Cyber risk is often framed as a fight against external attackers, but most severe losses arise from a broader mix of technological dependence, human decision‑making, governance failures, and vendor relationships. While ransomware remains a major liability driver, operational disruptions, social engineering fraud, privacy litigation, and even website and advertising technology are now among the most significant sources of cyber‑related loss.
Understanding how cyber losses occur, how they are litigated or remediated, and how insurers underwrite these risks can help organizations better prepare for incidents — and set realistic expectations about insurance recovery.
01
Operational disruption & business interruption
Some of the costliest cyber events do not hinge on ransom payments but on operational shutdowns and downstream disruption. A striking example occurred in 2024, when attackers used stolen credentials to log in to a remote‑access portal at Change Healthcare, a U.S. healthcare technology provider, that did not require multifactor authentication. After nine days inside the company’s systems, they exfiltrated sensitive data.
Once Change Healthcare identified the intrusion, it disconnected its data centers and suspended network operations to contain it. The resulting outage cost the company an estimated $867 million in business interruption losses alone, far eclipsing the $22 million ransom it paid. Paying did not prevent disclosure either: some of the stolen data was later published anyway.
The incident illustrates a key reality of modern cyber risk: Business interruption — lost revenue, additional expenses, and cascading operational impacts — often accounts for the largest share of loss.
Why business interruption is so difficult to manage
Operational disruption following a cyber event is both common and prolonged. An IBM-Ponemon Institute study found that 86% of organizations experiencing a data breach reported operational disruption, and 76% said recovery took more than 100 days.
Dependency risk magnifies this exposure. Many organizations rely on a narrow set of vendors, platforms, or managed service providers to perform critical business functions. When a technology provider experiences an outage or breach, the effects can ripple through entire industries. During the Change Healthcare incident, pharmacies were unable to process insurance claims and healthcare providers were forced to take out loans to meet payroll, making it one of the most consequential cyberattacks on the U.S. healthcare system.
The World Economic Forum’s Global Cybersecurity Outlook 2026 identified third-party and supply chain vulnerabilities as the top challenge to cyber resilience.
At the same time, rising geopolitical tensions in 2025 and 2026 have increased the risk of ideologically motivated attacks aimed not at extortion, but at disruption. Survey respondents cited geopolitically motivated cyberattacks as the leading factor shaping their cyber‑risk mitigation strategies.
Insurance response & pain points
Most cyber policies offer some form of business interruption coverage, but claims are closely scrutinized. Insurers focus on when an interruption began and ended, whether decisions to shut down systems were reasonable, and how policyholders calculate their losses.
Organizations that track revenue in real time — such as casinos or online retailers — may find it easier to demonstrate business interruption losses. For many others, particularly those with longer revenue cycles or intangible outputs, quantification can be significantly more challenging. To understand potential losses from business interruption events, brokers may provide modeling tools, but these require companies to realistically assess what a “worst day” looks like during a cyber event and to manage expectations about how much loss is ultimately recoverable.
02
Ransomware’s growing costs
Ransomware continues to draw public attention, but the nature of these attacks — and their financial impact — has evolved. Where attackers once focused on encrypting data and selling decryption keys, many now prioritize data theft and extortion, demanding payment to prevent publication or reuse of stolen information.
In 2025, just over 30% of ransomware victims paid a ransom, consistent with prior years, according to Arete Advisors. Median ransom demands rose to $600,000, up from $500,000 in 2024, while median payments increased only modestly to $152,750.
The larger cost usually lies outside the ransom itself. Sophos estimates the average enterprise recovery cost from ransomware in 2025 — excluding ransom payments — was $1.85 million, reflecting expenses tied to investigation, system restoration, legal response, and business disruption. Higher education, finance, transportation and logistics, and retail incurred particularly high recovery costs.
Ransomware coverage challenges
Although most cyber policies cover ransomware, insurers increasingly focus on whether policyholders met baseline security and governance expectations. Identity controls, access management, backup integrity, and incident response preparedness are central to underwriting and claims decisions.
