Cyber insurance claims data from leading cyber risk company Resilience reveals a dramatic evolution in the economics of cybercrime. An analysis of claims across Resilience’s client portfolio in 2025 showcases a remarkable shift in how threat actors execute prolonged attacks on organizations, while painting an increasingly common picture of the material consequences of cyber incidents, both in their immediate aftermath and in the shockwaves that follow.
Based on claims data and research from Resilience’s Risk Operations Center (ROC), Resilience’s 2025 Cyber Risk Report details a particularly complex challenge for organizations—and provides a unique look into how they can best mitigate material loss. In 2025:
- Extortion demands to suppress stolen data comprised less than half (49%) of all extortion claims in the first half of the year, then grew to nearly two-thirds (65%) in the second half. Across the entire year, data theft-only attacks accounted for more than half (57%) of all attacks, as hackers look to bypass organizations’ increasingly strong backup practices.
- Infostealers harvested more than 2 billion credentials and were frequently observed in victim organizations’ environments before ransomware attacks occurred, meaning that infostealer activity should be treated as a critical early warning signal requiring immediate action to prevent credential harvesting and prevent follow-on attacks.
- Threat groups like Interlock continued to find victim organizations’ cyber insurance policies among stolen data to better calibrate their ransom demands—maximizing payouts while staying below coverage limits.
- Vendor risk was the second-highest loss category across Resilience’s portfolio, representing nearly one-fifth (18%) of total losses. Threat actors are successfully leveraging password reset attacks and are increasingly infiltrating open-source code repositories that serve as the foundation for enterprise applications; this opens the door to an industry-wide cascade of short- and long-term disruption following the compromise of a critical vendor.
Taken together, the data points to a concerning new reality for organizations. Cyberattacks are more calculated, strategic, and well-planned; resulting losses can extend well beyond the moment they happen and accumulate over months and even years.
“Cyber risk is constantly changing. As cybercriminals shift their tactics, a new reality is setting in: the real risk is about more than a security incident’s immediate disruption, it’s about the long-tail aftershocks that follow,” said Vishaal “V8” Hariprasad, Co-Founder and CEO of Resilience. “Claims data gives us the best and most granular insight into the real-world costs of those shockwaves. Understanding the materiality of the full lifecycle of a cyber incident is the only way to meaningfully arm ourselves against advanced new tactics and grow more resilient to inevitable threats.”
Resilience’s report recommends that organizations work to meaningfully mitigate material losses by prioritizing investments in data loss prevention systems and zero-trust architecture, credential monitoring, vendor incident contingency plans, tabletop exercises, and comprehensive insurance coverage that reflects 2025’s severity levels rather than mere historical averages.
“Looking at the increasing professionalization of the threat landscape, it can be tempting to assume that there’s no recourse. But our latest findings give us incredibly useful insight into the incentives behind the incidents—and how we can best fight back,” said Judson Dressler, Head of Resilience’s Risk Operations Center (ROC). “For instance, to mitigate infostealer activity, our ROC team proactively hunts for stolen credentials on the dark web or new exploits or vulnerabilities that affect their environment and alerts our clients to these critical findings. That’s one example of what it looks like in practice to adjust to the reality that we’re facing an ‘everything, everywhere, all at once’ model of cyber risk.”
Resilience’s 2025 Cyber Risk Report leverages data from the company’s ROC and claims in their insurance portfolio to analyze trends in cybercrime and industry responses throughout the year. To read the full report, see here.
