One brokerage firm’s analysis of 13 years of claims reports insights into insurance coverage, ransomware severity, third-party losses, and response planning.
Based on a data analysis of an cyber brokerage firm’s claims dataset covering about 5,500 incidents* some findings on claims coverage and loss patterns have been shared with the media.
First, the broker’s analysis indicated that policies in this dataset had reimbursed more than 95% of the average data breach loss and 90% of the average first‑party loss, based on the firm’s proprietary, non‑public methodology.
Second, the same dataset indicated that ransomware events had registered the highest financial severity, with an average event duration of 25 days and an average loss of US$5.3m, and the largest single ransomware loss in the sample had exceeded US$500m.
Other findings
Third, the analysis indicated that incidents where attackers had targeted organizations’ own systems directly had accounted for 58% of ransomware notifications and 95% of total ransomware costs in the sample, while events traced to vendors had accounted for 42% of notifications and 5% of costs. Also:
- Business-interruption losses and ransom payments were reported as the two largest cost components for ransomware events in this dataset, with average ransom demands of about US$3.8m and average payments of about US$1.5m.
- Third parties were reported as responsible for nearly 50% of data breach losses and 29% of first‑party losses in the sample, with around 50% of those third‑party breach events involving IT, technology or telecom providers, 17% involving financial institutions and 11% involving administrative services providers.
- The materials also flagged pixel‑tracking‑related litigation as a “hidden” source of cyber insurance exposure, without publishing separate quantified results for that subset of claims.
Conor Keating, Head of Cyber (Asia), Willis Towers Watson, the firm that shared its internal data analysis, opined that “cyber insurance should not be viewed as a static policy purchase but as part of a broader resilience strategy that helps to quantify exposures, test response plans and incorporate coverage that is aligned to real‑world claims scenarios most likely to affect the business.”
*data from incidents reported between January 2013 and January 2026 across 95 countries, totaling around US$1bn in insurer payments. Statistics attributed to WTW summarize the firm’s proprietary dataset of cyber insurance claims from 2013 to January 2026; the full report does not publish sufficient methodological detail to allow independent evaluation of the dataset’s representativeness and applicability beyond WTW’s cyber insurance business.
