Report by AXA XL
Cyber Claims Unveiled: A Focused Study on Trends, Threats, and Tailored Solutions
Key Findings
In 17.0% of cases since 2019, breaches were first reported by external parties.
Data recovery was triggered as the main driver of loss in 1.3% of claims, triggered with some loss impact in 17.5%, triggered with no loss impact known in 5.0%, and not triggered in 76.2%.
Average initial ransom demand (based on all cases with ransom demand) in 2019: $7.77 million.
Between 2019 and 2023, other sectors experienced large losses primarily from ransomware (53.1%), followed by data breaches (25.0%) and other causes (21.9%).
Between 2019 and 2023, healthcare experienced large losses primarily from ransomware (57.1%), followed by data breaches (28.6%) and other causes (14.3%).
Companies with revenues between $250M and $500M had an average relative frequency of large claims on primary policies of 1.19.
In 6.4% of cases since 2019, the attackers themselves disclosed the breach.
Privacy and cyber security coverage was triggered in 13.2% of all claims, with a higher prevalence in excess claims (22.2%) compared to primary claims (9.4%).
In 42.9% of cases prior to 2019, breaches were first flagged by outside parties such as security firms, regulators, or customers.
The average duration business operations were affected by ransomware in financial services was 33 days.
The average duration business operations were affected by ransomware in manufacturing was 62 days.
For data breach cases where the attackers themselves disclosed the breach, it took an average of 17 days to notice the attacker since 2019.
Average initial ransom demand (based on all cases with ransom demand) in 2021: $17.39 million.
In 2023, victims paid on average 39.1% of the initial ransom demand.
In 49.2% of large ransomware claims, attackers gained access by exploiting system vulnerabilities.
Business interruption coverage was triggered in 17.5% of all claims, occurring more frequently in excess claims (23.3%) than in primary claims (15.1%).
In 66.0% of data breach cases since 2019, the company’s own IT team or outsourced service providers discovered the attack.
In 2019, organizations took an average of 76 days to restore operations after a ransomware attack.
Companies with revenues between $500M and $750M had an average relative frequency of large claims on primary policies of 1.40.
Companies with revenues between $750M and $2B had an average relative frequency of large claims on primary policies of 1.80.
Companies with revenues above $2B had an average relative frequency of large claims on primary policies of 1.86.
2021: 29.7% of large losses came from other causes, 23.7% from data breaches, and 46.6% from ransomware. Ransomware overtook all other causes and drove nearly half of the biggest cyber claims.
Businesses typically required around two full months to restore operations following a ransomware attack.
In 14.3% of cases prior to 2019, the source of detection was miscellaneous or unknown.
In 2021, organizations took an average of 77 days to restore operations after a ransomware attack.
Ransomware claims accounted for 54.3% of cyber claims in the sample for the period of 2019 and onwards.
The average duration business operations were affected by ransomware in health care was 70 days.
88% of all incurred losses from AXA XL cyber claims over the last decade arise from claims that surpass $1 million, suggesting that a relatively small number of large claims are responsible for the majority of cyber losses.
2023: 24.0% of large losses came from other causes, 13.3% from data breaches, and 62.8% from ransomware. Ransomware reached a record high, driving almost two-thirds of the largest cyber insurance payouts.
In 2021, victims paid on average 33.9% of the initial ransom demand.
Data breach response / crisis management was triggered as the main driver of loss in 24.5% of claims (primary 23.6%, excess 26.7%), triggered with some loss impact in 27.5%, triggered with no loss impact known in 3.6%, and not triggered in 44.4%.
In 16% of large ransomware claims, attackers leveraged compromised or weak credentials to gain entry.
In 2023, only 11.1% of backups were affected by ransomware.
Across all data breach cases combined, the average time to notice an attacker was 90 days prior to 2019.
Privacy & cyber security was triggered as the main driver of loss in 13.2% of claims (primary 9.4%, excess 22.2%), triggered with some loss impact in 14.6%, triggered with no loss impact known in 3.3%, and not triggered in 68.9%.
37.2% of large losses came from other causes, 16.0% from data breaches, and 46.6% from ransomware. While other causes ticked up, ransomware continued to generate nearly half of the most expensive claims.
Average initial ransom demand (based on all cases with ransom demand) in 2020: $11.25 million.
In 2022, organizations took an average of 43 days to restore operations after a ransomware attack.
In 2023, 88.9% of backups were not affected by ransomware.
For data breach cases where the attacker was detected by internal IT staff or an outsourced cybersecurity provider (OCP), it took an average of 61 days to notice the attacker prior to 2019.
