This episode explores why cyber insureds are demonstrating enhanced resilience, evidenced by an overall decline in claims severity by more than 50% and a 30% drop in large loss frequency during 1H 2025. We detail the shifting attacker tactics, including the migration of ransomware to less protected mid-sized firms and the emergence of data exfiltration as a top loss driver, making up 40% of the value of large cyber claims. Finally, we analyze how the risk landscape is broadening due to non-attack incidents, such as technical failure, supply chain dependency, and privacy litigation, which accounted for a record 28% of large claim value in 2024.
http://www.breached.company/cyber-security-resilience-2025-an-analysis-of-claims-and-risk-trends
http://www.compliancehub.wiki/risk-assessment-report-the-expanding-landscape-of-non-attack-cyber-incidents-and-liabilities
0:00
Welcome to the deep dive. We're jumping
0:02
straight into something pretty
0:03
interesting today. Almost a
0:05
contradiction really from the latest
0:06
cyber claims data.
0:08
Uh-huh.
0:09
If you just look at insured companies,
0:11
right, for the first half of 2025, well,
0:14
claim frequency notifications stayed
0:16
flat and get this, the average severity
0:20
actually dropped by over 50%.
0:22
Yeah, on the surface that sounds great,
0:24
doesn't it? Like maybe we're finally
0:25
turning a corner.
0:26
Exactly. You'd think CISOs are nailing
0:28
it,
0:28
but uh it's a bit of a misleading
0:30
snapshot. Unfortunately, while that drop
0:32
in severity is real and it does suggest
0:34
better defenses are working for those
0:36
insured companies, the overall risk
0:38
landscape for everyone, it's actually
0:40
getting much much bigger.
0:41
Okay, so that's what we're digging into,
0:43
right? We're looking at the Allianz
0:45
Commercial Cyber Security Resilience
0:47
2025 report today. And our mission
0:50
really is to figure out why we have this
0:52
seemingly positive insurance data at the
0:55
exact same time that you know global
0:57
cyber crime is just exploding and what
1:00
even counts as a cyber loss is changing
1:02
fundamentally.
1:02
That's the puzzle. Yeah. The main
1:04
challenge seems to be the scope of
1:07
potential loss just keeps widening. It's
1:09
moving beyond those, you know, classic
1:11
direct hacks we used to focus on.
1:13
Totally. Now we're seeing huge, really
1:15
severe losses driven by things maybe we
1:18
didn't worry about as much before, like
1:20
supply chain issues, simple tech
1:22
failures, and wow, really sophisticated
1:24
social engineering.
1:25
The conversation used to be all about
1:27
intrusion prevention, firewalls, that
1:29
sort of thing. Now the risk isn't just
1:31
keeping people out. It's about managing
1:33
contracts, dealing with the human
1:34
element, navigating this really tough
1:37
regulatory environment that keeps
1:38
changing. It's definitely complex and
1:41
it's moving so fast it feels like it's
1:42
almost too much for internal teams to
1:45
handle all by themselves.
1:46
Yeah, it's a fair point.
1:47
So, before we get into how the attackers
1:48
are actually changing their game, we
1:50
should probably acknowledge that good
1:51
defense needs good resources. We want to
1:54
thank our sponsor www.seomarketplace.com
1:58
and www.seomarketplace.services.
2:01
Right. They offer specialized solutions,
2:04
expertise, things that are pretty
2:06
critical for dealing with this
2:07
complicated defense world we're talking
2:09
about.
2:09
Okay. So, the attackers playbook. The
2:12
report mentions this great migration. If
2:14
the big companies are seeing lower
2:16
severity claims, what does that actually
2:19
mean? Where are the attackers going? Are
2:21
they just giving up on the big fish?
2:23
Huh? No, not giving up exactly, but they
2:25
are thinking about return on investment.
2:27
You know, big multinational
2:29
corporations, especially in the US and
2:30
Europe, they've spent a lot hardening
2:32
the basics. Things like MFA, keeping
2:35
systems patched,
2:36
they've raised the barrier to entry.
2:38
Exactly. They've raised the bar. So,
2:40
attackers are looking for a new sweet
2:41
spot. And that sweet spot, it's
2:42
definitely looking like midsized and
2:44
smaller firms,
2:45
right? Makes sense. Probably less
2:47
resilient, maybe smaller security
2:48
budgets, fewer dedicated staff.
2:51
That's generally the case. Yeah. And the
2:53
data really backs this up. Look at the
2:55
difference. Ransomware was involved in
2:56
what 88% of data breaches at small and
2:59
medium firms. Compare that to only 39%
3:01
at large firms. That's a huge gap.
3:04
Wow. 88 versus 39.
