One Ransomware Group. One Device. Nearly Half Of All Claims. At-Bay’s 2026 InsurSec Report

At-Bay’s analysis of more than 6,500 claims documents how Akira ransomware and a single VPN brand reshaped the cyber insurance loss landscape in 2025.

Cyber insurance claims hit record highs in 2025. Frequency rose 7% year-over-year. Average severity climbed to an all-time high of $221,000. Those are the headline numbers. The story behind them is more specific and more alarming. One ransomware group, Akira, accounted for more than 40% of all ransomware claims in At-Bay’s portfolio. One device type, SonicWall, was present in 86% of Akira’s attacks. One entry vector, VPNs, drove 73% of all ransomware incidents. At-Bay CISO Adam Tyra said the data signals “a decisive shift” in how attackers operate. The 2026 InsurSec Report, drawn from over 100,000 policy years of claims data, documents that shift in full.

The VPN Problem Reaches A Tipping Point

Remote access tools now dominate ransomware entry vectors by a wide margin. VPNs accounted for 73% of all ransomware attacks with an identified entry vector in 2025, up from 38% just two years earlier. Combined with Remote Desktop Protocol, remote access tools triggered 87% of all ransomware claims. Email, once a significant ransomware entry point, produced zero ransomware claims in At-Bay’s 2025 portfolio. Attackers went where the openings were. In 2025, those openings were almost exclusively in remote access infrastructure. This represents a shift from At-Bay’s 2025 InsurSec Rankings Report, which identified Cisco and Citrix VPNs as the highest-risk products for ransomware and found that self-managed on-premise VPNs carried 3.7 times the risk of cloud-based alternatives. The 2026 data confirms that the warning was well-founded and that the threat has since concentrated further.

At-Bay 2026 InsurSec Report shows Akira ransomware drove over 40% of all ransomware cyber insurance claims in 2025, with SonicWall VPNs present in 86% of attacks.

Akira: A Ransomware Group That Changed The Rules

Akira chose its victims based on their infrastructure, not their industry or revenue. Any organization using a SonicWall device was at risk. This approach made Akira especially effective, causing a 53% jump in ransomware cases in the second half of 2025. The group’s ransom demands averaged $1.2 million, which was 50% higher than other groups. Most attacks happened at night or on weekends, and most victims had no monitoring in place when the attack started. The report found that every business that avoided encryption during an Akira attack had 24/7 Managed Detection and Response. Tyra put it simply: “Even the best security tools still need skilled professionals to operate them.”

Small Businesses Took The Hardest Hit

Ransomware attackers also targeted small companies. Businesses with less than $25 million in revenue saw ransomware cases rise by 21% and the average loss jump 40% to $422,000, the biggest increase among all revenue groups. The idea that small businesses are less likely to be attacked is no longer true. Akira found SonicWall devices in organizations of all sizes, so a $10 million company faced the same risk as a $200 million one. This trend builds on At-Bay’s earlier findings. In 2024, we reported that mid-sized companies were seeing more ransomware attacks. The 2026 data shows that now even the smallest businesses are under pressure.

Business Interruption: The Loss Multiplier CFOs Miss

Ransom demands get the headlines, but business interruption causes the biggest financial losses. Ransomware claims with business interruption coverage averaged $510,000, three times higher than claims without it. In 2025, one in three ransomware victims experienced business interruption, and one in ten had downtime lasting over 30 days. The largest business interruption claim reached $5 million, the policy limit, and the real loss was likely even higher. For CFOs and General Counsel, business interruption turns cyber risk into a financial issue. While ransom amounts can be negotiated, lost revenue from downtime cannot. At-Bay created coverage to address this, launching InsurSec solutions in late 2025 with zero retention on ransomware incidents and automatic flat renewals, responding to the rising severity now confirmed in this report.

Financial Fraud: The Most Common And Most Misunderstood Threat

Financial fraud was the most common incident in 2025, making up 30% of all claims. The average amount stolen rose 16% to $285,000, with the largest theft at $9.65 million. Email was used in 82% of these cases. Attackers now use advanced social engineering, sending malicious links through trusted platforms instead of simple phishing. Cloudflare was involved in 69% of abused infrastructure alerts tracked by At-Bay from September 2025 to March 2026. Generative AI has made it easier to create convincing fraud emails, and most older email security tools are not stopping them. We have previously reported on these weaknesses, and the 2026 InsurSec Report shows they still exist. Quick action after a fraud incident is crucial. Policyholders who contacted At-Bay within three days recovered funds 70% of the time, while those who waited over 30 days recovered only 27%. In 2025, At-Bay recovered $56 million in stolen funds for its clients.

