Ransomware Claims in 2026: What the Data Tells Underwriters About Pricing Risk

Ransomware claims frequency is shifting again in 2026. Here is what the latest data patterns mean for how underwriters price cyber risk, structure deductibles, and evaluate ransomware-specific endorsements.

The ransomware landscape in 2026 does not look like 2021, and it does not look like 2024 either. The threat actors have evolved. The defensive tooling has improved. The regulatory environment has tightened. And the claims data is telling a story that underwriters need to understand if they are going to price risk accurately.

I have been looking at ransomware claims patterns across the European cyber insurance market, and several trends stand out. None of them are comfortable.

The Shift from Encryption to Exfiltration

Two years ago, the typical ransomware claim was about encryption — attackers locked systems, demanded payment for a decryption key, and the insured had to decide whether to pay or restore from backups.

In 2026, the dominant pattern is data exfiltration with extortion. Attackers do not need to encrypt anything. They copy sensitive data — customer records, financial details, trade secrets — and threaten to publish it. This fundamentally changes the loss dynamics:

  • No decryption key to wait for. The damage is done the moment data leaves the network.
  • Regulatory exposure is immediate. Under GDPR, a data breach triggers notification obligations within 72 hours, regardless of whether a ransom is paid.
  • Business interruption is harder to quantify. Unlike encryption events where systems are clearly down, exfiltration events may not cause visible operational disruption — but the financial impact through fines, legal costs, and reputational damage can be larger.

For underwriters, this means traditional BI triggers based on system downtime may not capture the full loss exposure. Policies need to account for extortion costs, regulatory fines (where insurable), and third-party liability arising from data exposure — even when the insured’s operations never stopped.

Claims Frequency Is Up, Severity Is Bimodal

The overall frequency of ransomware claims has increased roughly 15-20% year over year in the European market. But the severity distribution tells a more interesting story:

Small and medium businesses (SMBs): Claims are more frequent but individually smaller. Attackers are using automated tools to target companies with revenue under €50M, demanding ransoms in the €10,000–€50,000 range. Many of these companies lack mature incident response plans, so they pay — and the claims close quickly.

Large enterprises: Claims are less frequent but significantly more severe. When a Fortune 500 or DAX-listed company gets hit, the ransom demand alone can exceed €5M, and total insured losses (including BI, data recovery, legal fees, and regulatory fines) regularly exceed €20M.

This bimodal distribution has pricing implications. A portfolio concentrated in SMB risks will see different loss ratios than one weighted toward large enterprise. Underwriters should be explicit about which segment they are pricing for and adjust their frequency/severity assumptions accordingly.

The Ransom Payment Question

One of the most contested areas in claims handling is whether to allow ransom payments. Several developments in 2026 are relevant:

  1. OFAC and EU sanctions enforcement has become more aggressive. Paying a ransom to a sanctioned entity — even inadvertently — creates legal exposure for both the insured and the insurer.

  2. Law enforcement disruption operations have increased. Europol and national agencies have had notable successes in taking down ransomware infrastructure, which sometimes makes payment unnecessary because the data is recovered through law enforcement channels.

  3. The “no-negotiation” trend among large insurers. Some carriers now include policy language that discourages or limits ransom payments, instead directing insureds toward incident response firms and data recovery specialists.

For underwriters, the key question is: does your policy language adequately address the ransom payment decision tree? If the insured pays without insurer approval, is that covered? If law enforcement recovers data after payment, is there a clawback mechanism? These details matter.

NIS2 and Its Impact on Claims Behavior

The NIS2 Directive, now in its enforcement phase, is changing how organizations respond to ransomware incidents — and therefore how claims are filed:

  • Mandatory reporting within 24 hours of becoming aware of a significant incident means claims are notified earlier. This is generally good for insurers (earlier intervention, better loss mitigation) but increases administrative costs.
  • Management liability provisions mean that C-suite executives can be held personally liable for inadequate cybersecurity. This is driving demand for D&O coverage alongside cyber policies.
  • Supply chain due diligence requirements mean that an insured’s ransomware incident may trigger claims from their customers and partners — expanding the pool of potential claimants.

Underwriters should be asking about NIS2 compliance as part of their risk assessment. Non-compliant organizations present a higher risk not because they are more likely to be attacked, but because the regulatory consequences of an attack are more severe.

What This Means for Pricing

Based on the trends above, here is how I would think about pricing ransomware risk in 2026:

| Factor | Direction | Pricing Impact |
|---|---|---|
| Exfiltration over encryption | Up | Increase third-party limits pricing |
| SMB claims frequency | Up | Higher frequency load for SMB portfolios |
| Large enterprise severity | Up | Adequate catastrophe load |
| Law enforcement disruption | Up (positive) | Slight offset on severity |
| NIS2 regulatory exposure | Up | Compliance discount for prepared insureds |
| Sanctions/payment risk | Up | Stricter policy language, possible exclusion |

The Bottom Line

Ransomware risk in 2026 is not the same risk it was three years ago. The attack vectors have shifted, the regulatory environment has changed, and the claims patterns reflect both. Underwriters who rely on 2022-vintage loss data and assumptions are likely mispricing risk.

The best underwriting approach today combines:

  1. Updated frequency/severity models that reflect the exfiltration-first attack pattern
  2. Explicit policy language around ransom payments, sanctions compliance, and regulatory exposure
  3. NIS2 compliance assessment as a standard part of the underwriting questionnaire
  4. Portfolio-level analysis that accounts for the bimodal SMB/enterprise distribution

If you are pricing cyber risk in 2026 and not adjusting for these trends, you are flying blind.