3:06
Yeah. And for smaller companies, cyber
3:08
incidents, they're now ranked as the
3:10
absolute number one risk in the Allianz
3:13
Risk Barometer. They're just seen as the
3:16
path of least resistance.
3:17
And the tactics themselves are changing
3:18
too, right? It's less about just
3:20
encrypting everything and demanding a
3:21
ransom,
3:22
right? We're hearing double extortion
3:23
all the time now. data theft,
3:24
exfiltration, that's often the main
3:26
event, then maybe encryption.
3:28
So, if stealing the data is the goal,
3:31
Mhm.
3:31
doesn't that kind of flip the script for
3:33
CISOs, like maybe data mapping and
3:35
tracking become even more important than
3:37
just guarding the perimeter?
3:38
Absolutely. Data exfiltration is driving
3:40
the big losses now because frankly, it's
3:43
often easier and quicker for the
3:44
attackers than trying to encrypt an
3:46
entire complex corporate network.
3:48
Oh, okay.
3:48
The implication is huge. Like you said,
3:50
you've got to secure the data wherever
3:52
it goes, not just where it sits. And
3:54
look at the cost impact for the first
3:56
half of 2025. 40% of the really big
3:59
cyber claims over a million euros
4:01
involved data theft. That's up quite a
4:03
bit from 25% the year before.
4:05
40%. And I think I saw something even
4:07
more striking.
4:08
Yeah. The value, right?
4:09
The losses involving data theft were
4:11
more than double the value of those that
4:13
didn't involve it. Double.
4:15
Exactly. And then you add on the
4:17
potential fines, the regulatory heat
4:19
from privacy breaches. It all pushed the
4:22
average global data breach cost to a
4:24
record high. Almost $5 million US in
4:28
2024.
4:29
$5 million. I mean, for a lot of midsize
4:32
companies, that is their entire annual
4:34
IT budget. Puts the stakes right there,
4:36
doesn't it?
4:37
It really does. So, okay. If encryption
4:39
is maybe taking a backseat sometimes and
4:41
the focus is on getting in quick and
4:43
grabbing data, that brings us right back
4:44
to that perennial weak link.
4:46
The human element.
4:47
Bingo. Around 60% of breaches in 2024
4:50
involved a human element somehow. Often
4:53
super targeted social engineering or
4:55
maybe exploiting a vulnerability at one
4:57
of their suppliers.
4:58
It's all about getting the keys to the
4:59
kingdom, isn't it? Compromised
5:01
credentials, usernames, passwords may be
5:04
phished or fished out of someone. That's
5:06
now the top way in, way ahead of
5:08
malware. Now,
5:08
the shift is really stark. 80% of
5:10
attacks in the past year were apparently
5:12
malware free. Think about that. Up from
5:13
just 40% back in 2019.
5:15
80%. Wow.
5:16
It tells you the sophistication isn't
5:18
necessarily in complex code anymore.
5:21
It's in manipulating people
5:22
and the speed they operate at.
5:24
Oh yeah, that's what's really
5:25
concerning. It's often helped by these
5:27
access brokers who just sell the initial
5:29
foothold. You look at groups like
5:31
Scattered Spider. They hit retailers,
5:32
casinos. They showed they could go from
5:35
getting one person's account login to
5:37
deploying ransomware across the network
5:39
in less than 24 hours
5:41
under a day. That's terrifying speed.
5:43
It is. Their success comes down to
5:46
finding that one weak link, that one set
5:49
of credentials, and exploiting trust
5:51
really, really quickly.
5:53
And this just feeds into the whole AI
5:55
accelerator discussion, doesn't it?
5:56
Generative AI isn't just helping craft a
5:59
slightly more convincing phishing email.
6:02
No, it's about scale. Massive scale of
6:05
hyperpersonalized attacks. We're talking
6:07
attackers potentially using deepfake
6:09
voices for vishing calls or highly
6:11
individualized messages sent out
6:13
automatically to thousands. It just
6:14
dramatically increases the chances of
6:16
that 60% human vulnerability being
6:19
exploited
6:20
which demands more specialized defenses.
6:21
Right.
6:22
It does. And if you look at where the
6:24
big claim money has gone since 2020
6:26
sector-wise, manufacturing is way out
6:29
front at 33%. Then professional services
6:31
at 18% and retail at 9%.
6:34
Why retail specifically right now in the
6:37
first half of 2025?
6:39
Well, think about it. High revenues,
6:41
usually huge volumes of customer data.
6:43
Often their security maturity isn't
6:45
quite at the level of say banking and
6:47
they are incredibly vulnerable to
6:49
business interruption, especially during
6:51
peak shopping times. They're a tempting
6:53
target. So, you've got these complex
6:55
third-party risks. The constant threat
6:58
against employees, AI making attacks
7:00
smarter and faster. It really does feel
7:02
like relying just on your internal team
7:04
isn't enough anymore.
