of cyberrisks, it is imperative for risk professionals to help their organizations identify and address exposures in their systems and business operations. A good way to do that is to learn from previous cyber claims and apply those lessons to strengthen the organization’s resilience to future incidents.

A Tale of Two Claims

Consider two actual cyber claim examples. In early 2025, two organizations in different industries were hit by ransomware in the same week. Both attacks involved the CHAOS variant, a new form of malware at the time. Each organization carried the same amount of cyber insurance and the same self-insured retention. Each also faced a multimillion-dollar ransom demand, which both organizations were inclined to pay. That is where the similarities end.

The first victim organization, a business services company, was concerned about maintaining confidentiality—a key requirement for its clients—and considered paying the ransom to prevent the threat actor from releasing sensitive data. This response strategy is known as “data suppression,” and it is not recommended: there is no effective way to verify that a threat actor has deleted all of the stolen data, so a payment buys only the attacker’s promise. Rather than spending funds on a ransom, the money can be reserved for legal defense expenses in the event the release of sensitive data results in a lawsuit. Nevertheless, the organization sought to negotiate with the threat actor.

A factor that worked in the organization’s favor is that it maintained viable backups of its data, meaning backups the attacker had not reached and that could actually be restored. Those backups enabled the organization to continue operating with minimal downtime, so it did not need a decryption key from the attacker. The organization could therefore take more time in negotiating, which ultimately gave it leverage to reduce the ransom demand.

The second organization, a manufacturer, was in a different situation. Its backups had been compromised in the attack, so it needed a decryption key to recover, and the resulting delays to its business operations were significant. This organization was concerned about mounting expenses and urgently wanted to resolve the extortion demand.

Negotiating with threat actors over cyber extortion is a delicate process conducted by professionals who often have law enforcement or hostage negotiation backgrounds. Knowledge of the malware variant used in a ransomware attack also helps negotiators because it offers clues to the threat actor’s tendencies and informs negotiation tactics.

In these two cases, however, no such intelligence existed about the CHAOS variant or the ransomware groups using it. The response times to each victim’s outreach also differed markedly, which suggests the threat actors behind the two attacks may have been different people: one organization heard back from the threat actor quickly, while the other did not get a response for days.

After 10 days of negotiation, the first victim organization reduced the demand to 15% of the initial figure, and the threat actor agreed to destroy the data it held. The second victim organization needed four days of negotiating to settle the extortion attempt for less than one-third of the initial demand, receive a decryption key and recover access to its data.

Despite taking different approaches to resolving the two ransomware claims, each policyholder reached a favorable outcome and resumed business operations, aided by its cyber insurance policy and the associated resources.

Examining the Root Causes

Risk professionals should look at cyber incidents through a risk-based lens to identify the root causes of the loss. Knowing the point of failure—how a threat actor managed to get malware running inside the organization—is critical to loss control efforts.

In the two claims described above, the organizations looked closer at their cyberrisk management programs and learned the CHAOS ransomware had been installed unwittingly by employees through phishing and social engineering. The threat actor spoofed telephone calls and online video conference sessions to convince employees at the victim organizations that they were speaking with members of their own information technology teams. The IT impersonators then instructed the employees to download and install the malware that launched the attacks.

These claims gave the victim organizations an opportunity to examine their incident response plans, vulnerabilities and security measures. Given how the threat actors gained access, additional employee training was also warranted, in particular on verifying any unsolicited “IT” request through a known, independent channel before downloading or installing anything.

Some questions risk professionals should consider when analyzing cyber claims are:

  • What was the nature of the incident? Was it malicious or non-malicious?
  • What was the point of failure?
  • What weaknesses in cybersecurity or organizational processes led to the incident or amplified its impact?
  • What was the actual impact of the incident?
  • How did the organization respond to the incident?
  • How might the incident have been mitigated or prevented?
  • Where are areas for improvement, and how should the organization prioritize those?

Securing Effective Insurance

An organization that experiences a cyber insurance claim is best positioned to understand its own people and processes, but risk and insurance advisors can also help analyze the claim and address the conditions that led to it.

Many cyber policies offer expert services, such as forensics, breach coaching, crisis communications and data restoration. Broad coverage that applies to a wide set of potential loss scenarios is valuable. Risk professionals should seek the broadest available cyber coverage that suits their organization’s needs, with the assistance of qualified risk and insurance advisors.

For example, coverage for cyber extortion is available, but not all cyber insurance policies include it. Risk professionals should look for insuring agreements that define extortion broadly, as a threat to: alter, destroy, damage, delete or corrupt data; perpetrate unauthorized access to or use of computer systems; prevent access to computer systems or data; steal, misuse or publicly disclose data, personally identifiable information or third-party information; introduce malicious code into computer systems or third-party computer systems; and interrupt or suspend computer systems.

Policies offering extortion loss coverage should provide for reasonable and necessary expenses incurred to prevent or respond to an extortion threat, subject to the insurer’s prior written consent. Because of that consent condition, the insurer should be engaged before any payment is made or any commitment is given to a threat actor.

It is also important to identify the individuals and firms that can help strengthen incident response plans before a claim arises. Prudent risk professionals should invest time in developing these relationships to improve cyber incident response and derive the most benefit from their cyber insurance.

Jeremy Gittler is global head of claims at cyber risk management firm Resilience.