2026 Cyber Claims Report (summary)
A data-driven view of the evolving cyber threat landscape based on real insurance claims
https://proactiverisk.com/coalition-2026-cyber-claims-report.pdf
The Coalition 2026 Cyber Claims Report provides a data-driven view of the evolving cyber threat landscape based on real insurance claims. The findings point to a paradox: while cyber incidents continue to rise modestly, organizations are becoming more effective at mitigating financial damage, resisting attackers, and recovering from incidents.
Claims Trends: More Incidents, Lower Losses
The report identifies a slight increase in overall claims frequency, rising by approximately 3% year-over-year. However, the average financial impact of incidents declined significantly, with severity dropping by roughly 19%.
This divergence reflects improved cybersecurity practices, stronger incident response capabilities, and more proactive risk management. Organizations are experiencing more attacks, but the consequences are increasingly contained.
Ransomware: Higher Demands, Lower Payments
Ransomware remains the most financially damaging form of cyberattack, but its dynamics are shifting. Initial ransom demands increased sharply—by nearly 50%—indicating more aggressive attacker behavior.
At the same time, organizations are far less willing to pay. Approximately 86% of victims refused ransom demands, signaling a major shift in response strategy. This trend is supported by better backup systems, stronger recovery capabilities, and insurer guidance discouraging payment.
Rise of Double Extortion
The report highlights that around 70% of ransomware incidents now involve “double extortion,” where attackers both encrypt systems and steal data.
This evolution increases pressure on victims by introducing reputational, legal, and regulatory risks tied to data exposure. Incidents involving data exfiltration are consistently more costly and complex to resolve.
Email-Based Fraud Dominates Volume
Despite the attention on ransomware, the majority of claims stem from email-driven attacks. Business Email Compromise (BEC) and Funds Transfer Fraud (FTF) together account for roughly 58% of all claims.
These attacks rely on social engineering rather than technical vulnerabilities, making them persistent and difficult to eliminate. Over half of funds transfer fraud cases originate from compromised or spoofed email communications.
Financial Impact by Attack Type
Ransomware remains the most severe category, with the highest average losses. Funds transfer fraud represents a mid-tier financial risk, while BEC incidents are more frequent but typically involve smaller losses.
This distribution underscores the need to address both high-impact, low-frequency events and lower-impact, high-frequency threats.
Incident Response and Financial Recovery
A key finding is the importance of rapid response. Coalition reports recovering over $21 million in stolen funds, with substantial average recoveries per case.
Speed in detecting and reporting incidents significantly increases the likelihood of recovering financial losses, particularly in fraud-related cases.
Risk Distribution by Organization Size
Larger organizations, particularly those with revenues above $100 million, experience significantly higher claim frequency—up to five times greater than smaller firms. They also face higher average losses, though these are declining.
This reflects their larger attack surface, more complex systems, and greater attractiveness to attackers.
Improved Outcomes and “Zero-Cost” Claims
Notably, approximately 64% of claims were resolved without any out-of-pocket loss to the insured organization.
This reflects a broader shift toward proactive cyber risk management, including continuous monitoring, early intervention, and integrated insurer support—sometimes described as “active insurance.”
NUMBERS
Claims frequency: +3% year-over-year
Claims severity: −19% (average loss ≈ $116K)
Initial ransom demands: +47% YoY
86% of organizations refused to pay
Victims increasingly resist, aided by backups, incident response, and insurer support
About 70% of ransomware cases involve data theft + encryption
Incidents with data exfiltration are much more expensive
Business Email Compromise (BEC) and Funds Transfer Fraud (FTF) dominate incident volume
BEC + FTF together account for ~58% of claims
52% of FTF originates from BEC
Ransomware: most expensive (~$269K average loss)
BEC: more frequent, lower severity (~$27K avg loss)
FTF: mid-range (~$141K avg loss)
Coalition recovered $21.8M in stolen funds
Average recovery ≈ $202K per case
Companies with >$100M revenue had:
5× higher claim frequency
Highest losses (~$268K avg), though declining
64% of claims closed with no out-of-pocket cost


