Estimated reading time: 9 minutes
The U.S. cyber insurance market faces a stark new reality. Premiums fell for the first time to $9.14 billion, according to AM Best, just as cyber insurance claims jumped 40%. Cowbell’s 2026 Claims Report, built on 18 months of incident data, maps the forces driving this divergence. This market shift is critical for every CFO and general counsel buying or renewing coverage in 2026.
The Premium-Claims Paradox
Claims are now higher than premiums, which means the market is riskier. Ransomware is a major factor, making up 19% of Cowbell’s claims from 2022 to 2025. Average ransom payments dropped by 44% thanks to better negotiation and faster claims handling. Proactive negotiation reduced Cowbell‘s average ransom demands by 65%. Still, results vary a lot depending on who is behind the attack, how sensitive the data is, and how quickly the situation is contained.
Three Incident Types Drive Most Losses
A closer look at losses shows three main types in Cowbell’s cyber insurance claims: data breaches (33.5%), mostly from stolen credentials and system weaknesses; cybercrime (31.8%), often caused by phishing, business email compromise, and funds transfer fraud; and extortion events, mainly ransomware (18.3%). The other 16.4% comes from different incident types. Business email compromise deserves special attention from finance and legal teams, since these attacks use impersonation and AI-generated messages to steal money. In 2026, BEC remains one of the most costly cybercrimes.
The Human Error Problem
The report shows that human error is involved in 74% to 95% of breaches. In 2025, attackers launched 3.8 million phishing attacks worldwide, highlighting a gap between risk and prevention efforts. Multi-factor authentication, employee training, and quick incident response are still the best defenses. Cowbell’s data also shows that training leads to better results. Lili Knushaj, Director of Claims at Cowbell, put it simply: “Taking ownership of your cyber resiliency does reflect the underwriting decision.” Companies that train all computer users get broader coverage, higher limits, and discounts on premiums. Regulators and lawyers are more likely to see a lack of training as a sign of negligence.
Seven Groups, Most Of The Damage
Cowbell identified seven ransomware groups behind 69% of attributed attacks. Two groups dominate. Akira accounts for 38.8% of identified cases. It targets small and mid-sized businesses by exploiting VPNs and weaknesses in remote access. Qilin accounts for 14.2%. It operates as a ransomware-as-a-service platform aimed at high-value enterprise targets. RansomHub, Lynx, InterLock, PLAY, and INC Ransom account for the remainder. Ransomware attacks surged 45% in 2025. Qilin and Akira overtook RansomHub and Lynx by mid-year, targeting manufacturing and SMEs through unpatched SonicWall devices and remote desktop vulnerabilities. The two groups also behave differently at the negotiating table. Akira shows moderate flexibility in negotiations. Qilin holds tighter positions when data leverage is high. Law enforcement actions create disruption, but Knushaj cautions against overestimating the impact of enforcement. “The group itself is not limited, which means that disruptions are short lasting.” New affiliates absorb the infrastructure and resume operations quickly.
Sectors Facing The Highest Exposure
Five sectors have more cyber insurance claims than average. Professional services firms, like law firms, handle a lot of sensitive client data and often use older systems with weak security, making them top targets in 2026. Manufacturing companies rely on production systems that attackers can shut down, causing direct financial losses. Healthcare organizations face higher ransom demands because their critical care systems need quick solutions. Construction companies work with many subcontractors and complex supply chains, which increases their risk. Wholesale trade companies are open to fraud and disruption because of their connected supply chains and high transaction volumes. Industries with the most sensitive data usually face higher ransom demands and take longer to recover.
“Cyber Friday” And The Timing Of Attacks
Cowbell consistently observes a surge in new cyber insurance claims every Friday, driven by threat actors exploiting weekends to evade detection. Consequently, businesses often uncover incidents upon employees’ return on Monday or after extended holidays. This trend necessitates that legal and finance teams’ incident response plans incorporate robust after-hours escalation protocols with explicit decision rights. Cowbell’s claims hotline operates 24/7/365, ensuring initial claim acknowledgment and ransomware first response within one hour.
Watch Our Podcast featuring Trent Cooksley, Cowbell COO
Ransom Dynamics Shift Toward Data Extortion
Ransomware demands have changed. Attackers now often skip encryption and focus on stealing data, asking for payment to keep or destroy stolen information instead of giving back a decryption key. This change brings new challenges for handling claims and writing policies. Cowbell now focuses its claims process on data classification, regulatory risk, and third-party liability. As Knushaj explains, the main problem is that “data deletion is unverifiable,” so paying for suppression carries financial and legal risks. These payments are considered carefully, along with the full costs of response and legal preparation. To manage these risks, policy language is being updated to cover disclosure threats. Sub-limits for data extortion payments are more common, and separate coverage for response costs, breach notification, and regulatory defense is becoming standard in top cyber insurance products.
What Business Leaders Should Expect Through 2026
Cowbell’s report highlights six key trends shaping this year’s cyber insurance claims. As law enforcement puts more pressure on big groups, smaller and more flexible threat groups are expected to appear. Professional services firms will still be main targets. AI-powered phone scams will increase social engineering risks, expanding attacks beyond email. Litigation risk will go up if breach disclosures are lacking. Business interruption, listed as a top-three global risk by the Allianz Risk Barometer 2026, will keep causing losses. Ransom strategies will focus more on data suppression payments instead of encryption, making coverage and claims harder to resolve.
Get The Cyber Insurance News Upload Delivered
Subscribe to our newsletter!
The Strategic Takeaway
Business leaders should see this report as a sign for pricing strategy. In 2026, CFOs and general counsel need to react to lower premiums and higher claims, which will lead to stricter renewal terms. Investing in employee training, strong backups, and required MFA leads to better coverage and security. Cowbell’s data shows that being prepared directly affects premiums and claim severity. The results are clear: preparation works.