7:05
It's a huge ask for any single
7:07
organization. You really need
7:09
specialized help, robust platforms to
7:11
stay ahead. Navigating this new
7:13
environment, it really requires
7:14
strategic access to external solutions,
7:16
expert advice.
7:17
Absolutely. And to effectively handle
7:19
things like AI scaling threats or
7:21
managing those critical supplier
7:22
connections, having the right resources
7:24
is key.
7:25
Which is why if you are looking for
7:26
those professional services, tools,
7:28
solutions designed for these complex
7:30
challenges, it's worth checking out our
7:32
sponsor www.seomarketplace.com
7:36
and www.seomarketplace.services.
7:39
Okay, so let's zoom out a bit. Now,
7:41
we've talked about attackers, but the
7:43
report also highlights this expanding
7:45
risk landscape. Mhm.
7:47
Stuff that's not driven by external
7:49
attacks at all, but still causes massive
7:52
losses.
7:52
Yeah, this is super important for
7:54
understanding the kind of breadth of
7:55
coverage companies need now. These
7:58
non-attack incidents could be anything
7:59
from a tech failure to a big regulatory
8:02
fine. They accounted for a record 28% of
8:04
the value of large claims analyzed in
8:06
2024.
8:07
28%. So nearly a third of the big money
8:10
losses weren't even traditional hacks.
8:12
Exactly. And the biggest single driver
8:13
in that category, supply chain
8:15
catastrophe. Contingent business
8:17
interruptions CBI related to supply
8:19
chains. That shot up to 15% of large
8:21
claims value in the first half of 2025.
8:23
Just the year before, it was only 6%.
8:25
It's a huge jump, almost tripled.
8:27
It's pretty scary because these CBI
8:29
losses can come from an attack on a
8:31
supplier or just a technical fault at a
8:33
key supplier. The report mentioned a
8:36
136% increase in cloud intrusions in the
8:39
first half of 2025.
8:40
Wow. And it's just incredibly hard for
8:43
any company to really control the
8:45
operational stability of a major IT
8:47
vendor, right? If your core cloud
8:50
provider, your SaaS platform, whatever it
8:53
is, if it goes down because of a bug, a
8:55
misconfiguration, or yes, a hack,
8:58
yeah,
8:58
your business might just stop dead.
9:00
And it's not just suppliers causing
9:01
internal issues, technical faults, plain
9:04
old human error. They're showing up as
9:05
major loss drivers, too. Made up 10% of
9:08
large claims value in 2024. Yeah, that
9:10
massive CrowdStrike outage last year,
9:12
perfect example,
9:13
right? That wasn't malicious, it was a
9:14
technical issue, but it caused chaos
9:16
globally across so many sectors,
9:18
healthcare, transport, it proved that
9:20
sometimes a glitch could be just as
9:21
costly, maybe even more so than a big
9:23
ransomware attack.
9:24
And then layering on top of all this
9:25
risk, you have the litigation surge,
9:27
data privacy rules, and the lawsuits
9:29
that follow. Yeah.
9:30
They now account for 18% of large claims
9:33
value. That's triple what it was just
9:34
three years ago.
9:35
Triple.
9:36
Yeah. Litigation hit crazy levels in
9:38
2024. Something like 1,500 data privacy
9:42
class actions filed in the US alone.
9:45
Companies are really struggling to keep
9:46
up not just with all the different state
9:48
privacy laws, but also these emerging
9:50
risks like potential AI liability around
9:53
how data is collected and used.
9:55
Okay, so the backdrop is definitely
9:57
getting darker, broader, but we started
9:59
this conversation with that little
10:01
glimmer of hope, right? The stable
10:03
frequency and falling severity for
10:05
insured companies,
10:06
right? It really suggests that investing
10:08
in resilience, getting those controls in
10:09
place, it really is paying off. That
10:12
stability for insureds looks very
10:14
different from the what was it 16.6
10:17
billion in internet crime losses
10:19
reported to the FBI last year overall.
10:21
It really highlights this widening gap.
10:23
Insured companies seem to be maturing
10:25
faster, probably because the insurance
10:27
process forces certain standards. There
10:29
was a stat in the report about Germany.
10:30
I think loss impact for insured
10:32
companies rose about 70% over four
10:34
years. But the overall economic impact
10:37
of cyber crime in Germany up 250% in the
10:41
same period. So being insured, having
10:43
those controls, it really seems to
10:45
mitigate the exposure significantly.
