Cybercrime Risk By State: New Report Reveals High Exposure And Cost Pressures

Estimated reading time: 9 minutes

Nevada Leads In State Cybercrime Exposure

Where your company operates is now a cyber risk factor. Not in theory, in underwriting questionnaires, premium calculations, and coverage terms. A new April 2026 study from Floxy analyzed cybercrime statistics, digital privacy laws, and financial losses across all 50 states. The findings land directly on the desk of every CFO, general counsel, and risk manager in the country. Nevada sits at the top of the risk index. But the findings reach every boardroom, regardless of state. Cybercrime risk by state matters.

Nevada Ranks As The Most Digitally Vulnerable State In The US

Nevada scored 99 out of 100 on Floxy’s Privacy Risk Index. Cybercrime affects 523 residents per 100,000 people. Identity theft is the biggest issue, with 1,154 reported cases per 100,000 residents. Financial losses from cybercrime reach $8.09 million per 100,000 people. Nevada also scores zero out of ten on data protection laws. This mix of high crime rates, significant financial losses, and a lack of legal framework creates a risk profile that underwriters take seriously.

The FBI’s 2025 IC3 report on cybercrime reinforces the picture independently. Nevada ranked third nationally for cybercrime losses per 100,000 residents, with $9,208 in losses per capita behind only Washington, D.C., and California. That figure comes from a completely different methodology than the Floxy index, yet it arrives at the same conclusion. The national average for most states sits between $5,000 and $6,000 per capita. Nevada’s number is nearly double that. Nevada’s cyber exposure is not a statistical quirk. It is consistent across data sources.

For business leaders operating in Nevada, the combination of weak legal protections, high identity theft rates, and above-average financial losses creates a risk profile that affects insurance pricing, underwriting terms, and vendor qualification requirements.

Florida And Alaska Follow With Elevated Risk Profiles

Florida is second on the Floxy cybercrime risk index and also lacks formal data protection laws. The state sees high levels of fraud and identity theft. Fraud incidents reach 615 per 100,000 residents. Identity theft affects more than one in 100 people. Annual losses exceed $1 billion statewide.

The FBI’s 2025 data confirms Florida’s position. The state recorded the third-highest total complaints nationally at 71,843 and the third-highest losses at $1.596 billion. Losses per 100,000 residents reached $6,802, the seventh-highest in the country. For banks, insurers, and large employers operating in Florida, that combination of complaint volume, total loss, and per capita exposure places the state in a consistently high-risk tier across multiple independent data sources.

Alaska is third overall in the Floxy index but has a different risk profile. The state has fewer people but is more vulnerable to advanced scams. Alaska’s limited experience with artificial intelligence tools makes it more open to deepfake fraud, shown by its low digital literacy score. Identity theft and fraud are still the main threats. Annual losses are over $26 million, which is significant given Alaska’s small population. The FBI’s IC3 data shows Alaska ranking second nationally for complaints per 100,000 citizens at 434.3, behind only Washington, D.C. The per capita complaint rate tells a story that total numbers alone would miss entirely.

Wyoming Highlights Legal Gaps And Financial Impact

Wyoming is fourth in the Floxy index and shows a clear link between weak laws and financial loss. The state has no real privacy laws and scores zero in that area. Residents lose $7.3 million per 100,000 people, according to Floxy, the second-highest nationwide. Identity theft remains the leading crime type. Fraud and phishing add to the losses.

The FBI’s 2025 IC3 data delivers context. Wyoming’s losses per 100,000 citizens reached $4,386, placing it 28th nationally, a moderate ranking by volume, but meaningful given Wyoming’s small population base of fewer than 600,000 people. Total losses of $25.8 million in a state of that size represent a disproportionate financial burden. The data shows that strong laws help lower risk. For business leaders, Wyoming brings extra challenges for compliance and managing risk.

California Shows Strong Laws But High Losses

California ranks fifth in the Floxy index despite strong legal protections. The state earns a 9.4 score for data protection laws, the highest in the top ten. Still, financial losses are high. The FBI’s cybercrime report confirms the scale. California led the nation in total cybercrime losses at $3.675 billion and ranked second for losses per 100,000 citizens at $9,337, the highest of any state outside Washington, D.C. It also led all states in complaint volume at 116,414. The Floxy report and FBI cybercrime data together make the same point about California: strong laws reduce overall risk but do not stop a high number of incidents. Companies face threats driven by large attack surfaces and a massive population. Cybercrime costs California $2.5 billion each year, according to some measures, and identity theft affects almost one in 100 people. The lesson for risk managers is that legal frameworks are necessary but not sufficient.

Two Minute Watch – FBI Cybercrime

Personal Cybersecurity: Why You’re More Vulnerable Than You Think

Mid-Tier States Show Mixed Risk Drivers

Delaware, Washington, Colorado, Maryland, and New Jersey round out the Floxy middle tier, each with its own mix of risk factors. Delaware reports high rates of fraud and identity theft. Washington stands out for low digital and AI literacy. The Floxy report identifies it as the most digitally vulnerable state on that specific measure.

