Cyber Security Resilience 2025: An Analysis of Claims and Risk Trends
Executive Summary
The 2025 cyber risk landscape presents a dual narrative: insured organizations are demonstrating increased resilience, yet the threat environment is expanding and evolving in complexity. Analysis of claims data from the first half of 2025 indicates that while the overall severity of claims has declined by over 50% and the frequency of large losses is down by approximately 30%, attackers are adapting their strategies with significant effect.
Key takeaways from the current landscape include:
- Shifting Ransomware Tactics: Ransomware remains the primary driver of cyber claims, accounting for 60% of the value of large claims. However, threat actors are increasingly targeting less-protected mid-sized and smaller firms, particularly in Asia and Latin America, as large corporations in the US and Europe harden their defenses.
- Dominance of Data Exfiltration: Attackers are favoring data exfiltration over encryption. In the first half of 2025, 40% of large claims involved data theft, a significant increase from 25% in 2024. These incidents result in losses more than double the value of those without data exfiltration.
- The Human Element as the Weakest Link: Social engineering and credential-based intrusions have overtaken malware as the primary attack vectors. An estimated 80% of attacks in the past year were malware-free. Attackers are exploiting employees and third-party suppliers, with 60% of breaches involving a human element and third-party involvement doubling to 30%.
- Expanding Scope of Loss: The risk landscape is broadening beyond direct attacks. Non-attack incidents—including technology failures, outages, and privacy litigation—accounted for a record 28% of the value of large claims in 2024. Contingent business interruption (CBI) from supply chain events is also a key emerging threat, constituting 15% of large claim values in the first half of 2025.
- The AI Double-Edged Sword: Artificial intelligence is being leveraged by attackers to create more sophisticated and convincing social engineering campaigns. Simultaneously, AI-powered detection and response tools are proving transformative for defense, with organizations using them saving an average of US$2.2 million in breach costs.
- Widening Resilience Gap: A clear and widening gap in cyber resilience exists between insured and uninsured organizations. Insured entities benefit from heightened risk awareness, mandated security controls, and access to expert incident response services, which demonstrably mitigate the financial impact of cyber events.
Claims and Loss Trends: An Evolving Threat Landscape
Analysis of Allianz Commercial's cyber claims reveals that while insureds' investments in security are yielding positive results, threat actors are continuously adapting, creating new challenges related to attack vectors, targets, and supply chain dependencies.
Claims Activity and Severity
In the first half of 2025, the overall frequency of cyber claim notifications (around 300) remained stable compared to the previous year. However, there was a marked improvement in loss outcomes:
- Overall Claims Severity: Declined by more than 50% during 1H 2025.
- Large Loss Frequency (>€1mn): Decreased by approximately 30% in the same period.
“The positive trend we see so far in 2025, particularly with regards to large cyber claims activity, is likely the result of insureds’ cumulative investments in cyber security, detection and response, as well as trends in ransomware attacks, which tend to favor those companies which are well-protected and prepared.” — Michael Daum, Global Head of Cyber Claims, Allianz Commercial
The Migration of Ransomware
Ransomware continues to be the most significant driver of cyber claims by both frequency and value, accounting for roughly 60% of the value of large claims (>€1mn) in the first half of 2025. While law enforcement disruptions have had an impact on major groups like LockBit, the number of threat actors is growing, with 26 new groups identified in 2024 alone.
A key strategic shift is the targeting of more vulnerable organizations:
- Target Profile: Attackers are moving from well-protected large corporations to mid-sized and smaller firms, as well as companies in regions with historically lower cyber maturity like Asia and Latin America.
- SME Impact: According to Verizon, ransomware was a factor in 88% of data breaches at small and medium firms, compared to just 39% at large firms.
- Top Risk: Cyber incidents rank as the top risk for smaller companies in the Allianz Risk Barometer.
