Average initial ransom demand (based on all cases with ransom demand) in 2019: $7.77 million.

Between 2019 and 2023, other sectors experienced large losses primarily from ransomware (53.1%), followed by data breaches (25.0%) and other causes (21.9%).

Between 2019 and 2023, healthcare experienced large losses primarily from ransomware (57.1%), followed by data breaches (28.6%) and other causes (14.3%).

Healthcare, retail, and manufacturing remained the most targeted sectors.

Companies with revenues between $250M and $500M had an average relative frequency of large claims on primary policies of 1.19.

In 6.4% of cases since 2019, the attackers themselves disclosed the breach.

Privacy and cyber security coverage was triggered in 13.2% of all claims, with a higher prevalence in excess claims(22.2%) compared to primary claims (9.4%).

In 42.9% of cases prior to 2019, breaches were first flagged by outside parties such as security firms, regulators, or customers.

In 10.2% of large ransomware claims, the attack vector was either different or unknown.

On average, businesses across all industries experienced 69 days of operational disruption due to ransomware attacks.

In 7.1% of cases prior to 2019, the hackers themselves revealed the breach.

In 10.6% of cases since 2019, the source of detection was unknown or other.

Across all data breach cases combined, the average time to notice an attacker was 45 days since 2019.

In 2020, organizations took an average of 54 days to restore operations after a ransomware attack.

For data breach cases where the attacker was detected by internal IT staff or an outsourced cybersecurity provider (OCP), it took an average of 35 days to notice the attacker since 2019.

For data breach cases where the attacker was detected by a third-party, it took an average of 91 days to notice the attacker since 2019.

Data breach response / crisis management coverage was triggered in 24.5% of all claims overall, with a slightly higher incidence in excess claims (26.7%) compared to primary claims (23.6%).

Extortion coverage was triggered in 11.9% of all claims, showing a significant difference between primary claims(15.6%) and excess claims (3.3%), indicating it is far more common at the primary layer.

Other insuring agreements (average) were triggered as the main driver of loss in 1.6% of claims, triggered with some loss impact in 1.4%, triggered with no loss impact known in 0.5%, and not triggered in 96.6%.

2018: 46.2% of large losses came from other causes, 37.9% from data breaches, and 15.9% from ransomware. Ransomware started to emerge as a meaningful driver of big cyber claims.