
Resilience’s 2025 cyber risk report highlights strategic shift in cybercrime

New cyber insurance claims data from cyber risk and insurance company Resilience shows a fundamental shift in how cybercriminals operate and make money.

According to a statement, the company’s latest analysis of its 2025 customer portfolio shows that threat actors are conducting longer and more planned campaigns against organizations. The findings also make it clear that the financial damage caused by cyber incidents increasingly extends far beyond the initial breach and often lasts for a long time.

The 2025 Cyber Risk Report, based on claims data and research from Resilience’s Risk Operations Center (ROC), describes a more complex threat environment and outlines steps organizations can take to limit material damage.

In the first half of 2025, ransom demands aimed at preventing the exfiltration of stolen data accounted for 49% of all ransom-related claims. This figure climbed sharply to 65% in the second half of the year. For the full year, data theft attacks alone accounted for 57% of all incidents, indicating that attackers are adjusting their strategies to bypass increasingly powerful backup systems.

The report also found that information-stealing malware stole more than 2 billion credentials during the year. In many cases, information stealers are detected in victim environments before ransomware is deployed, indicating that such activity should be considered a serious early warning sign. Taking prompt action to prevent credential theft can reduce the likelihood of subsequent attacks.

Some threat groups, including Interlock, have been observed extracting cyber insurance policy information from stolen data. By reviewing coverage details, attackers are able to tailor ransom demands to maximize potential payouts while staying within policy limits.

Supplier-related incidents emerged as another major contributor to losses. Within Resilience’s portfolio, supplier risk accounts for 18% of total losses, making it the second-largest category. Attackers are increasingly exploiting the password reset process and compromising the open source code repositories that form the backbone of many enterprise applications. A breach affecting a critical supplier can have cascading operational and financial consequences across multiple organizations and industries.

Taken together, these data suggest that cyberattacks are becoming more strategic and systematic. The resulting losses are not limited to the moment of disruption but can accumulate gradually, sometimes over months or years.

“Cyber risks are constantly changing. As cybercriminals change their tactics, a new reality is emerging: the real risk is not just the immediate disruption of a security incident, but the long-tail aftershocks that follow,” commented Vishaal “V8” Hariprasad, co-founder and CEO of Resilience.

“Claims data gives us the best, most granular understanding of the real-world costs of these shockwaves. Understanding the importance of the entire life cycle of a cyber incident is the only way to effectively arm yourself against advanced new tactics and increase your ability to respond to inevitable threats.”

The report recommends that organizations focus on practical measures to reduce material exposure. These include strengthening data loss prevention capabilities, implementing a zero-trust architecture, closely monitoring credentials, developing vendor incident contingency plans, conducting tabletop exercises and ensuring insurance coverage aligns with current severity trends rather than relying solely on historical averages.

“Given the increasing specialization of the threat landscape, it’s easy to think there’s no recourse. But our latest findings give us insight into the motivations behind incidents and how we can best fight back,” added Judson Dressler, director of Resilience’s Risk Operations Center (ROC).

“For example, to reduce information theft activity, our ROC teams proactively look for stolen credentials on the dark web or new vulnerabilities or vulnerabilities impacting their environments and alert our customers to these critical findings. This is an example of adapting in practice to the reality of the ‘everything, everywhere, simultaneously’ cyber risk model we face.”
