AXA XL

In 17.0% of cases since 2019, breaches were first reported by external parties.

Data recovery was triggered as the main driver of loss in 1.3% of claims, triggered with some loss impact in 17.5%, triggered with no loss impact known in 5.0%, and not triggered in 76.2%.

Average initial ransom demand (based on all cases with ransom demand) in 2019: $7.77 million.

Between 2019 and 2023, other sectors experienced large losses primarily from ransomware (53.1%), followed by data breaches (25.0%) and other causes (21.9%).

Between 2019 and 2023, healthcare experienced large losses primarily from ransomware (57.1%), followed by data breaches (28.6%) and other causes (14.3%).

Companies with revenues between $250M and $500M had an average relative frequency of large claims on primary policies of 1.19.

In 6.4% of cases since 2019, the attackers themselves disclosed the breach.

Privacy and cyber security coverage was triggered in 13.2% of all claims, with a higher prevalence in excess claims(22.2%) compared to primary claims (9.4%).

In 42.9% of cases prior to 2019, breaches were first flagged by outside parties such as security firms, regulators, or customers.

The average duration business operations were affected by ransomware in financial services was 33 days.

The average duration business operations were affected by ransomware in manufacturing was 62 days.

For data breach cases where the attackers themselves disclosed the breach, it took an average of 17 days to notice the attacker since 2019.

Average initial ransom demand (based on all cases with ransom demand) in 2021: $17.39 million.

In 2023, victims paid on average 39.1% of the initial ransom demand.

In 49.2% of large ransomware claims, attackers gained access by exploiting system vulnerabilities.

Business interruption coverage was triggered in 17.5% of all claims, occurring more frequently in excess claims(23.3%) than in primary claims (15.1%).

In 66.0% of data breach cases since 2019, the company’s own IT team or outsourced service providers discovered the attack.

In 2019, organizations took an average of 76 days to restore operations after a ransomware attack.

Companies with revenues between $500M and $750M had an average relative frequency of large claims on primary policies of 1.40.

Companies with revenues between $750M and $2B had an average relative frequency of large claims on primary policies of 1.80.

Companies with revenues above $2B had an average relative frequency of large claims on primary policies of 1.86.

2021: 29.7% of large losses came from other causes, 23.7% from data breaches, and 46.6% from ransomware. Ransomware overtook all other causes and drove nearly half of the biggest cyber claims.

Businesses typically required around two full months to restore operations following a ransomware attack.

In 14.3% of cases prior to 2019, the source of detection was miscellaneous or unknown.

In 2021, organizations took an average of 77 days to restore operations after a ransomware attack.

Ransomware claims accounted for 54.3% of cyber claims in the sample for the period of 2019 and onwards.

The average duration business operations were affected by ransomware in health care was 70 days.

88% of all incurred losses from AXA XL cyber claims over the last decade arise from claims that surpass $1 million, suggesting that a relatively small number of large claims are responsible for the majority of cyber losses.

2023: 24.0% of large losses came from other causes, 13.3% from data breaches, and 62.8% from ransomware. Ransomware reached a record high, driving almost two-thirds of the largest cyber insurance payouts.

In 2021, victims paid on average 33.9% of the initial ransom demand.

Data breach response / crisis management was triggered as the main driver of loss in 24.5% of claims (primary 23.6%, excess 26.7%), triggered with some loss impact in 27.5%, triggered with no loss impact known in 3.6%, and not triggered in 44.4%.

In 16% of large ransomware claims, attackers leveraged compromised or weak credentials to gain entry.

In 2023, only 11.1% of backups were affected by ransomware.

Across all data breach cases combined, the average time to notice an attacker was 90 days prior 2019.

Privacy & cyber security was triggered as the main driver of loss in 13.2% of claims (primary 9.4%, excess 22.2%), triggered with some loss impact in 14.6%, triggered with no loss impact known in 3.3%, and not triggered in 68.9%.

37.2% of large losses came from other causes, 16.0% from data breaches, and 46.6% from ransomware. While other causes ticked up, ransomware continued to generate nearly half of the most expensive claims.

Average initial ransom demand (based on all cases with ransom demand) in 2020: $11.25 million.

In 2022, organizations took an average of 43 days to restore operations after a ransomware attack.

In 2023, 88.9% of backups were not affected by ransomware.

For data breach cases where the attacker was detected by internal IT staff or an outsourced cybersecurity provider (OCP), it took an average of 61 days to notice the attacker prior 2019.

Between 2019 and 2023, retail experienced large losses primarily from ransomware (50.0%), followed by other causes (30.0%) and data breaches (20.0%).

In 2019, victims paid on average 56.9% of the initial ransom demand.

In 2023, organizations took an average of 32 days to restore operations after a ransomware attack.

Before 2023, 62.8% of backups were affected by ransomware.

Before 2023, 37.2% of backups were not affected by ransomware.

The average duration business operations were affected by ransomware in professional services was 85 days.

In 10.2% of large ransomware claims, the attack vector was either different or unknown.

On average, businesses across all industries experienced 69 days of operational disruption due to ransomware attacks.

In 7.1% of cases prior to 2019, the hackers themselves revealed the breach.

In 10.6% of cases since 2019, the source of detection was unknown or other.