The cyber risk landscape is not static; it evolves, often in ways that defy conventional wisdom. The latest data from cyber insurer Coalition for 2025 paints a clear picture: Business Email Compromise (BEC) has emerged as the leading type of cyber incident, accounting for 31% of all claims. This isn't merely a change in ranking; it signals a fundamental recalibration of the threat environment, one where the sheer volume of low-impact events increasingly defines the operational challenge.
BEC now outpaces funds transfer fraud (27%) and ransomware (21%), with miscellaneous first-party losses making up 17%. The headline trend is a global increase in claims frequency by 3% to 1.54%, yet a notable decline in claims severity by 19%, bringing the average loss down to $116,000. This divergence between more frequent, less severe incidents is the core dynamic professionals must internalize.
The quiet erosion of capital often proves more insidious than the sudden shock.
BEC claims perfectly embody this pattern: frequency jumped 15% to 0.47%, while severity plummeted 28% to an average loss of just $27,000. This suggests a broad, persistent attack surface where threat actors are leveraging scale over sophistication. It’s a numbers game for them, and for many organizations, it means a constant, low-level drain on resources and attention. The cumulative effect of these smaller losses can be substantial, often underestimated when compared to the dramatic headlines generated by ransomware.
Funds transfer fraud, the second most common claim type, bucked the overall frequency trend, seeing an 18% decrease in frequency to 0.42%, alongside a 14% drop in severity to an average loss of $141,000. This suggests some success in mitigating this specific vector, perhaps through improved internal controls or increased awareness. However, the average loss remains significantly higher than BEC, indicating that when these attacks succeed, they still carry a heavy financial punch.
Ransomware, while no longer the most frequent, remains the most severe. Its claims frequency held steady at 0.32%, but severity dropped 19% year-over-year to an average loss of $262,000. This reduction in average payout is a welcome development, potentially reflecting improved backup strategies, faster recovery times, or a reduced willingness to pay exorbitant demands. Yet, a critical caveat from Coalition is that “because ransomware claims often take time to develop, we expect these figures to evolve.” This implies current figures might not fully capture the long-tail impact or the true cost of ongoing negotiations and recovery efforts, suggesting that a degree of caution is warranted before declaring victory against this persistent threat.
Shifting Risk Priorities
This data forces a re-evaluation of where risk management efforts are best concentrated. For years, the focus has been heavily skewed towards preventing catastrophic, high-severity events like ransomware. While these remain critical, the rise of BEC as the leading incident type demands a parallel emphasis on managing high-frequency, lower-severity events. This isn't about choosing one over the other, but recognizing the dual nature of the threat. Organizations that are overly fixated on the 'big one' might be bleeding out slowly from a thousand smaller cuts. The implication for security budgets and training is clear: a balanced approach is needed, one that strengthens defenses against both the sophisticated, high-impact attack and the pervasive, social engineering-driven compromise.
The pressure is now on internal security teams and risk managers to articulate this nuanced threat profile to leadership. It’s no longer enough to report on the absence of a major breach; the constant barrage of BEC attempts, even if individually small, represents a significant operational burden and a cumulative financial risk. This requires robust employee training, multi-factor authentication, and sophisticated email filtering, not as optional enhancements, but as foundational elements of a resilient cyber defense strategy. The challenge lies in making the case for investment in controls that prevent a $27,000 loss, when the perceived threat is a $262,000 one. This misalignment of perception and reality is where expectations may be most misaligned.
What matters isn't just the biggest threat, but the one that never stops knocking.
For cyber insurers, these trends necessitate adjustments in underwriting models and claims management. An increase in frequency, even with lower severity, means more claims to process, potentially impacting operational efficiency and administrative costs. The declining severity, particularly for ransomware, might offer some relief on the payout side, but the evolving nature of these claims means vigilance is paramount. The 4% of claims stemming from third-party allegations, where external parties seek accountability for data privacy or security failures, also highlights an expanding area of liability that, while currently small, carries significant reputational and legal risk.
The overall picture for 2025 suggests a cyber landscape that is becoming more pervasive rather than necessarily more destructive on a per-incident basis. It's a shift from targeted, high-stakes attacks to a broader, more opportunistic approach by threat actors. This requires a more holistic and adaptive defense strategy, one that acknowledges the persistent, everyday threats as much as the headline-grabbing ones. Complacency, even in the face of declining average losses, would be a critical misstep.
The battle against cyber risk is increasingly one of attrition.