Third-Party Liability: The Delayed Fuse

Third-party liability claims jumped 70% in 2025, the largest increase of any incident type At-Bay tracks. This category covers class action lawsuits and litigation arising from data breaches, with California’s Invasion of Privacy Act driving 34% of third-party liability claims, up from 7% in 2023. Class actions are arriving faster and with lower thresholds than before. Plaintiffs’ attorneys now file suits with far fewer affected individuals than historically required. Multiple class actions filed simultaneously for the same incident increase both cost and complexity. The financial risk persists well beyond the incident. A company that rebuilds its systems after a ransomware attack can still face a class action lawsuit months later, adding years of legal proceedings, defense costs, and public or reputational scrutiny. Ransomware claims were the most likely to generate class action suits, with 6% eventually triggering legal action. For General Counsel, third-party liability transforms a security incident into a multi-year legal liability. We previously reported on how small and mid-market businesses confront rising cyber risk exposure without the legal infrastructure larger enterprises use to manage it. The third-party liability data in this report puts hard numbers on that exposure.

What The Data Tells Underwriters

At-Bay’s report has clear takeaways for underwriters. Three main trends now shape cyber risk. First, unpatched, on-premise VPNs remain the top way ransomware gets in, and this is unlikely to change soon. Second, financial fraud is increasing in both frequency and average loss, driven by AI tools that defeat older email defenses. Third, third-party liability carries long-term risks that can cost more than the incident itself. The report shows that outcomes depend on choices made before a crisis: which tools are used, who monitors them, and how quickly a company responds. Every business in At-Bay’s portfolio that faced an Akira attack and avoided encryption had one thing in common: 24/7 human-led Managed Detection and Response. This single factor made the difference between a manageable event and a disaster.

FAQ At-Bay 2026 InsurSec Report

What were the biggest ransomware trends in 2025 according to At-Bay?

At-Bay’s 2026 InsurSec Report found that Akira ransomware accounted for more than 40% of all ransomware claims — the highest single-strain concentration At-Bay has ever recorded. VPNs drove 73% of ransomware entry vectors, up from 38% in 2023. SonicWall devices were present in 86% of Akira attacks. Average ransomware severity rose 16% to $508,000.

Why did small businesses face higher ransomware losses in 2025?

Akira’s infrastructure-driven targeting model attacked any organization running a SonicWall VPN appliance, regardless of size. Companies with under $25 million in revenue saw ransomware frequency jump 21% and severity surge 40% to $422,000. Smaller businesses are less likely to have dedicated security staff or 24/7 monitoring, making them easier targets once attackers gain initial access.

What is the business interruption risk from ransomware attacks?

One in three ransomware claims triggered business interruption coverage in 2025. Claims with business interruption averaged $510,000 in severity — three times the $168,000 average for claims without it. One in ten ransomware victims faced downtime exceeding 30 days. The largest single business interruption claim reached $5 million, the policy limit for that insured.

How does Managed Detection and Response protect against ransomware?

Every At-Bay policyholder that faced an Akira attack and avoided full encryption had 24/7 human-led Managed Detection and Response in place. MDR teams can identify lateral movement within minutes and contain threats before encryption completes. Not a single At-Bay MDR customer filed an Akira claim in 2025. EDR tools alone — without human monitoring — did not prevent encryption: 60% of Akira victims had a leading EDR solution deployed.

Why are third-party liability claims rising so fast?

Third-party liability claims jumped 70% in 2025, driven by class action lawsuits and litigation under California’s Invasion of Privacy Act (CIPA). CIPA liability arises from website tracking technologies that capture user data without proper consent. Class action thresholds have dropped, plaintiffs’ attorneys are organizing faster, and multiple lawsuits are now commonly filed simultaneously for a single incident — increasing both cost and legal complexity.

What should underwriters take from the At-Bay 2026 InsurSec Report?

Three structural risks now define the claims environment: unpatched on-premise VPN appliances as the dominant ransomware entry point; AI-assisted financial fraud outpacing legacy email defenses; and third-party liability creating long-tail exposure after primary incidents are resolved. Underwriters should treat VPN inventory, MDR coverage, and third-party liability limits as core underwriting variables rather than supplementary disclosures.
