AI risk is giving old cyber threats a dangerous new advantage: speed. BakerHostetler, a U.S. law firm with a large cybersecurity, privacy, and incident response practice, puts AI risk at the center of its 2026 Data Security Incident Response Report. The report, based on over 1,250 incidents handled by the firm’s Digital Assets and Data Management Practice Group in 2025, offers strong value for cyber insurance readers by reflecting real client matters rather than broad survey data.
The report finds that familiar attack types still dominate, but everything is happening faster. Phishing caused 30% of incidents, network intrusions made up 47%, and business email compromise accounted for 32%. Data theft or exfiltration happened in 48% of cases. Healthcare was the most affected sector at 27%, with finance and insurance at 18%, and business and professional services at 15%.
AI Risk Starts To Reshape Claims
The new pressure point is AI risk. BakerHostetler says it reached an AI “tipping point” while preparing the report for publication. The firm writes that AI is moving beyond phishing enhancement and into social engineering support, automation, “vibe hacking,” and agentic coordination. The report also cites cases in which AI supported reconnaissance, credential harvesting, network penetration, and extortion activity. For cyber insurers, that means less time to detect intrusions and to contain losses.
Theodore J. Kobus III, chair of BakerHostetler’s Digital Assets and Data Management Practice Group, said the firm’s incident, litigation, and regulatory work gives it a “unique perspective” on cyber risk. Craig Hoffman, co-leader of BakerHostetler’s Digital Risk Advisory and Cybersecurity team, said the report delivers “clear and actionable advice” during incidents, compliance work, and technology risk planning. Their framing fits the data. The old threats still dominate. AI risk is changing their speed and scale.
AI Risk Compresses The Claims Timeline
Speed is important because timing is critical in cyber insurance. BakerHostetler found that the median time from an incident happening to discovery was three days, with containment happening immediately after discovery. Forensic investigations took 23 days on average, and notification happened 59 days after discovery. Faster investigations improved notification times, but quicker threats put pressure on every stage and leave less time for people to make decisions during an incident.
The report makes the insurance angle plain in another way. It says AI may change “speed and scale.” It also warns that AI-enabled attacks may look ordinary because attackers often use open-source tools and legitimate accounts. That creates a difficult loss environment. Insureds may not spot the intrusion early. Carriers may then face higher response, legal, and notification costs.
Data Theft Gains Ground Over Encryption
The report’s ransomware findings are important for cyber insurers. In 2025, the average ransom demand was about $4.24 million, and the average payment increased to $682,702. However, BakerHostetler points out that the main change is a move from just encrypting data to using stolen data for extortion. As the report puts it: “Stealing > Encrypting.”
This shift affects how severe claims can be. In 2025, 43% of ransom payments were made mainly to stop stolen data from being published, while 31% were to get a decryptor. BakerHostetler also found that 71% of clients who paid to prevent publication still had to notify affected people. Paying the ransom did not remove privacy obligations. For cyber insurers, this means data theft can lead to restoration costs, legal fees, notification expenses, regulatory issues, and class-action lawsuits all in one claim.
Litigation And Vendor Exposure Add More Pressure
These extra costs are already going up. BakerHostetler reports that lawsuits followed 68 out of 482 disclosed incidents in 2025, compared to 51 in 2024. Law firms filed cases sooner and were more aggressive, using legal arguments that held up in more courts. The report also points out that even incidents with fewer than 1,000 people notified led to lawsuits if the company was well-known or had high revenue.
Vendor-related incidents are still a big issue. BakerHostetler says that 25% of the cases it handled in 2025 involved a vendor. This is important for cyber insurance underwriters because one vendor incident can impact many insured companies at the same time. These cases also make claims, responsibility, and risk assessment more complicated. The report recommends better vendor management and notes that the rise of AI means companies need to check both their vendors and how those vendors use AI.
Regulation Broadens The Cost Of Failure
The report also notes that compliance is getting tougher. By the end of 2025, 16 states had comprehensive privacy laws in effect. BakerHostetler points to ongoing changes in SEC priorities, FTC enforcement, healthcare privacy, and state AI rules. California’s cybersecurity audit requirements are also pushing companies to prepare early, ahead of the 2028 deadline. For insurers, more rules mean higher costs for weak controls and a greater chance that a cyber incident turns into a governance problem.
What The Market Should Take Away
For cyber insurers, the message is straightforward. The threat mix still includes phishing, account compromise, ransomware, privacy litigation, and vendor failures. Those are familiar loss drivers. AI risk changes the tempo. It sharpens social engineering, accelerates intrusions, and shrinks the time available to stop a claim from worsening. BakerHostetler’s report does not suggest a new universe of cyber loss. It shows a faster one. In insurance terms, that may prove just as costly.
FAQ – Key Questions On AI Risk, Cyber Insurance, And BakerHostetler’s 2026 DSIR Report
It is BakerHostetler’s annual Data Security Incident Response Report. The 2026 edition draws on more than 1,250 incidents handled in 2025 and highlights cyber trends, litigation, vendor risk, and compliance issues.
It reflects real incident response work, not survey opinions. That makes it useful for understanding claims trends, underwriting pressure, and breach costs.
The report says AI reached a tipping point in cyber incidents. It links AI to faster social engineering, automation, reconnaissance, credential theft, and extortion activity.
AI can speed up attacks and shorten response time. That can increase claim severity by raising forensic, legal, notification, and business interruption costs.
Yes. Phishing remained the top root cause, and network intrusion remained the leading incident type. AI changes the pace of those threats rather than replacing them.
FAQ – What BakerHostetler’s 2026 DSIR Report Means For AI Risk And Cyber Insurance
The report shows a shift toward data theft and extortion without encryption. Threat actors increasingly use stolen data as leverage.
Data theft can trigger many costs at once. Those can include breach response, notification, regulatory scrutiny, lawsuits, and reputational damage.
A quarter of the incidents BakerHostetler handled involved a vendor. That shows how third-party failures can widen cyber exposure.
Yes. The report says lawsuits followed 68 of 482 disclosed incidents in 2025, up from 51 in 2024. Larger organizations remained attractive targets for plaintiffs.
The threat landscape still looks familiar, but it moves faster now. Organizations need stronger controls, faster response planning, and better vendor oversight as AI risk grows.