
Cyber insurance claims are showing alarming trends in both frequency and severity, with U.S. businesses experiencing particularly steep increases while markets outside the U.S. show declining rates, according to a report from Chubb.
The comprehensive claims analysis, based on Chubb’s cyber claims data through December 2024, reveals critical insights about ransomware incidents driving claim severity, privacy-related liability becoming increasingly complex, and widespread cyber events contributing to rising frequency—all factors that are fundamentally reshaping the cyber risk landscape for businesses of all sizes.
U.S. Market Trends
The cyber insurance landscape in the U.S. continues to evolve at a concerning pace, with both frequency and severity of claims showing upward trajectories over the past three years. While claim frequency remains below the peak levels observed in 2020-2021, severity has increased significantly from 2020 through 2024, with notable volatility in recent years, Chubb reported.
Particularly alarming is the sharp increase in claim severity for mid-sized companies with revenues of $100 million to $999 million, and large companies with revenues exceeding $1 billion. These organizations have experienced substantial losses that have made headlines across business media. Interestingly, many of these attacks weren’t the result of sophisticated malware evading robust cybersecurity systems, but rather social engineering attacks targeting IT help desks and involving SIM card swaps in mobile phones, according to the report.
Another troubling trend is the rise in widespread cyber events—incidents that simultaneously affect numerous companies. These events, which can stem from attacks, software malfunctions or human error, increased to 5.3% of total reported claims in 2024, up from 4.0% in 2023, contributing significantly to the overall frequency of cyber claims.
International Market Contrast
The cyber risk scenario outside the U.S. tells a markedly different story. International markets are experiencing declining trends in both the frequency and severity of cyber claims. For medium and large revenue accounts outside the U.S., severity has decreased over the past three years, while small revenue accounts have seen only modest increases in severity, Chubb reported.
This divergence can be attributed to several factors. International businesses have increased cyber risk awareness at executive and board levels, improved business continuity planning, developed more robust incident response protocols, and focused on compliance with new regulatory frameworks such as the EU’s Digital Operational Resilience Act.
Perhaps most striking is the difference in ransom payment behavior. The willingness to pay ransoms is substantially lower outside the U.S., with only 8% of companies paying ransoms in 2024 compared to 35% of U.S.-based companies. This trend has remained consistent over the past five years, Chubb reported.
Notable Claims Statistics
The financial impact of cyber incidents continues to grow, with ransomware remaining the primary driver of losses. In 2023 and 2024, ransomware-related losses accounted for nearly 72% of all cyber claim dollars, up from an average of 63% between 2020 and 2022. The frequency of subsequent third-party litigation from ransomware incidents has also increased dramatically, up approximately 75% in 2024 compared to the 2020-2021 average.
The July 2024 CrowdStrike incident provides a sobering example of how non-malicious events can cause widespread disruption, the report noted. When the cybersecurity company CrowdStrike sent a faulty software update to customers worldwide, it resulted in 8.5 million systems crashing and generated between $400 million and $1.5 billion in insured losses, the report stated.
This incident highlighted that system failures can be as devastating as malicious attacks, underscoring the importance of comprehensive incident response planning and resilience measures. Organizations with strong resilience capabilities in place were better positioned to weather this unexpected disruption, reinforcing the value of preparedness in today’s interconnected digital ecosystem, according to Chubb.
Evolution of Privacy-Related Claims
As digital footprints expand and consumer awareness grows, privacy-related claims have emerged as a significant concern for businesses across the U.S. Recent data reveals a troubling trend: the proportion of third-party claims related to privacy liability has doubled in 2023-24 compared to 2020-22. This surge reflects not only heightened consumer awareness but also the evolving regulatory environment that has created new avenues for litigation, the report explained.
Three key regulatory frameworks are primarily driving this increase in U.S. privacy claims, Chubb reported:
- The Illinois Biometric Information Privacy Act (BIPA) has become particularly impactful, regulating how companies collect, use, and handle biometric identifiers and information.
- The Video Privacy Protection Act (VPPA) has gained renewed relevance in the digital age. This law directly addresses how companies implement and use pixels—those tiny snippets of code embedded in websites that track user behavior.
- State-level wiretapping laws have also contributed to the privacy claims landscape. The California Invasion of Privacy Act (CIPA), for instance, provides individuals with a private right of action against businesses for privacy violations, with potential statutory damages reaching $5,000 per violation—a figure that can quickly escalate to significant amounts in class action scenarios.
Beyond U.S. borders, international privacy regulations continue to reshape how global businesses approach data handling and privacy compliance. The European Union’s General Data Protection Regulation (GDPR) stands as the gold standard, comprehensively regulating the lawful collection, processing, use, retention and deletion of personally identifiable information.