“The sweet spot for attackers is a company with large revenues, lots of personal records and that is easy to penetrate. But these targets are becoming harder to find, so they are moving down the chain where companies are less well protected.” — Michael Daum, Global Head of Cyber Claims at Allianz Commercial
Data Exfiltration as the Premier Loss Driver
Attackers have increasingly shifted from pure encryption to "double extortion" tactics that prioritize data theft. This method is often faster and easier for attackers and increases the likelihood of a ransom payment.
- Claim Value: Losses involving data exfiltration were more than double the value of those without. 40% of the value of large cyber claims in 1H 2025 included data theft, up from 25% for the full year 2024.
- Breach Costs: The average cost of a global data breach hit a record high of nearly US$5 million in 2024, driven partly by stricter data privacy regulations.
- Encryption Decline: Data encryption rates in attacks fell to a six-year low, with only 50% of attacks now resulting in encryption, down from 70% in 2024 (Sophos).
Social Engineering and Credential-Based Attacks
The human element remains the most exploited vulnerability. Attackers are using sophisticated social engineering, phishing, and compromised credentials to bypass technical defenses.
- Attack Vectors: Compromised credentials are now the most common attack vector. Approximately 60% of breaches in 2024 involved a human element, and 80% of attacks in the past year were malware-free, a significant increase from 40% in 2019 (CrowdStrike).
- Threat Actor Tactics: Groups like Scattered Spider impersonate employees to IT help desks to reset passwords and multi-factor authentication (MFA), enabling rapid network access.
- The Role of AI: Generative AI is amplifying this trend by helping threat actors create highly convincing and personalized phishing emails and vishing (voice phishing) calls.
“Social engineering is now a prominent driver of cyber claims. For threat actors, it is easier to effect, especially with AI. In the past, it was easier to spot with mistakes and unusual language, but now there are fewer obvious red flags.” — Caitlin Ewing, Complex Claims Analyst at Allianz Commercial
Most Impacted Industry Sectors
While cyber threats are universal, certain sectors are experiencing a higher impact based on analysis of large claims (>€1mn) by value since 2020. Retail has emerged as the most targeted sector in the first half of 2025.
| Industry Sector | Share of Large Claim Value (2020 - 1H 2025) |
| --- | --- |
| Manufacturing | 33% |
| Professional Services and Consulting | 18% |
| Retail | 9% |
| Food and Beverage | 7% |
| Entertainment | 6% |
| IT Service Provision | 6% |
| Healthcare and Pharma | 5% |
| Other Industries | 16% |
Retailers are attractive targets due to high revenues, large volumes of personal data, and high vulnerability to business interruption, all of which provide leverage for extortion demands.
The Rise of Non-Attack and Supply Chain Incidents
The threat landscape is expanding beyond malicious attacks to include significant losses from technology failures, privacy regulation, and complex supply chain dependencies.
Contingent Business Interruption (CBI) and Supply Chain Threats
Dependency on third-party IT suppliers for critical services is a major and growing vulnerability.
- Claim Contribution: CBI events accounted for 15% of large cyber claim values in 1H 2025, a steep rise from 6% in 2024.
- Incident Sources: These losses can stem either from cyber-attacks on a supplier (e.g., CDK Global, Blue Yonder) or from technical faults at a service provider.
- Cloud Risk: Cloud intrusions saw a 136% increase in the first half of 2025 compared to all of 2024 (CrowdStrike).
- Control Challenges: While companies have improved their own security, controlling the risk of breaches at IT suppliers and partners remains a significant challenge.
"Many companies have done a great job of boosting cyber security controls... But there remains the risk of breaches at their IT suppliers and partners. That is much harder to control." — Michael Daum, Global Head of Cyber Claims, Allianz Commercial
Technology Failures and Outages
In 2024, business interruption due to technical failure appeared for the first time as a source of large losses, accounting for around 10% of claim value. These incidents can be caused by software bugs, flawed updates, human error, or system misconfigurations and can have a cascading effect comparable to a major ransomware event. The 2024 CrowdStrike outage, which affected an estimated 8.5 million systems worldwide, is a prime example of this risk.
