More than 95% of average data breach losses and 90% of average first-party losses are adequately covered by insurance, according to a new report by Willis.
The report, titled 'Cyber claims in focus – Getting value from cyber insurance', analyses 5,500 cyber claims occurring from January 2013 to January 2026 across 95 countries, and around $1bn in insurer payments. Data breaches are the most frequently reported cyber insurance loss, with malicious data breaches accounting for the majority of incidents. Ransomware losses register the highest financial severity, predominantly driven by the disrupted productivity and prolonged downtime that follow incidents. Third-party vendors are responsible for an increasing proportion of losses, and systemic risk from single-vendor incidents impacting multiple organisations remains a critical concern.
Other findings include:
- The average ransomware event lasts 25 days and the average loss is $5.3m, with the largest single loss now exceeding $500m.
- Events where attackers target organisations’ systems directly account for 58% of ransomware notifications and 95% of total costs, while vendor-led incidents account for 42% of notifications but only 5% of costs.
- Business interruption losses and ransom payments represent the two largest cost elements for ransomware events. Average ransom demands are now $3.8m versus an actual payment of $1.5m.
- Third parties are responsible for nearly 50% of data breach losses and 29% of first-party losses. Among the third parties responsible for breach events, 50% fall into the IT, tech or telecom categories, 17% involve financial institutions and 11% come from administrative services.
- Pixel-tracking litigation is the hidden cyber insurance risk, with some cases leading to substantial losses across the wider cyber insurance market.
A complex cyber risk landscape in Asia
Willis Head of Cyber in Asia Conor Keating said that across the data set, certain industries are facing increased claims activity, with healthcare businesses accounting for 20% of all cyber policy notifications, followed by financial institutions and manufacturing, accounting for 16% and 13% respectively.
“In Asia, the cyber risk landscape is becoming more complex as businesses digitise, automate and rely more heavily on interconnected technology ecosystems. While AI has not yet emerged as a stand-alone driver of cyber insurance claims, it is already amplifying existing threats, from social engineering and deep fake phishing to ransomware. With the average ransomware event now costing businesses over $5m, insurance limit adequacy is becoming increasingly scrutinised across Asia. We are seeing more clients looking for in-depth cyber risk quantification analysis to help guide their insurance buying, adding greater confidence to their cyber risk transfer strategy,” he said.
He further emphasised that companies in Asia must view cyber insurance as a static policy purchase, which should form part of a broader resilience strategy that helps to quantify exposures, test response plans and incorporate coverage that is aligned to real world claims scenarios most likely to affect the business.
Willis Chairman of Global FINEX Cyber and Cyber Risk Solutions Peter Foster said that cyber insurance cover varies widely, which is why organisations must understand what they have in place and ensure it aligns with their risk exposures.
“When cover doesn’t reflect reality, organisations risk critical gaps where protection is needed most, while paying for cover that offers little real value. To get the strongest value from cyber insurance, consideration must reflect the claims patterns seen across the market. Our analysis of claims and loss data provides hints to understand how cyber losses occur and what that means for organisations, helping them to prioritise the most material scenarios and design coverage around these realities,” he said.