Cyber Claims in 2026: Fewer Claims, Bigger Losses — The Severity Paradox
Cyber insurance claims frequency dropped 53% in early 2025 but average severity doubled for large accounts. What the data means for underwriters pricing risk in 2026.
Something counterintuitive is happening in cyber insurance claims. Frequency is falling. Severity is exploding. And the gap between the two is widening fast enough to reshape how underwriters price risk through 2026.
Resilience’s H1 2025 Cyber Claims Report found a 53% decline in claims frequency compared to the same period in 2024. By most measures, that should signal a softening market. It does not. The same period saw average claim costs climb 23% year-over-year, with large-account severity nearly doubling. Chubb’s 2026 Cyber Market Report puts the number bluntly: the average claim for organizations with $1 billion+ revenue jumped from roughly $2.2 million to $4.4 million — a 100% increase in a single year, and a 586% increase since 2021.
This is the severity paradox. Fewer fires, but each one burns the house down.
What the Claims Data Actually Shows
The headline numbers come from multiple carriers and aggregators, and they largely agree on the direction:
| Metric | 2024 | 2025/2026 | Source |
|---|---|---|---|
| Claims frequency (H1) | Baseline | -53% | Resilience |
| Average claim value (global) | $96K | $118K (+23%) | Coalition/Industry |
| Large-account avg severity | ~$2.2M | ~$4.4M (+100%) | Chubb |
| Middle-market avg severity | ~$619K | ~$759K (+22.6%) | Chubb |
| Claims denied or partially denied | 15% | 21% | Industry |
The divergence is starkest at the top. Large accounts are filing fewer claims but each one is dramatically more expensive. Middle-market severity rose moderately. SME severity actually fell 33.9% — from ~$215K to ~$142K — suggesting the smallest organizations are either getting better at defense, settling for less, or not purchasing adequate coverage in the first place.
Ransomware Drives 76% of Incurred Losses
The severity story is, at its core, a ransomware story. NetDiligence data shows ransomware accounts for roughly 28% of claims by volume but 52% of total costs and 76% of incurred losses. The average ransomware claim now sits at $631,000 (NetDiligence), with Resilience calculating the average ransomware-related loss at $1.18 million.
Several factors are pushing ransomware severity higher:
Larger ransom demands. The average demand crossed $1 million in 2025, a 47% year-over-year jump (Coalition). NetDiligence recorded the largest ransom payment ever at approximately $75 million, with 50 separate ransom payments exceeding $10 million in a single year.
Dual extortion is now standard. Coalition’s 2026 report found that 70% of ransomware claims in 2025 involved both data exfiltration and encryption — up from roughly 50% two years prior. Dual-extortion incidents are 2x more expensive than encryption-only attacks, averaging $302K per claim.
Business interruption compounds everything. CRC Group reports the average BI loss now exceeds $1 million, with BI claims costing 650% more than non-BI claims. Ransomware drives 81% of all BI claims. The settlement timeline for BI claims? Over a year.
Real-World Claims That Defined the Trend
The raw numbers become visceral when you look at specific incidents.
Change Healthcare (February 2024): BlackCat/ALPHV ransomware. UnitedHealth Group’s subsidiary reported $2.457 billion in total response costs as of Q3 2024. The breach affected 192.7 million individuals. A second ransomware group, RansomHub, demanded additional payment for the stolen data. This was not a sophisticated zero-day exploit — it was a single compromised credential on a system without MFA. The insurance implications are still being litigated.
Marks & Spencer (April 2025): Scattered Spider used social engineering against Tata Consultancy Services’ IT helpdesk to obtain credentials, then deployed DragonForce ransomware over Easter weekend. M&S lost an estimated £300 million in operating profit. Online shopping was suspended for 46 days. The same actor hit Co-op and Harrods within days. Insurance partially offset losses, per company statements, but the total claim is expected to be one of the largest in UK cyber history.
Jaguar Land Rover (August 2025): Nearly six weeks of production shutdown across three UK factories. The Bank of England confirmed the hack shaved approximately 0.2% off UK GDP. Over 5,000 downstream organizations were affected. The UK government provided a £1.5 billion loan guarantee. This event is being classified as a Category 3 systemic event on the Cambridge Centre for Risk Studies’ 1-5 scale.
These are not edge cases. They represent the new ceiling for cyber claims severity.
Supply Chain Claims Are Accelerating
Third-party involvement in breaches doubled from 15% in 2023 to 30% in 2024-2025. Vendor-related losses now account for 15-21% of all incurred losses (Resilience), with vendor-driven ransom payments ranging from $2 million to $25 million.
The average supply chain breach remediation cost hit $4.91 million. Over two-thirds of large organizations experienced at least one third-party cybersecurity incident in the past 12 months (Munich Re). Manufacturing was hit hardest, with supply chain compromises accounting for 46% of sector losses.
For underwriters, this changes the risk model. You are no longer underwriting a single organization’s security posture. You are underwriting their entire vendor ecosystem.
Loss Ratios: Profitable But Compressed
Despite rising severity, cyber insurance remains highly profitable by P&C standards. Fitch Ratings puts the US cyber combined ratio at 65.4% in 2025 — far below the 93% industry average. Beazley reported cyber loss ratios around 49%.
But the trend is not your friend. Fitch noted a 5 percentage point deterioration in incurred direct losses, driven by rate declines and broader participation from less experienced carriers. Premiums fell approximately 6% in 2025 (Marsh/Swiss Re), with European rates dropping 12% in Q1 2025 — the steepest decline globally.
This creates a classic margin compression signal: falling premiums, rising severity, growing systemic exposure. S&P Global Ratings forecasts 15-20% premium increases in 2026 as the market corrects.
What Underwriters Should Do Differently
The severity paradox demands a different underwriting approach:
1. Stop using frequency as a proxy for risk. A declining claims count does not mean declining risk when each claim can wipe out years of premium. Price for severity, not frequency.
2. Model contingent BI exposure explicitly. The Change Healthcare and JLR incidents show that single-point-of-failure vendors can generate claims orders of magnitude larger than direct policy limits. Map concentration risk.
3. Scrutinize ransomware-specific sublimits. 58% of policies now carry ransomware sublimits capping coverage at 50-75% of the total policy limit. Given that ransomware drives 76% of incurred losses, these sublimits may be the difference between an adequate and an inadequate policy.
4. Require vendor security attestations. With supply chain claims doubling, underwriters need visibility into the insured’s critical vendor ecosystem — not just the insured’s own controls.
5. Watch for the market correction. After 2-3 years of softening, multiple factors point to a hardening cycle in 2026-2027. Early movers who re-price ahead of the curve will have healthier books.
The Bottom Line
Cyber insurance claims are getting more expensive even as they become less frequent. Ransomware severity is the primary driver, amplified by supply chain concentration and dual-extortion tactics. The current profitability of cyber lines masks a deteriorating trend that will likely force a market correction in 2026.
For underwriters, the severity paradox is not a reason to exit cyber — it is a reason to underwrite it differently. The data is clear. The question is whether the market will price it accordingly.