The Breach Nobody Saw Coming
Imagine it’s Tuesday morning. The CFO gets a call: systems are locked, and a ransom note appears on the screen. The attacker didn’t break in physically; they used a stolen password. This happened to seven out of ten organizations Sophos surveyed last year. The State of Identity Security 2026 report, based on input from 5,000 IT and cybersecurity leaders in 17 countries, shows just how serious identity-driven risks have become. For underwriters, brokers, CFOs, and General Counsel involved in cyber insurance, this report feels more like a preview of future claims than a simple survey.
The Scale Of The Problem
Sophos found that 71% of organizations had at least one identity-related breach in the past year. On average, affected organizations faced 3.1 attacks. One in twenty reported six or more breaches in a single year. No region was spared. Even Germany, with the lowest national breach rate at 62.6%, saw most organizations affected. Switzerland had the highest rate at 88.7%, followed by Mexico at 83.3% and Italy at 80%. The UK’s rate was 65.3%, below the global average but still significant. The energy, oil, gas, and utilities sector had the highest industry rate at 80.3%, while financial services matched the overall average at 71%.
Smaller organizations face a particular detection problem. Among firms with 100 to 250 employees, 19.4% could not stop their most significant identity attack before damage occurred — nearly double the rate of organizations with 1,001 to 3,000 employees. Sophos X-Ops noted that identity-related attacks drove “67% of all incidents investigated by Sophos Incident Response and Sophos MDR in 2025.” That figure lines up with our earlier coverage of the Sophos Active Adversary Report, which found attackers logging in rather than breaking in as the dominant pattern across 661 cases.
The Identity-To-Ransomware Pipeline
One of the report’s most important findings is that two-thirds of ransomware victims (66.5%) said the ransomware attack was the same event as their biggest identity breach. This means identity compromise is now a main way ransomware spreads. For organizations that suffered a full breach, data theft (48.8%) and ransomware (48.4%) were almost equally common. Financial theft affected 46.7% of victims, and 43.9% faced extortion. Most breaches led to more than one serious consequence.
The Silent Threat: Non-Human Identities
Human error led all root causes at 42.7%. Close behind sits a problem most boardrooms have not yet named: weak non-human identity management, cited in 40.6% of breaches. Non-human identities (API keys, service accounts, OAuth tokens, and AI agents) can outnumber human credentials at ratios above 100:1. They rarely expire. They are rarely audited. Only 34% of organizations rotate or audit service accounts weekly or more often, and just 11% do so continually. Sophos X-Ops observed that “MFA was unavailable on the targeted system in 59.5% of MDR cases” analyzed for its 2025 Active Adversary report. Agentic AI makes this worse. Every AI agent needs its own credentials. Agents can spin up sub-agents autonomously, each generating new access rights without human oversight. Security frameworks built for human users were never designed for this.
Organizations that do not manage non-human identities well pay a price. They experience financial theft rates 28% higher than average and extortion rates 24% higher. Their total recovery costs are almost $150,000 more than organizations with better controls.
The Financial Reckoning
When an identity breach happens, the costs are significant. The global average recovery cost was $1.64 million, with a median of $750,000. Almost three-quarters of affected organizations reported costs of $250,000 or more. Companies with 3,001 to 5,000 employees faced average costs of $2.45 million. Even the smallest firms, with 100 to 250 employees, averaged $1.13 million. No organization escapes high costs.
The Hygiene Gap Is Staggering
The report looked at five key identity management practices. The findings are especially useful for those creating underwriting questions. Only 24% of organizations monitor for unusual login attempts all the time. More than half check only once a quarter or less. Just 11% regularly rotate or audit non-human identities, and only 10.5% continually review identity governance policies. One-third review these policies no more than quarterly, and another third do so every six months. These gaps give attackers opportunities.
What This Means For Cyber Insurance Underwriting
This report lands at a moment when the industry is actively rethinking how it assesses risk. Our podcast with Sophos Global GM of Cyber Insurance Jessica Newman made the same argument Newman has pressed across the market: underwriters need verifiable evidence, not self-reported checkboxes. The identity hygiene data in this report is precisely the evidence gap she described. An applicant who says they monitor logins continually but actually checks quarterly represents a different risk category entirely. The Sophos and Spektrum Labs FastTrack program is one structural response to this problem, connecting MDR telemetry directly to underwriting workflows. The report gives that initiative a sharper urgency. Identity security hygiene is measurable, auditable, and directly correlated with breach outcomes and recovery costs. Carriers that build this into their underwriting criteria will price risk more accurately than those relying on annual forms. For CFOs and General Counsel, the message is equally plain. A $1.64 million average recovery cost changes the conversation about cyber insurance spend. Identity controls are now a balance sheet issue, not an IT checkbox.
FAQ — Identity Security And Cyber Insurance
Identity security covers how organizations manage access for employees, contractors, and automated systems. Attackers now target login credentials more than software vulnerabilities. Insurers increasingly treat identity controls as a core underwriting factor.
Non-human identities are digital credentials assigned to software, systems, and automated processes, including AI agents, API keys, and service accounts. They can be stolen and misused like passwords. Most organizations audit them rarely, which creates exploitable gaps.
Stolen credentials give attackers legitimate access to systems. From there, they move across networks, reach critical infrastructure, and deploy ransomware. Sophos found that two-thirds of ransomware victims traced the incident to an identity breach.
Organizations with weak identity controls face higher breach rates and higher recovery costs. Carriers that factor identity hygiene into underwriting will differentiate risk more precisely. Strong controls, continual monitoring, regular NHI audits, and enforced MFA may support better terms.
Start with MFA coverage and configuration. Verify it actually works across all systems. Then audit non-human identities: how many exist, who manages them, and how often credentials rotate. Both are measurable, addressable, and directly linked to breach probability and cost.
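The audit described above (count the non-human identities, check who owns them, check how often their credentials rotate, and verify MFA on human accounts) reduces to a few measurable checks over an identity inventory. The script below is an added illustration, not code from Sophos or from the report: it assumes the inventory has been exported as a CSV with the columns `name`, `kind`, `owner`, `last_rotated` and `mfa_enabled` (a constructed layout, with constructed sample rows), and that the organization’s rotation policy is expressed as a maximum credential age in days.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Identity:
    name: str
    kind: str                  # "human" or "non-human" (service account, API key, token, AI agent)
    owner: Optional[str]       # accountable person or team; None means nobody manages it
    last_rotated: datetime     # last password / key / token rotation, timezone-aware
    mfa_enabled: bool          # meaningful for human accounts


# Constructed sample export (assumed column layout); these are not real accounts.
SAMPLE_CSV = """name,kind,owner,last_rotated,mfa_enabled
alice,human,alice,2026-02-09T00:00:00Z,true
bob,human,bob,2025-01-26T00:00:00Z,false
svc-backup,non-human,platform-team,2026-02-26T00:00:00Z,false
svc-legacy-etl,non-human,,2023-09-14T00:00:00Z,false
apikey-ci-deploy,non-human,devops,2026-01-15T00:00:00Z,false
agent-support-bot,non-human,,2026-02-19T00:00:00Z,false
"""

# Fixed reference time so the audit is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def parse_inventory(text: str) -> list:
    """Parse the CSV export into Identity records; an empty owner field becomes None."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(Identity(
            name=r["name"].strip(),
            kind=r["kind"].strip().lower(),
            owner=r["owner"].strip() or None,
            last_rotated=datetime.fromisoformat(r["last_rotated"].strip().replace("Z", "+00:00")),
            mfa_enabled=r["mfa_enabled"].strip().lower() == "true",
        ))
    return rows


def audit(inventory: list, now: datetime = NOW, max_age_days: int = 90) -> dict:
    """Produce the hygiene figures an underwriter would ask for.

    max_age_days is the assumed rotation policy: any non-human credential older
    than this is reported as stale.
    """
    humans = [i for i in inventory if i.kind == "human"]
    nhis = [i for i in inventory if i.kind == "non-human"]

    stale = [i.name for i in nhis if (now - i.last_rotated).days > max_age_days]
    unowned = [i.name for i in nhis if i.owner is None]
    no_mfa = [i.name for i in humans if not i.mfa_enabled]

    return {
        "human_count": len(humans),
        "nhi_count": len(nhis),
        # how far the non-human population outnumbers people
        "nhi_to_human_ratio": round(len(nhis) / len(humans), 2) if humans else None,
        "stale_nhis": sorted(stale),
        "unowned_nhis": sorted(unowned),
        "humans_without_mfa": sorted(no_mfa),
        "mfa_coverage_pct": round(100 * (len(humans) - len(no_mfa)) / len(humans), 1) if humans else None,
    }


if __name__ == "__main__":
    report = audit(parse_inventory(SAMPLE_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it against the sample rows reports four non-human identities against two humans, one credential (`svc-legacy-etl`) that has not been rotated within the 90-day policy, two identities with no owner, and MFA coverage of 50% among human accounts. Tightening `max_age_days` to 30 also flags `apikey-ci-deploy`, which is the kind of difference between a claimed and an actual rotation cadence that the underwriting discussion above is about.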