Disputes today often turn less on policy exclusions and more on compliance with conditions. Insurers are tightening scrutiny of restoration timelines, imposing or reducing business interruption sublimits, and requiring clearer dependency mapping. Because ransomware frequently involves data theft and extortion, insurers are also looking beyond ransom reimbursement and recovery costs to privacy liability, regulatory exposure, and litigation — raising complex issues around aggregation, sublimits, and allocation.
03
Social engineering fraud & business email compromise
Social engineering fraud (SEF) may be the most significant cyber risk facing organizations today. Attackers can run these schemes quickly, cheaply, and at scale. Technology plays a role, but the real vulnerability is human behavior.
In 2025 and 2026, attackers have increasingly used AI‑driven deepfakes to impersonate senior executives on phone calls or in voice messages, convincing employees to transfer funds or disclose sensitive information. These tactics now rival, and in some cases surpass, traditional business email compromise (BEC) attacks built on phishing emails or bogus invoices.
SEF schemes often evade technical controls by exploiting trust, urgency, and routine business processes. Fast‑paced communication, decentralized decision‑making, and reliance on email and messaging platforms all increase exposure.
Large companies with good internal controls can still lose money to SEF. Recent examples include fraudsters impersonating investors and well-known law firms in M&A transactions and other business deals. Phone numbers set up to place convincing calls and messages, together with fake document-exchange portals mimicking those law firms, supported schemes in which multiple payments were routed to fraudster-controlled bank accounts and could not be clawed back.
This has led some companies to ask whether they are buying enough social engineering coverage.
Assuming the client has adequate controls in place, the Lockton U.K. crime wording offers full social engineering coverage. It operates on a broader “all risks” basis rather than the “named peril” basis on which many crime wordings operate.
These examples demonstrate the pervasiveness of cybersecurity threats, the complexity of insurance coverage, and the centrality of human error in today’s most expensive claims.
Insurance implications of SEF losses
Insurance recovery for SEF claims often depends on strict adherence to internal payment controls. Coverage may turn on whether the company actually enforced dual authorization, callback verification to an independently known number, segregation of duties, and escalation protocols. In some jurisdictions, such as many in the Middle East, stolen funds are not covered under a cyber policy but rather under a crime policy.
Insurers are increasingly denying claims where controls were bypassed, even under pressure or apparent executive urgency. As a result, claims investigations frequently resemble forensic audits of internal process compliance rather than assessments of the criminal conduct itself.
AI‑enabled impersonation has also complicated coverage. While some voice spoofing incidents may still fall under existing crime or impersonation coverage, underwriters are questioning whether traditional policy language adequately addresses synthetic identity attacks. In some cases, endorsements are being tightened to exclude “authorized” transfers, even when the authorization was obtained through deception.
04
The perils of privacy & data breaches
Although the fundamental pattern of data breaches — unauthorized access followed by theft or misuse of personal data — has remained consistent, recent years have seen an increase in third‑party involvement. Verizon’s Data Breach Investigations Report found that 48% of breaches from Nov. 1, 2024, through Oct. 31, 2025, involved third parties, up from 30% in the previous year.
Supply chain risk is especially acute for small and midsize organizations, which are targeted nearly four times as often as large enterprises. Still, human error and complacency remain the dominant contributors to data loss.
Attackers most commonly seek personally identifiable information such as tax identification numbers, addresses, and email credentials, according to IBM and the Ponemon Institute. This data fuels downstream crimes, enabling highly targeted phishing and fraud attempts.
The costs of data breaches include investigation and remediation, operational disruption, victim compensation, litigation, and regulatory fines. Roughly one‑third of organizations that experienced a breach in 2025 paid regulatory fines, with the highest penalties reported in the United States — one reason breaches there are particularly costly. The Middle East and Benelux, a European region comprising Belgium, the Netherlands, and Luxembourg, had the second and third highest breach costs, respectively.
Evolving tactics by plaintiffs’ attorneys have created new data breach risks. Plaintiffs' attorneys in the U.S. increasingly employ technicians who monitor the so-called “dark web,” a part of the internet that requires specialized tools to access and where threat actors often communicate and advertise stolen data.