Between 2019 and 2023, retail experienced large losses primarily from ransomware (50.0%), followed by other causes (30.0%) and data breaches (20.0%).
In 2019, victims paid on average 56.9% of the initial ransom demand.
In 2023, organizations took an average of 32 days to restore operations after a ransomware attack.
Before 2023, 62.8% of backups were affected by ransomware.
Before 2023, 37.2% of backups were not affected by ransomware.
The average duration business operations were affected by ransomware in professional services was 85 days.
In 10.2% of large ransomware claims, the attack vector was either different or unknown.
On average, businesses across all industries experienced 69 days of operational disruption due to ransomware attacks.
In 7.1% of cases prior to 2019, the hackers themselves revealed the breach.
In 10.6% of cases since 2019, the source of detection was unknown or other.
Across all data breach cases combined, the average time to notice an attacker was 45 days since 2019.
In 2020, organizations took an average of 54 days to restore operations after a ransomware attack.
For data breach cases where the attacker was detected by internal IT staff or an outsourced cybersecurity provider (OCP), it took an average of 35 days to notice the attacker since 2019.
For data breach cases where the attacker was detected by a third party, it took an average of 91 days to notice the attacker since 2019.
Data breach response / crisis management coverage was triggered in 24.5% of all claims overall, with a slightly higher incidence in excess claims (26.7%) compared to primary claims (23.6%).
Extortion coverage was triggered in 11.9% of all claims, showing a significant difference between primary claims (15.6%) and excess claims (3.3%), indicating it is far more common at the primary layer.
Other insuring agreements (average) were triggered as the main driver of loss in 1.6% of claims, triggered with some loss impact in 1.4%, triggered with no loss impact known in 0.5%, and not triggered in 96.6%.
2018: 46.2% of large losses came from other causes, 37.9% from data breaches, and 15.9% from ransomware. Ransomware started to emerge as a meaningful driver of big cyber claims.
In 2020, victims paid on average 37.4% of the initial ransom demand.
Average initial ransom demand (based on all cases with ransom demand) in 2023: $32.25 million.
In 24.6% of large ransomware claims, attackers used phishing to infiltrate systems.
In 2022, victims paid on average 42.0% of the initial ransom demand.
The average duration business operations were affected by ransomware in retail was 32 days.
Extortion was triggered as the main driver of loss in 11.9% of claims (primary 15.6%, excess 3.3%), triggered with some loss impact in 11.6%, triggered with no loss impact known in 9.6%, and not triggered in 66.9%.
2020: 27.3% of large losses came from other causes, 29.2% from data breaches, and 43.4% from ransomware. Ransomware remained a dominant source of costly claims.
2019: 28.1% of large losses came from other causes, 29.2% from data breaches, and 45.1% from ransomware. Ransomware surged and became the leading cause of major cyber claims for the first time.
Ransomware incidents often lead to significant business interruptions, with some level of system shutdown occurring in approximately 92% of these cases.
For data breach cases where the attackers themselves disclosed the breach, it took an average of 38 days to notice the attacker prior to 2019.
Between 2019 and 2023, professional services experienced large losses primarily from ransomware (75.0%), followed by data breaches (14.3%) and other causes (10.7%).
Companies with revenues up to $250M had an average relative frequency of large claims on primary policies of 0.45.
Average initial ransom demand (based on all cases with ransom demand) in 2022: $21.46 million.
2010–2017: 62.3% of large cyber losses came from other causes, 37.7% came from data breaches, and ransomware caused 0.0% of major losses. At this stage, ransomware claims were rare, and most large claims stemmed from breaches and miscellaneous incidents.
The average duration business operations were affected by ransomware in technology was 57 days.
In 35.7% of data breach cases prior to 2019, the company’s own IT team or outsourced service providers detected the attack.
The average duration business operations were affected by ransomware in other industries was 44 days.
For data breach cases where the attacker was detected by a third party, it took an average of 136 days to notice the attacker prior to 2019.
Between 2019 and 2023, financial services experienced large losses primarily from data breaches (40.9%) and ransomware (40.9%), followed by other causes (18.2%).
Between 2019 and 2023, manufacturing experienced large losses primarily from ransomware (86.7%), followed by other causes (10.0%) and data breaches (3.3%).
Between 2019 and 2023, technology experienced large losses primarily from other causes (38.0%), followed by ransomware (32.0%) and data breaches (30.0%).
Business interruption was triggered as the main driver of loss in 17.5% of claims (primary 15.1%, excess 23.3%), triggered with some loss impact in 12.6%, triggered with no loss impact known in 7.3%, and not triggered in 62.6%.