Privacy Regulation and Litigation
Non-attack data breaches and privacy-related actions are an increasingly significant source of loss, driven by an evolving regulatory landscape and an active plaintiffs' bar, particularly in the United States.
- Claim Value: These incidents accounted for a record 18% of large claim values in 2024, triple their share from three years prior.
- Litigation Volume: Data privacy litigation reached "unprecedented levels" in 2024, with approximately 1,500 data privacy class actions filed in the US alone.
- Emerging Risks: Litigation is expanding to new areas, including biometrics, genetic information, and the use of web-tracking technologies. The adoption of AI is expected to create new liability exposures related to the unauthorized collection and use of data.
Strategies for Resilience: Detection, Response, and Training
The data clearly shows that proactive measures in cyber hygiene, preparedness, and response are critical in mitigating the financial and operational impact of a cyber incident.
The Value of Early Detection and Response
Effective detection and response can drastically reduce the cost of an incident, potentially by a factor of 1,000. Analysis shows that in over 80% of large claims, the insured company's decisions significantly influenced the size of the loss.
- Cost Example: A contained attack on a single employee's computer might cost €20,000 for forensics and restoration. If the same attack goes undetected and leads to full system encryption and extortion, the total loss—including a two-week business interruption—could reach €20 million.
- BI Mitigation: Business interruption is the largest single driver of loss, accounting for over 50% of cyber claim values. Its impact is directly correlated to early detection and robust business continuity planning.
The Widening Resilience Gap
There is a growing divergence in outcomes between insured and uninsured companies. In Germany, for example, the loss impact for cyber insureds increased by ~70% over four years, while the overall economic impact of cybercrime grew by 250% in the same period. This gap is attributed to the fact that insured organizations typically have:
- Heightened risk awareness.
- Mandatory implementation of key security controls (e.g., MFA).
- Access to insurer-provided risk prevention services, advice, and incident response expertise.
Key Preparedness Tools
- Tabletop Exercises: These exercises prepare response teams for incidents, build confidence in response plans, and help embed cyber resilience into the company culture.
- Business Interruption Workarounds: Companies should pre-define mechanisms and workarounds that would enable the business to continue operating and supplying customers in the event of a major IT disruption.
The Transformative Role of AI in Defense
While attackers use AI, its adoption for defense provides a significant advantage.
- Cost Savings: Organizations that used AI and automation in their security operations saved an average of US$2.2 million in breach costs compared to those that did not (IBM).
- Enhanced Capabilities: AI-enabled tools can analyze potential phishing emails, spot patterns in malware code, identify anomalous user behavior, and automate threat response, drastically reducing the time between detection and containment.
Regulatory and Market Outlook
The cyber risk environment is being shaped by new regulations and a growing insurance market, both of which are expected to elevate resilience standards across industries.
Regulation Raising the Bar
New regulations, particularly in the EU, are set to enforce higher cyber security standards across critical sectors and their supply chains.
- NIS2 Directive: This directive expands security and incident reporting requirements to 18 critical sectors, aiming to establish a common high-level framework across the EU. It will particularly impact mid-sized companies that may currently lack mature risk management systems.
- DORA (Digital Operational Resilience Act): This act focuses on strengthening the digital resilience of financial entities by mandating robust IT risk management and testing.
“[NIS2] represents a paradigm shift in the way EU governments treat cyber risks... The average mid-sized company lacks well established management systems in the cyber realm. Companies that bounce back are those that have strong cyber security and digital resilience baked into their culture.” — Robin Kroha, Chief Information Security Officer & Head of Global Protection and Resilience at Allianz Services
Insurance Market Trends
The global cyber insurance market is projected to more than double, reaching nearly US$30 billion by the end of the decade. This growth is driven by increasing digitalization and a rising awareness of cyber threats. Demand is increasing, especially among mid-sized firms and in regions with previously low uptake. Insurers are in a strong position to manage this growth, supported by improved underlying risk quality from insureds' security investments, advanced risk modeling, and reinsurance protection.