The FBI’s 2025 data adds precision to the Washington picture. The state ranked sixth nationally for complaints per 100,000 citizens at 320.2 and eleventh for total losses at $458 million. Colorado and Maryland have moderate crime rates but different levels of legal protection. New Jersey sees steady fraud and a medium financial impact, though the FBI data shows New Jersey ranking fifth nationally for total losses at $660 million, a figure that reflects the state’s concentration of financial services firms and high-value targets.

The main point for risk managers: organizations should look at laws, education, and demographics together. Crime rates alone do not tell the whole story.

Digital Literacy Emerges As A Key Risk Factor

The Floxy report puts a strong focus on digital literacy, measuring how well people can spot phishing and fraud. States with lower digital literacy are more likely to fall for scams, even if their overall crime rates are only moderate. The study also looks at internet access and the number of older residents, who face disproportionate risk.

The FBI’s cybercrime data makes the age dimension concrete. Adults over 60 filed 201,266 complaints in 2025, a 37% increase from 2024, and reported $7.748 billion in losses, up 59% year over year. The average loss for a victim over 60 was $38,500. For organizations with older employee populations or customer bases in lower digital literacy states, those numbers translate directly into training program priorities and incident response planning.

Legal Frameworks Shape Financial Outcomes

The Floxy analysis shows a clear link between laws and financial loss. States without privacy laws lose more money per person. Nevada, Florida, and Wyoming all lack key protections, and each ranks among the most vulnerable states in both the Floxy index and the FBI’s per capita loss data.

Aimen Hallou, Chief Technology Officer at Floxy, states that states without privacy laws leave residents exposed. “States without privacy laws on the books are essentially leaving residents to absorb that damage without any structural protection. A strong legal framework doesn’t guarantee safety, but the absence of one makes things measurably worse.” said Hallou. The FBI’s data supports that observation with hard numbers. The three-year loss comparison in the 2025 IC3 report shows business email compromise losses rising from $2.77 billion in 2024 to $3.046 billion in 2025. Investment fraud jumped from $6.57 billion to $8.648 billion in the same period. These are not static risks. They are accelerating ones, and states with weaker regulatory systems provide less friction for the attackers driving them.

Implications For CFOs And General Counsel

The findings give business leaders a lot to think about. CFOs need to consider regional risk differences when planning finances. Cyber insurance pricing often reflects regional risk states, with higher exposure meaning higher premiums and stricter underwriting requirements.

The FBI cybercrime report adds one number that belongs in every CFO briefing. The average loss per IC3 complaint in 2025 was $20,699. For organizations in high-exposure states like Nevada, Florida, or Alaska, that average reflects a floor, not a ceiling. Legal teams need to check compliance rules in every state where the organization operates. Even states with weak laws can expose companies to lawsuits following an incident.

Moving data across state lines adds complexity. Companies should match their controls to the highest standard required across their operating footprint. Using the strictest applicable rules helps lower compliance risk across the board.

Rising Costs Demand Strategic Response

Cybercrime losses are rising in every state. The Floxy report shows billions of dollars lost each year across the country. The FBI’s 2025 IC3 report puts a precise number on the national scale: $20.877 billion in total reported losses, a 26% increase from 2024, with complaints crossing one million for the first time in the center’s 25-year history.

Organizations need to improve internal controls, monitor vendors closely, invest in employee training, and plan for incident response. Insurance remains a key risk transfer tool. However, insurers now require stronger controls and evidence of resilience before binding coverage, a shift documented in both the Floxy findings and broader market data.

The report makes one thing clear: cyber risk varies by state, but no area is safe. Every organization needs to take action against cyber threats, no matter where they operate.

FAQ Cybercrime By State

Which state has the highest cybercrime risk?

Nevada ranks highest due to strong crime rates, high financial losses, and weak legal protections.

Why does cybercrime risk vary by state?

Risk varies due to crime rates, digital literacy, population factors, and state privacy laws.

How do privacy laws affect cyber risk?

Strong laws reduce exposure and losses. Weak laws increase financial and legal risk.

What role does digital literacy play in cybercrime?

Higher literacy helps people spot scams. Lower literacy increases vulnerability to fraud.

How should CFOs respond to state-level cyber risk?

CFOs should factor regional risk into insurance, budgeting, and financial planning decisions.

Do strong laws eliminate cybercrime risk?

Strong laws reduce risk but do not prevent incidents or financial losses.

Which industries face the highest exposure?

Financial services, healthcare, and retail face higher exposure due to sensitive data.

How does cybercrime affect insurance costs?

Higher risk states often lead to higher premiums and stricter underwriting standards.

What is the biggest type of cybercrime in high-risk states?

Identity theft ranks as the most common and costly cybercrime.

What steps can companies take to reduce risk?

Companies should train employees, improve controls, and maintain strong incident response plans.

Related Cyber Liability Insurance Posts

• Canada Tops FBI Cybercrime Complaints But Only 18% Of Small Businesses Have Cyber Insurance
• New Nevada Iaw Requires Cyber Insurance For HOAs(Opens in a new browser tab)
• Cybercrime Trends 2025: Small Businesses Face Rising Threats(Opens in a new browser tab)
• State of Nevada Has Enough Government Cyber Insurance to Cover Costs of Recent Hack(Opens in a new browser tab)
• The Small Business Cyber Insurance And Cyber Security Reality Check – NEW PODCAST