Cyber Insurance Provider Reports Fall in Claims Frequency in 2024
A new report from a leading cyber insurance provider shows a slight decline in claims for ransomware attacks in 2024. Claim amounts for ransomware-related losses were down 7% from the previous year, according to the Coalition 2025 Cyber Claims Report.
Global claim frequency for all types of cyber events was also down 7% year-over-year, with the average claim amount remaining stable at an average of $115,000 globally and $108,000 in the United States. Of all matters reported to Coalition, 56% were handled without any out-of-pocket payments by policyholders.
The most common reasons for submitting claims against policies were financial transfer fraud and business email compromise (BEC) attacks, which accounted for 29.8% and 29.7% of claims, respectively. Ransomware was the third most common reason, accounting for 21.12% of claims.
There was a 19% decrease in claims frequency in 2024 by businesses in the healthcare industry, which fell to 1.38%; however, claim severity increased by 32% year-over-year, with an average loss of $144,662. Across all industry sectors, there was a decline in claims frequency, which fell by 4% for businesses with less than $25 million in revenue, and claims severity fell by 8%.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Businesses with revenues between $25 million and $100 million saw claim frequency fall by 5% and claim severity fall by 6%. Large businesses with revenues of $100 million or more had a 6% year-over-year decrease in claims frequency, although a 21% increase in claims severity.
Out of the three main reasons for claims, ransomware attacks were the costliest, with average losses of $292,000 and $294,000 in the United States. Ransomware groups reduced their initial demands by 22% in 2024 to an average of $1.1 million, which shows that there is often considerable scope for negotiation. On average, Coalition negotiated a 60% reduction from the initial ransom demand, with 44% of victims opting to pay the ransom.
Coalition reports that while the ransom payment is a sizeable cost, businesses had an average $102,000 loss due to business disruption, a $58,000 cost for forensic investigation, and an $18,000 average cost of digital asset restoration.
Fund transfer fraud was also costly, with an average loss of $185,000, although that’s a 46% reduction from the $340,000 average loss in 2023. Coalition attributes the reduction to changing threat actor and financial institution behaviors, with threat actors less likely to request transfers in high six and seven-figure amounts, as these large amounts are often flagged by financial institutions and held for an extended period of time, making it more likely that the fraud is discovered.
Claims severity for business email compromise attacks increased by 23% year-over-year to an average of $35,000. 29% of all BEC events in 2024 resulted in financial transfer fraud, with an average financial transfer fraud loss of $106,000.
Coalition also tracked losses to third-party breaches, which resulted in an average loss of $42,000. One notable third-party breach was the ransomware attack on Change Healthcare, which affected more than 90% of U.S. pharmacies, with total costs from the attack estimated to be almost $2.87 billion. Coalition policyholders that submitted a claim had an average claim severity of $22,000.
Coalition also reports that businesses are realizing the importance of taking proactive measures to address cybersecurity, as well as the consequences of not doing so. Prior to underwriting insurance policies, Coalition often prompts businesses to adopt new security tools to enhance cybersecurity controls in specific areas. Coalition reports that in 2024, 614 businesses were informed that they had critical cybersecurity issues when they were given a cyber insurance quote and opted not to resolve the issues and bind a Coalition policy, only to subsequently fall victim to a ransomware attack. The estimated losses to those attacks from businesses that did not bind a policy were $307 million – an average of $500,000 per business.
