Ransomware and Third-Party Vendors Drive Highest Cyber Insurance Losses, Willis Report Finds

Ransomware remains the costliest category of cyber event while third-party vendor incidents are responsible for a growing share of losses, according to Willis.
June 19, 2026

Cyber insurance is covering more than 95% of the average data breach loss and 90% of the average first-party loss for policyholders, according to a new report from Willis.

The report identifies ransomware, third-party vendor failures, and the amplifying effects of artificial intelligence as forces shaping cyber insurance losses, and notes that organizations whose policy limits and response plans do not reflect their actual risk profile face heightened exposure.

“Cyber insurance cover varies widely, which is why organizations must understand what they have in place and ensure it aligns with their risk exposures,” said Peter Foster, chairman, global FINEX cyber and cyber risk solutions at Willis. “When cover doesn’t reflect reality, organizations risk critical gaps where protection is needed most, while paying for cover that offers little real value.”

The report draws on approximately 5,500 claims from more than 95 countries and roughly $1 billion in insurer payments spanning 2013 to January 2026.

Ransomware Losses Exceed Expectations and Policy Limits

Ransomware carries the highest financial severity of any cyber event category in the Willis dataset, with costs largely driven by disrupted productivity and prolonged downtime. The report noted that organizational disruption from ransomware is often greater than anticipated, which can lead to underinsurance, particularly for businesses that rely on time-sensitive systems.

A case study in the report illustrated the exposure: attackers encrypted critical systems across multiple production sites at a global manufacturing company, and although the business disconnected affected plants within two hours, operations were disrupted for several weeks. Total costs exceeded $80 million, with business interruption costs alone reaching the maximum the manufacturer’s cyber policy could pay out.

Manufacturing accounts for roughly 13% of all cyber notifications in the Willis dataset, with ransomware identified as the top driver of the most costly and damaging events in that sector. The report also notes that direct attacks on an organization tend to be discovered faster than vendor-originating ransomware events, meaning third-party incidents can add days to total incident duration and complicate recovery.

The report recommends that organizations develop ransomware-specific response plans that incorporate their cyber insurance details, including insurer-approved incident response vendors and notification requirements. It also recommends identifying and quantifying specific ransomware scenarios, including what a 25-day ransomware incident would cost, to confirm that policy limits are adequate.

Third-Party Vendor Exposure Extends Beyond Technology Providers

Third-party vendors account for an increasing proportion of cyber losses in the Willis dataset, and the report warns that exposure is not confined to technology vendors. Administrative and support service providers represent another source of risk, and a single third-party incident can simultaneously affect multiple organizations.

A case study involving a major international transportation provider illustrated the gap between contractual protection and actual financial exposure. When a key third-party service provider experienced a cyber issue, the resulting loss exceeded the contractual indemnity provisions. Willis cyber specialists structured the organization’s cyber insurance coverage to pick up where the contract stopped, lowering upfront costs and covering most of the damage, the report said.

The report recommends that organizations regularly identify and monitor business-critical third-party vendors, review the extent of cyber coverage for third-party events, and confirm where liability sits contractually before an incident occurs. It also recommends checking vendors’ own cyber insurance.

Health care is particularly affected by third-party and data breach risks. The sector drives the highest share of cyber notifications in the dataset at 20%, with data breaches accounting for 45% of health care notifications. Ransomware incidents now represent 18% of health care notifications overall, with costs driven by business interruption, the report said.

AI and Regulation Are Reshaping Cyber Risk Exposures

AI is not yet appearing as a standalone driver of cyber insurance claims, the report found, but it is amplifying existing threats such as social engineering and ransomware, Willis said. Current cyber policies generally do not distinguish between AI-enabled and non-AI-enabled events and do not typically include AI exclusions. However, certain AI-related costs — including revenue loss from AI hallucination or data drift without a covered network outage, and the cost of retraining a compromised machine-learning model — are less likely to be covered under standard cyber policies.

Regulatory risk is also increasing costs, particularly for financial institutions. Loss severity for that sector is largely driven by regulatory and settlement costs, which account for nearly 70% of total losses incurred, according to the report. The average loss for financial institutions is $6.9 million, more than twice the average across all other claims in the dataset.

Obtain the full report here.

The R&I Editorial Team can be reached at [email protected].
