3 Key Takeaways From the 2025 InsurSec Report
An analysis from a year’s worth of claims and cybercrime data
At-Bay’s 2025 InsurSec Report dropped last week, and it’s packed with a variety of insights for risk leaders. Once again, cybercrime of all types is on the rise. Yesterday’s ransomware and phishing risks are now joined by significant new threats from third-party relationships (e.g., indirect ransomware) and financial fraud.
Indeed, the sheer volume of data we’ve shared about how our insureds across revenue tiers and industry segments are experiencing losses from cyberattacks makes the full implications of the report difficult to digest. That said, three key takeaways are clear for all businesses.
1. Most of the controls you already have work, but only if they’re deployed properly and maintained over time
Overall claims frequency rose by 16% year over year, including a nearly 20% increase in ransomware specifically. This marks a return to 2021 levels for ransomware after a dip in 2022. We attribute this, in part, to criminal groups, once distracted by the war between Russia and Ukraine, returning to their usual activities.
For businesses, this means continued security efforts are paramount. The average severity for a ransomware attack in 2024 was $468K, a cost no company wants to incur.
However, these efforts don’t necessarily need to be in the form of technology spend.
The claims data that At-Bay collects and analyzes to develop knowledge products like the InsurSec Report has another story to tell about things that don’t happen among our insureds. Specifically, while we can make inferences about the relative effectiveness of security solutions based on how often we see them in place when a claim occurs, we can also make inferences based on control configuration and deployment scenarios that we don’t see among our claims.
Here are a few examples:
- Merely having multi-factor authentication (MFA) is not enough to avoid a security incident. It’s those that have MFA comprehensively deployed across both on-premises and SaaS services, and that enforce its use for all users, that rarely suffer security incidents bad enough to trigger an insurance claim.
- Companies with market-leading Endpoint Detection and Response (EDR) tools can still suffer computer intrusions and malware infections. But, companies that have a leading EDR solution comprehensively deployed throughout their environment and monitored by trained professionals tend to catch malicious activity before it has a chance to cause damage.
The takeaway for many businesses is that they probably already have enough security controls. What’s missing isn’t more tools but the human investment required to plan, deploy, maintain, and operate the existing controls effectively.
Before considering an additional investment, businesses should ensure that they’ve squeezed all possible value out of the investments they’ve already made.
2. Some controls worked great yesterday but haven’t kept up with today’s threats
At-Bay’s biggest loss category for the past two years has been financial fraud, and 83% of financial fraud incidents we saw in 2024 started with a malicious email. At the same time, most of our insureds have some type of email security solution — including solutions we’ve previously recommended as highly effective.
But, it’s clear that while threat actors are changing their tactics over time, most email security tools aren’t keeping up. Put bluntly, our data shows that many of the market’s leading email security solutions don’t work against current fraud tactics (see our 2024 InsurSec Rankings: Email Security and Fraud Report).
As stated in the section above, we are satisfied with the capabilities of most security solutions operated by our insureds, provided they are deployed and maintained effectively. However, email security is an area where we believe many companies have fallen behind without realizing it.
Organizations that have operated the same email security solution for more than three years would benefit from a refreshed view of the options available in the market along with an independent perspective (i.e., not from the tool vendor itself) about how they stack up against today’s most prominent email-based threats — specifically, financial fraud enabled via email.
In the meantime, businesses would do well to remind their employees of the potentially catastrophic damage of a financial fraud incident, how to identify a fishy email, and best practices for fraud prevention.
The largest single financial fraud incident we saw in 2024 amounted to $5.2M in stolen funds. While At-Bay helped policyholders recover $49M in stolen funds in 2024, getting the money back is never a guarantee. We’ve put together a list of 8 tell-tale signs you’re about to be a victim of financial fraud, which you can share with your employees and even encourage them to print out for their desk.
Additionally, remind employees in charge of financial transactions to adhere to the following:
- Voice Verification. Before authorizing any major transaction, call your trusted contact to verify all financial details.
- Warning Labels. Place language at the top of wire transfer instructions reminding vendors to call and verify details.
- Vendor Due Diligence. Make sure your vendors have similar security controls and processes in place.
3. Business relationships are hiding more cyber risk than you think
In the 2024 edition of our InsurSec Report, we discussed the threat of indirect ransomware, which is the impact felt by organizations when a vendor or supplier experiences an outage due to a ransomware attack. We used the term “indirect” because most of the losses experienced by our insureds in these incidents were unrelated to their own security practices and controls.
Indirect ransomware claim frequency increased for the second year in a row (+43% YoY), often attributable to aggregation events such as the attacks on MOVEit and CDK Global, and we expect that this phenomenon is here to stay.
In analyzing our claims data for this year’s edition of the InsurSec Report, we reported that our insureds are vulnerable to a greater variety of losses attributable to their business relationships.
Besides indirect ransomware, two specific scenarios come to mind:
- Companies are realizing damage from indirect data breaches, in which they are forced to take partial responsibility toward their customers for the compromise of data that was shared with a third party for storage or processing.
- Companies are falling victim to email-based financial fraud that was enabled by a compromise of a third party’s email system. In these scenarios, attackers use what they learn from penetrating one company’s email to target affiliates of that company with timely and realistic fraud messaging to, for example, redirect an imminent payment for an outstanding invoice. (See “Anatomy of a Business Email Compromise” in our 2024 InsurSec Email Security Report.)
Many companies implicitly assume that vendors they rely on for business-critical functions, such as payment processing, have security that is at least as good as their own, but this is often untrue. At a moment of rising third-party risks, we have two recommendations:
- First, companies need to revisit their process (or create a process) for evaluating the cybersecurity and attack resilience of their vendors and suppliers.
- Second, when outsourcing a critical function to another company, businesses must consider their own continuity or failover plans in case their outsourced provider becomes unavailable.
Above all, companies must remain cognizant that every business relationship increases their own cyber risk and take steps to mitigate the incremental risk where possible.
Get more insights in the full 2025 report — available now
We feel that the above takeaways apply to businesses of all sizes and in all industries. However, the full 2025 InsurSec Report contains much greater detail about current cyberthreats, including insights about how different segments among our insureds are experiencing losses.
Readers who would like more information about their own segment can find the full report here, and current At-Bay insureds who would like to discuss the implications of the report for their unique circumstances may schedule a discussion with an At-Bay Cyber Advisory here.