Claims Data Reveals the ‘New Economics of Cyber Crime’

• By: Olivia Overman
• February 25, 2026

New cyber insurance claims data highlights a fundamental shift in the economics of cybercrime.

According to Resilience’s 2025 Cyber Risk Report, cyber threats are no longer designed solely to cause immediate business disruption. Instead, cybercriminals now execute prolonged attacks on organizations, increasingly engineered to inflict sustained financial, regulatory and reputational damage.

“Cyber risk is constantly changing. As cybercriminals shift their tactics, a new reality is setting in: the real risk is about more than a security incident’s immediate disruption, it’s about the long-tail aftershocks that follow,” said Vishaal “V8” Hariprasad, co-founder and CEO of Resilience.

During the first half of 2025, the report found that extortion demands to suppress stolen data accounted for less than half (49%) of all extortion claims, but grew to nearly two-thirds (65%) in the second half. For the entire year, data theft-only attacks accounted for more than half (57%) of all attacks, as hackers looked to bypass organizations’ increasingly strong backup practices.

“Claims data gives us the best and most granular insight into the real-world costs of those shockwaves,” Hariprasad said. “Understanding the materiality of the full lifecycle of a cyber incident is the only way to meaningfully arm ourselves against advanced new tactics and grow more resilient to inevitable threats.”

The report also found that infostealers harvested more than 2 billion credentials in 2025 and were frequently detected in victim organizations’ environments before ransomware attacks occurred. Treating infostealer activity as a critical early warning signal that requires immediate action can reduce the likelihood of follow-on attacks.

Further, threat groups like Interlock, an emerging and sophisticated ransomware and extortion group, continued to find victim organizations’ cyber insurance policies among stolen data to better calibrate their ransom demands—maximizing payouts while staying below coverage limits, the report said.

Vendor risks were identified as the second-highest loss category by Resilience, representing nearly one-fifth (18%) of total losses. Attackers are successfully leveraging password reset attacks and are increasingly infiltrating open-source code repositories that serve as the foundation for enterprise applications; this opens the door to an industry-wide cascade of short- and long-term disruption following the compromise of a critical vendor.

 Highlighting that cyberattacks have become more strategic, the report recommends that organizations work to mitigate material losses by prioritizing investments in data loss prevention systems and zero-trust architecture, credential monitoring, vendor incident contingency plans, tabletop exercises, and comprehensive insurance coverage that reflects 2025’s severity levels rather than mere historical averages.

 “Looking at the increasing professionalization of the threat landscape, it can be tempting to assume that there’s no recourse. But our latest findings give us incredibly useful insight into the incentives behind the incidents—and how we can best fight back,” said Judson Dressler, head of Resilience’s Risk Operations Center (ROC).

“For instance, to mitigate infostealer activity, our ROC team proactively hunts for stolen credentials on the dark web or new exploits or vulnerabilities that affect their environment and alerts our clients to these critical findings,” Dressler said. “That’s one example of what it looks like in practice to adjust to the reality that we’re facing an ‘everything, everywhere, all at once’ model of cyber risk.”

Olivia Overman is IA content editor.