This Insight was prepared with the assistance of student-at-law Kendall Kleisinger.
NetDiligence recently released its annual Cyber Claims Study report. This report offers an in-depth analysis of actual losses for data breaches and other cyber-related events, as reported by leading cyber insurance providers.
With over 4,000 new claims submitted in 2025, this year's report analyzes over 10,000 cyber claims from incidents that occurred from 2020–-2024. A copy of the full 2025 report can be found here.
Key findings from the report include the following:
- Claim amounts varied greatly, ranging from less than US$1,000 to over US$500 million
- Large companies (those with annual revenue of US$2 billion or more) accounted for only 2% of claims, but these claims accounted for 51% of the total incident cost analyzed
- The five-year average incident cost for all claims was US$246,000 for small to medium enterprises (organizations with less than US$2 billion in annual revenue) and US$10.3 million for large companies
- The five-year average incident cost for Canadian organizations of all revenue sizes was US$874,000, although claims from Canada represented less than 1% of the overall dataset
- Insurance payouts for organizations of all sizes covered only 32% of the total incident costs
- The five-year average incident cost at small to medium enterprises increased by nearly 30% since the 2024 study, while overall average incident costs decreased by 19% for large companies
- When a cyber incident results in business interruption, the average incident cost of a claim is over 650% more than claims without business interruption
- The proportion of claims caused by criminal activity has been over 97% since 2020 – on average, criminal incidents are much more costly than non-criminal incidents
- Ransomware and business email compromise are the two leading causes of all loss (other causes include hackers, wire transfer fraud, staff mistakes, rogue employees and third-party incidents)
- Ransom amounts reached an unprecedented high – initial demands were up to US$150 million, ransoms as high as US$75 million were paid and a total of 50 ransoms totalling at least US$10 million were paid
- The top five affected business sectors were professional services, manufacturing, healthcare, retail and financial services
Key takeaways
Cyber incidents are more costly than ever, and this report is an important reminder for organizations of all sizes to invest in defenses against cyber incidents and establish clear response plans to rely on if these incidents do occur.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
