Cyberattacks Grow Costlier Despite Decline in Claims

In a landscape where cyber threats evolve at a relentless pace, understanding the latest trends in cyberattacks and cyber insurance is crucial for businesses and insurers alike. Today, we’re joined by Simon Glairy, a renowned expert in insurance and Insurtech, with deep expertise in risk management and AI-driven risk assessment. With his finger on the pulse of cyber risk, Simon offers invaluable insights into the shifting dynamics of ransomware, vendor vulnerabilities, and the financial fallout of breaches. In this conversation, we explore why cyber losses are becoming more severe despite fewer claims, the persistent dominance of ransomware, and the emerging tactics cybercriminals are using to exploit weaknesses.

Can you walk us through what’s meant by a ‘return to operational equilibrium’ in the context of the 53% drop in cyber insurance claims reported recently?

Thanks for having me, Benjamin. The ‘return to operational equilibrium’ refers to a stabilization in the cyber risk landscape after years of volatility. The 53% drop in claims suggests that organizations are seeing fewer incidents escalate into significant financial losses, possibly due to better cybersecurity measures or quicker incident response. However, it’s not all good news. This drop doesn’t necessarily mean fewer attacks are happening—it could also reflect underreporting or incidents not reaching the threshold for claims. Many companies are also becoming more self-reliant, handling smaller breaches internally without involving insurers. But when attacks do break through, the damage is often far worse, as we’re seeing with the severity of losses spiking.

What do you think is driving the increased severity of losses from successful cyberattacks, even as the number of claims declines?

The rise in severity comes down to attackers becoming more strategic. Cybercriminals are focusing on high-value targets—think critical infrastructure, large enterprises, or supply chain linchpins—where a single breach can cause massive disruption. This ties directly to the 17% increase in ransomware claim losses. Attackers are also leveraging more sophisticated methods, like double or triple extortion, where they not only encrypt data but threaten to leak it or target additional systems. This multi-layered approach amplifies the financial and reputational damage, pushing losses higher even if fewer incidents are reported as claims.

Ransomware continues to dominate, accounting for a staggering 76% of incurred losses. Why is it still such a persistent threat compared to other types of cyberattacks?

Ransomware’s dominance stems from its direct path to monetization—attackers can lock up a company’s data and demand payment with immediate impact. Unlike other attacks, like data theft, which might take time to turn into profit, ransomware creates instant leverage. It’s also incredibly adaptable; attackers keep evolving their tactics to bypass defenses. Certain sectors, like healthcare and manufacturing, are particularly vulnerable due to their reliance on uptime and sensitive data. Smaller companies often lack robust defenses, making them easy targets too. Even with fewer ransom payments, reducing losses is tough because the cost of downtime, recovery, and reputational harm often dwarfs the ransom itself.

Speaking of payments, only 14% of ransomware victims paid extortion demands in 2025. What’s behind this significant drop in payment rates?

This drop reflects a growing resilience among organizations. Many are investing in better backup systems and recovery plans, allowing them to restore operations without paying. There’s also a cultural shift—companies are increasingly unwilling to give in, recognizing that payment doesn’t guarantee data recovery and may invite future attacks. Government regulations and law enforcement advisories discouraging payments play a role too. Even with tactics like double or triple extortion adding pressure, businesses are leaning on cyber insurance and incident response teams to navigate these crises without capitulating.

One alarming trend is attackers accessing copies of cyber insurance policies to tailor their ransom demands. How are they managing to get their hands on this information?

This is a sophisticated and troubling development. Attackers often gain access through initial breaches—think phishing or exploiting a weak vendor system—where they rummage through internal documents, emails, or shared drives for policy details. Sometimes, they target insurers or brokers directly. Once they have the policy limits, they calibrate their demands to match or exceed coverage, maximizing pressure. It’s a stark reminder of how interconnected and exposed digital environments are. Companies and insurers need to treat policy details like any other sensitive data, limiting access, encrypting files, and scrutinizing how information is shared with third parties.

Vendor-related risks are another major concern, often leading to significant losses. Why are third-party vendors proving to be such a weak link in cybersecurity?

Vendors are often a weak link because they’re an extension of a company’s attack surface, but not always under the same level of control or scrutiny. Many vendors, especially smaller ones, lack the resources for top-tier cybersecurity, making them easy entry points for attackers. When a vendor is compromised, the ripple effect can hit multiple clients, amplifying the damage. Software providers, IT service firms, and cloud platforms are frequent targets due to their access to client systems. Companies need to enforce stricter vendor risk assessments, demand transparency on security practices, and build contractual safeguards to mitigate these risks.

Phishing remains a common entry point for attacks, driving nearly half of incurred losses. How are evolving tactics like AI-powered social engineering making this threat even harder to combat?

Phishing has always been effective because it exploits human error, but AI-powered social engineering takes it to another level. Attackers now use tools like voice synthesis to impersonate executives or browser-based phishing to bypass traditional email filters. SIM swapping lets them intercept two-factor authentication codes, and AI helps craft hyper-personalized messages that are tough to spot. This has led to an explosion in credential compromises, as people are tricked into handing over access. Defending against this requires a mix of advanced tech, like behavioral analytics to detect anomalies, and ongoing employee training to recognize these increasingly convincing scams.

What’s your forecast for the future of cyber risk, especially as attackers continue to target critical sectors and refine their methods?

Looking ahead, I expect cyber risk to become even more systemic as digitization deepens across sectors like healthcare, supply chains, and public services. Attackers will keep honing their focus on high-impact targets, using AI and real-time social engineering to exploit vulnerabilities faster than defenses can adapt. Ransomware isn’t going away—it’ll likely evolve with new extortion tactics. For insurers, pricing this risk will be a challenge as losses grow less predictable. My forecast is that we’ll see more collaboration between businesses, governments, and insurers to build collective defenses, but it’s going to be a race against increasingly agile and resourceful adversaries.