10:47
And there's a massive financial reason
10:48
to get it right. This brings us to that
10:51
1,000x advantage idea in the report.
10:53
Yeah, that was a powerful illustration.
10:54
They used a manufacturing company
10:56
scenario. If an attack gets detected and
10:59
shut down before the attacker gets admin
11:01
rights, maybe the cost is around 20,000
11:04
manageable, right?
11:05
Relatively. Yeah.
11:06
But if you miss it, if it escalates,
11:08
leads to business interruption, maybe a
11:10
ransom payment, huge restoration costs,
11:12
that same incident could balloon to 20
11:14
million.
11:15
From 20,000 to 20 million, that's Yeah,
11:16
that's a thousand times difference.
11:18
Exactly. A thousandfold difference
11:20
purely based on how quickly you detect
11:22
and contain it. And here's the kicker.
11:24
The report found that in over 80% of
11:26
large claims, the insured company's own
11:28
decisions or lack of action
11:30
significantly impacted how big the final
11:32
loss was.
11:33
80%. So, it really puts the focus back
11:35
on preparedness, doesn't it? Response
11:37
planning, making sure basics like MFA,
11:40
patching, network segmentation are
11:42
actually working properly.
11:44
Absolutely. And that preparedness piece
11:46
includes things like training, running
11:47
tabletop exercises, so people build that
11:50
muscle memory, that confidence. Business
11:52
interruption is still the biggest single
11:54
cost driver over 50% of claim value. So
11:57
having a BI plan that you've actually
11:59
tested, that's crucial.
12:00
And what about AI? We talked about it
12:02
helping attackers.
12:04
Does it help defenders, too?
12:05
Oh, definitely. We have to flip the
12:07
script there. The data shows
12:08
organizations using AI and automation
12:10
for their security saved on average
12:12
about 2.2 million US in breach costs
12:15
compared to those who didn't.
12:16
2.2 million saved.
12:18
Yeah. AI helps defenders speed up
12:20
detection, speed up response. Basically
12:22
narrowing that critical time gap between
12:24
when a breach happens and when you shut
12:26
it down. That's the exact factor that
12:28
determines whether you're looking at a
12:29
20,000 euro problem or a 20 million one.
12:32
Gotcha. And finally, regulation. You
12:34
mentioned NIS2 and DORA in Europe,
12:36
right? These are imposing pretty serious
12:38
security requirements across critical
12:40
sectors and importantly across their
12:42
supply chains, too. This kind of
12:44
regulatory floor should hopefully raise
12:46
the minimum standard for everyone,
12:48
which should especially help those
12:49
midsize companies that are, as you said,
12:51
the new favorite target right now.
12:53
Exactly. It benefits them
12:55
disproportionately if the baseline
12:56
everywhere gets higher. So you see this
12:58
convergence, regulation, insurance
13:00
requirements, companies investing in
13:02
tech, it all pushes towards better
13:04
resilience. And as everything keeps
13:06
getting more digital, that global cyber
13:08
insurance market is expected to more
13:10
than double by the end of the decade,
13:11
nearly $30 billion. The need for expert
13:15
tools, services, advice, it's only going
13:17
up.
13:18
Which brings us back to thanking our
13:19
sponsor one last time for supporting
13:21
this deep dive. www.cisomarketplace.com
13:24
and www.isomoarketplace.services.
13:28
Building that resilience clearly
13:30
requires ongoing effort and access to
13:32
the best resources and professional help
13:33
you can get. So
13:36
if we try to synthesize all this, what's
13:38
the main takeaway? I think it's that the
13:40
positive data for insured companies,
13:42
it's real proof that investing in mature
13:45
controls and preparedness genuinely
13:48
reduces the financial hit from big
13:50
losses. But the strategic shift needed
13:53
now for everyone is moving beyond just
13:55
trying to prevent breaches because some
13:57
will inevitably happen and really
13:59
focusing on rapid detection, fast
14:01
containment, and having plans to manage
14:03
these non-attack risks, the CBI from
14:05
suppliers, the tech failures, and this
14:08
relentless rise in privacy litigation.
14:10
Okay, so we'll leave you, the listener,
14:12
with a final thought to maybe chew on
14:14
for your own strategic planning. We know
14:16
AI is being adopted fast by both
14:17
attackers and defenders. We know the
14:19
share of big claims coming from privacy
14:21
litigation has already tripled. So
14:23
what's the next big compliance or
14:24
liability headache likely to be driven
14:26
by AI systems themselves? Maybe systems
14:29
that help collect or use data in ways
14:30
that turn out to be unauthorized, right?
14:32
Could that become the next major
14:33
non-attack loss driver you need to start
14:35
budgeting for? Something to keep an eye
14:36
on as you assess your risk.

