Willis says most cyber breach losses are covered

Cyber insurance is delivering meaningful financial protection, with more than 95% of average data breach losses and 90% of average first-party losses adequately covered by insurance, according to Willis.

The findings come from the broker’s latest report, “Cyber claims in Focus, Getting value from cyber insurance”, which analysed 5,500 cyber claims from January 2013 to January 2026.

The dataset spans 95 countries and around $1bn in insurer payments.

Willis said data breaches remain the most frequently reported cyber insurance loss, with malicious data breaches accounting for the majority of incidents.

Ransomware losses showed the highest financial severity, largely driven by disrupted productivity and prolonged downtime following an attack.

The report also found that third-party vendors are responsible for an increasing proportion of losses.

Willis said systemic risk from single vendor incidents affecting multiple organisations remains a critical concern for the cyber insurance market.

The average ransomware event lasts 25 days and generates an average loss of $5.3m.

The largest single ransomware loss now exceeds $500m, according to the report.

Willis said artificial intelligence is not yet appearing as a stand-alone driver of cyber insurance claims.

However, the broker said AI is increasing risk volatility by amplifying existing threats, including social engineering, deepfake phishing and ransomware attacks.

Events where attackers target organisations’ systems directly account for 58% of ransomware notifications and 95% of total costs.

Vendor-led incidents account for 42% of ransomware notifications, but only 5% of costs.

Willis said business interruption losses and ransom payments are the two largest cost elements for ransomware events.

Average ransom demands now stand at $3.8m, compared with an average actual payment of $1.5m.

Third parties are responsible for nearly 50% of data breach losses and 29% of first-party losses.

The report also identified pixel-tracking litigation as a hidden cyber insurance risk, with some cases leading to substantial losses across the wider market.

Willis included industry spotlights on financial institutions, healthcare, transportation and manufacturing.

Peter Foster, chairman, global FINEX cyber and cyber risk solutions at Willis, said: “Cyber insurance cover varies widely, which is why organizations must understand what they have in place and ensure it aligns with their risk exposures.

“When cover doesn’t reflect reality, organizations risk critical gaps where protection is needed most, while paying for cover that offers little real value.

“To get the strongest value from cyber insurance, consideration must reflect the claims patterns seen across the market.

“Our analysis of claims and loss data provides hints to understand how cyber losses occur and what that means for organizations, helping them to prioritise the most material scenarios and design coverage around these realities,” Foster added.

The WTW report can be downloaded here.