These technicians watch for discussions of stolen data, which the attorneys then use to file lawsuits quickly, sometimes before the company knows it has been breached. That makes it hard for a company to defend itself in the early stages of litigation.
Insurance challenges in data breach claims
Insurers now expect demonstrable data governance, not future‑looking promises. Underwriters want evidence of encryption, access control, retention policies, employee training, and vendor risk management that are already in place.
Mapping dependencies and assessing third‑party risk are no longer optional. As with SEF and ransomware claims, insurers are increasingly framing coverage questions around compliance with security and governance standards rather than purely around the occurrence of a breach.
05
Non‑breach privacy risk & pixel tracking
Some of the fastest‑growing cyber losses do not involve breaches at all. In 2022, Mass General Brigham settled a class‑action lawsuit for $18 million over the use of cookies and pixels on its patient portal. The settlement fueled a wave of similar claims.
Pixel tracking — technology that monitors user behavior on websites and reports it to third parties — can trigger liability when data is collected without proper consent. Litigation alleging violations of wiretapping, privacy, and consumer protection statutes surged to 2,200 lawsuits in 2025, according to Fisher Phillips.
Retailers are frequent targets, but healthcare, technology, manufacturing, finance, and insurance companies also face claims, many of which settle for more than $1 million. In a high-profile case, a San Francisco jury in September 2025 awarded $425.7 million against Google for tracking users who had opted out. Google was also fined 325 million euros by a French regulatory agency in 2025 for displaying ads containing cookies in Gmail without obtaining account holders’ consent.
Why pixel tracking claims are so challenging
Unlike external cyberattacks, pixel tracking claims can stem from deliberate business or marketing decisions made without full awareness of the legal exposure. In other cases, companies hire website design firms that install these tools without the company knowing they are present or understanding what they do. Plaintiffs' attorneys can file claims cheaply and at scale, often leveraging decades‑old statutes.
U.S. states such as California have expanded definitions of personal information, particularly for minors, making technical defenses less effective. Plaintiffs' attorneys argue that deploying pixels is intentional conduct, which opens the door to claims of willfulness, or, where executives were unaware that pixels had been deployed, to claims of negligence.
Insurers frequently exclude non‑breach privacy violations and wrongful collection claims. Definitions of privacy violations, personal information, and security events have narrowed, and carriers often argue that coverage should not apply where a company chooses to deploy tracking technology.
Provisions requiring arbitration to resolve legal disputes over pixel tracking and other advertising technology can prove troublesome. Plaintiffs' attorneys can send a company a letter indicating they have hundreds or thousands of clients ready to proceed with arbitration, which can amplify legal costs for companies and their insurers.
06
Media, marketing, & intellectual property risks
Like pixel tracking, media and intellectual property losses arise from a company’s own actions rather than from malicious outsiders. Cyber policies provide limited coverage, and many of these risks are better suited to professional liability or media policies.
False advertising is a growing problem. Food manufacturers in particular have faced lawsuits over misleading health claims tied to ultraprocessed products. Instacart paid $60 million to settle FTC allegations that its “free delivery” and “100% satisfaction guarantee” claims were misleading. Underwriters often view false advertising as an intentional act by an insured and often exclude it from cyber policies.
Copyright infringement is another recurring risk, especially in social media marketing. Casual use of copyrighted music, images, or likenesses by brands or influencers has drawn aggressive enforcement from content owners. Defamation exposure increases when companies post provocative or inaccurate content in pursuit of online engagement.
Preparing for the full spectrum of cyber loss
Today’s cyber losses reflect more than technical failure. They arise from human judgment, operational dependencies, strategic decisions, and evolving legal standards. Insurance remains a critical tool, but recovery increasingly depends on demonstrated controls, governance discipline, and realistic planning.
Understanding how losses actually occur — and where coverage frictions emerge — allows organizations to better manage expectations, reduce exposure, and respond more effectively when incidents inevitably occur.
© 2026 Lockton Companies. All rights reserved.