3 Crucial Insights to Shape Your Cyber Risk Strategy

If you spend any time talking about cybersecurity, you’ll likely hear all about the ever-changing threat landscape. What does that actually mean?

Simply put, the threat landscape encompasses the cybersecurity risks and real-world incidents that impact businesses every day. With insurance claims data, we have a unique view of that landscape, including the most pervasive attack types, how often they occur, and the average loss amounts businesses experience.

Theoretical risk models and industry surveys can point us in the general direction of what to expect from cyber criminals. But the best way to mitigate risk and prepare businesses, brokers, and insurance providers? Use the data from actual events to inform security decisions that move the needle.

Coalition’s 2025 Cyber Claims Report examines global claims data, industry-specific findings, third-party risk, and much more. Below, we’re narrowing our focus and diving deeper into three key insights that should be top of mind for anyone responsible for managing a business’ cyber risk in 2025.

Insight 1: Attack costs triple when business email compromise escalates to funds transfer fraud

For the past three years, our data reveals that email-based attacks have driven the majority of cyber claims. In 2024, 60% of all cyber claims were due to business email compromise (BEC) or funds transfer fraud (FTF). 

BEC is an event where cyber criminals gain access to an organization’s email account to execute a cyber attack. Once inside, attackers can leverage email access to find sensitive data. Or, for a while, threat actors may just lie in wait.

By surveying incoming and outgoing messages, they can learn relationship dynamics, mirror the compromised user’s personality, and track payment history. And when the time is right, a threat actor can strike with a well-crafted email to a target vendor or colleague, requesting that a routine wire transfer be directed to a new (criminal-owned) bank account. 

In 2024, 60% of all cyber claims were due to business email compromise (BEC) or funds transfer fraud (FTF). 

Now, what started as an email compromise has escalated to funds transfer fraud. Across all BEC events in 2024, 29% resulted in FTF with an average loss incurred by the business of $106,000. Meanwhile, the average loss associated with a standard BEC event is $35,000.

Due to the high margin for human error, FTF remains one of the easiest routes for threat actors to monetize cybercrime. Threat actors go where the money is; inboxes remain a hotbed for common daily transactions and, consequently, digital crime. 

One phone call can prevent funds transfer fraud

FTF resulting from an email account takeover is particularly insidious because phony emails look legitimate. Unlike spoofing, employees can’t rely on misspelled domains as a red flag. If a suspicious recipient hovers over the sender address, it’s the same exact account they regularly interact with. 

Threat actors may communicate just like the compromised user and know personal details to easily fool the recipient. However, any sudden mention of a new payment method should be viewed with a healthy dose of skepticism. 

“If an employee receives a request for a new payment method, they should verify account information with an independently known phone number,” said Chris Hendricks, Head of Coalition Incident Response (CIR). “Don’t use contact information you got through the same exchange where your vendor or contact requested a new payment method.” 

Insight 2: Ransom demands aren’t the only driver of ransomware loss

Ransomware is responsible for 21% of all claims, but attacks are 2.5x more severe than other cybercrime with an average cost of $292,000. 

The average demand in 2024 was $1.1 million. Ultimately, ransom payments drive the majority of losses and public scrutiny following an attack. 

But ransom payments are not the be-all, end-all of ransomware losses. Behind the scenes, many businesses subject to a ransomware attack dedicate months to restoring data, investigating the attack, and rebuilding networks to return to operations as usual. And the costs associated with downtime and recovery can add up fast. 

Average business interruption loss: $102,000

Imagine if a local restaurant experienced a ransomware attack. Suddenly, they can’t access their point of sale system. No one can place orders online. Inventory management is down. Despite being a brick-and-mortar shop with the majority of sales in person, business as usual is basically impossible. Now, imagine the consequences for a business with thousands of endpoints, downstream customers, or complete digital dependencies. 

Without access to vital technology following a cyber attack, businesses of all sizes struggle with maintaining operations, resulting in additional expenses and lost profits. 

Average digital asset restoration cost: $18,000

Ransomware is built on the foundation of encrypting and destroying data. Digital asset restoration is the process of recovering or recreating all of the information lost as a result of the attack.

Depending on the extent of the damage, full restoration can take anywhere from a few days to several months. Reliable backups can make all the difference for a quicker restoration process.

“If your business experiences a ransomware attack, you don’t want to rely on a bad actor and their decryptor to be your backup,” said Hendricks. “Make sure you are backing up the right data, make sure you can effectively restore them, and make sure backups are not accessible from the main network.”

Average forensic vendor cost: $58,000

Digital forensics involves the collection, analysis, and preservation of electronic evidence. Through an investigation, vendors are able to determine how malware entered the network and provide actionable advice for businesses to limit their exposure in the future. 

Ransomware is responsible for 21% of all claims, but attacks are 2.5x more severe than other cybercrime with an average cost of $292,000. 

Insight 3: Third-party breaches demand proactive management of supply chain risk

In 2024, third-party breaches accounted for 52% of all miscellaneous first-party losses (those not involving BEC, FTF, or ransomware). In these incidents, a policyholder’s vendor or business partner was compromised, which led to financial loss.

No business operates in a silo, which makes downstream risk practically unavoidable. 

From software providers to manufacturers, any business in the supply chain is vulnerable to an attack. The appeal for threat actors is that one successful breach disrupts hundreds, if not thousands, of downstream customers — incentivizing businesses to pay a hefty ransom. As the old adage goes, why work harder when you can work smarter?

In 2024, a glaring example was Change Healthcare. The technology company, which processes transactions among healthcare providers, went offline as a result of a ransomware attack in February 2024. The disruption impacted more than 90% of pharmacies across the US and the estimated total cost to businesses stemming from the attack is estimated at nearly $2.87 billion.

“Policyholders aren’t always aware of all of the other companies they rely on to function,” said Anne Juntunen, Senior Claims Manager at Coalition. “In some cases, there were multiple companies in the dependency chain between our policyholders and Change Healthcare. Those policyholders were still impacted.”

With Change Healthcare responsible for one in every three patient records in the US, the entire industry was left scrambling in the fallout. 

Disruption from the Change Healthcare ransomware attack impacted more than 90% of pharmacies across the US and the estimated total cost to businesses stemming from the attack is estimated at nearly $2.87 billion.

Not just the big dogs

Hospitals unable to pay claims made headlines. But of the thousands of healthcare providers left without the ability to process claims, many small businesses flew under the radar.

Before Change Healthcare went offline, a medical equipment supplier had just expanded its business. When its connection to an electronic medical records and billing vendor was severed, the supplier was no longer able to electronically submit claims or receive payments. 

Without the cashflow, the supplier couldn’t purchase new inventory. And even as Change Healthcare brought operations back online, it took months (and several insurance payments to cover ongoing business interruption losses) for the supplier to recover from the fallout of the third-party breach.

“You need to pay attention to your vendors’ security posture,” said Hendricks. “Generally speaking, we call that third-party risk management. Through Coalition Control™, our unique risk management platform, businesses can scan and assess their vendors’ risk profile to better understand the potential impact to their own business.”

Want even more insights?

An additional key finding from the 2025 Cyber Claims Report? Prevention must be prioritized over reaction. 

To effectively combat cyber risk, brokers and businesses alike need to know where to focus their efforts — and real-life claims data can help. To get a broader view of the current threat landscape, download the full 2025 Cyber Claims Report.

This article originally appeared in the May 2025 edition of the Cyber Savvy Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.

This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information. Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.