
Illustration by iStock; Security Management

Malware and Ransomware Are to Blame for Rising Number of Cyber Insurance Claims

Nearly £200 million ($262 million) was paid out in cybersecurity insurance claims to help UK businesses recover from cyber incidents in 2024, according to the ABI, an association for more than 300 UK insurance and long-term savings firms.

Firms participating in an ABI cyber data collection project said that the amount paid out to support businesses after cyberattacks increased 230 percent year-over-year—a £138 million ($181 million) increase from 2023.

Malware and ransomware accounted for 51 percent of all claims reported in the ABI project, up from 32 percent in 2023. This highlights “how increasingly sophisticated digital threats are causing more extensive damage, leading to higher payouts,” the ABI said.

The data represents just a sample of the overall UK cyber insurance market; the figures were not extrapolated to estimate market totals.

The global cyber insurance market was valued at $16.66 billion in 2023 and is expected to reach $120.47 billion by 2032, with North America accounting for the largest market share (36.61 percent in 2023), according to data from Fortune Business Insights. U.S. cyber insurance policies increased 11.7 percent in 2023 in the face of more frequent, high-impact cyber incidents, the National Association of Insurance Commissioners (NAIC) reported in 2024. The number of claims also spiked, with 33,561 reported in the United States in 2023.

“The cyber insurance market has begun to stabilize with smaller rate increases and, in some cases, flat renewals,” the NAIC report said. “However, the market has not reverted to the softer conditions seen in the years leading to the global pandemic of 2020. Positive factors supporting the stable cyber insurance market outlook include continued demand, increasing take-up rates for cyber coverage, and continual improvements in cyber hygiene. Insurers have switched their focus from pricing to managing systemic risk as they look to limit their aggregate exposure. There is a rising demand for cyber insurance among small and medium-sized enterprises, as 72 percent without cyber insurance say a major cyberattack could destroy their business.”

Ransomware-as-a-service and other malware services have lowered the barrier to entry for cyber actors, so attackers can essentially rent attack capacity as needed instead of needing specialized cyber expertise. This market also widens the field of potential victims, since it’s more cost-effective to go after many smaller payouts than to focus on one big breach. But the percentage of companies that pay ransomware demands has come down over time, which should reduce claim severity averages, the NAIC said.

“Cyber insurance is more than just a financial safety net,” said Jonathan Fong, head of general insurance policy at the ABI, in a press release. “The right policy not only supports businesses in the aftermath of an incident but can also help prevent attacks through access to expert advice, threat monitoring, and incident response planning. With cyber threats continuing to grow in scale and sophistication, it needs to be a critical component of every organization’s modern risk management strategy.”

But insurance doesn’t let organizations off the hook for effective risk management and security postures. The NAIC cautioned that policies frequently include “failure to maintain security” or “failure to follow” exclusions, precluding coverage for claims resulting from an insured company’s failure to maintain minimum or adequate security standards.

 
