8 Surprising Cybersecurity Insurance Statistics

Written by Max Coupland

From shopping online to having endless entertainment at our fingertips, the internet has changed how we do everything. However, this nonstop connectivity also has its downsides. Among these are the individuals and groups worldwide who use their technological proclivity to hack into systems, steal private data or money, or cause systems to crash.

These people have spurred the growth of the cybersecurity industry, which reached an estimated value of over $166.2 billion in 2023. Companies in this sector help secure systems and lock out those with dishonorable intentions. However, they aren’t always successful. For this reason, many companies require cybersecurity insurance that protects them if someone breaches their firewalls and wreaks havoc.

Following hot on the heels of our life insurance statistics, here are some surprising stats about cybersecurity insurance. Warning: these stats may shock you into rethinking your need for more robust insurance policies.

1. Cybersecurity Insurance Value

It comes as no surprise that cybersecurity as an industry is valued at around $166.2 billion. Penetration specialists who test systems, developers who create new programs to keep servers safe, and employees who constantly monitor everything on a network all contribute to this amount.

What is shocking is the revenue that goes specifically toward cybersecurity insurance policies. Globally, insurance policies for cybersecurity were estimated to generate revenue of $14 billion in 2023. This is expected to grow to almost $29 billion by 2027.

The US is the pack’s leader in this sector, contributing almost 32% of the total revenue. This isn’t simply due to the number of companies that have this type of insurance in the country but also because it is one of the most prominent targets among all nations worldwide.

2. Cybersecurity Insurance Reach

According to estimates, a cybersecurity attack occurs in the US every 39 seconds, equating to more than 2,200 attacks daily. Many of these are thwarted by security systems, but some are successful and allow criminals to access private systems and confidential information.

Despite these shocking occurrences, a 2022 survey revealed that only 55% of companies have a cybersecurity insurance policy in place. The remaining 45% stated they have no coverage should somebody breach their systems.

3. Cybersecurity Insurance Shortfalls

Not enough companies have insurance against attacks, and those that do are sometimes underinsured. The same study mentioned above revealed that of the 55% of companies with active policies, only 19% had policies that covered damages above $600,000.

Many insurers fail to advise their clients that they could be underinsured and actively draft clauses that can result in no payment should a claim be filed. An estimated 27% of policies covering data breaches have exclusions that prevent total payouts of claims and can sometimes result in no payment at all.

First-party breaches and claims are no different, with 24% of these policies having similar clauses.

4. Company Types with the Most Cybersecurity Insurance Claims

Large companies, particularly tech companies like Google, Meta, and Microsoft, are often the targets of cybercriminals. However, SMEs (small to medium enterprises) are the most vulnerable to attacks as they lack the resources to ensure their systems are entirely impenetrable.

Because of this, 99% of cybersecurity insurance claims are filed by SMEs whose annual revenue is below $2 billion.

5. Security Breaches with the Most Claims

Security breaches depend not only on the attacker but also on the system being hacked and the server’s services. Servers that allow users to make payments using ACH, in online casinos or other areas, can contain critical confidential payment information, while social networking servers house consumer data profiles and the like.

One of the most effective security breaches for hackers is ransomware. This type of attack locks out the server or database and all information on it and requires a ransom payment to unlock it. It is estimated that these attacks occur 1.7 million times internationally each day—or 20 times per second.

Because of this, ransomware security breaches attract the most claims. These claims are paid to recover losses or mitigate legal action when private data is lost. However, they don’t cover ransom payments, which amounted to $1.1 billion in 2024.

6. Average Cybersecurity Insurance Claim Amount

When a claim is lodged that doesn’t trigger any of the clauses mentioned above, the insurer can pay the client. The amount paid varies based on the damages incurred and the policy’s total coverage.

The average security breach claim for SMEs is estimated to attract a payout of around $345,000. For ransomware attacks, this increases significantly to $485,000 per claim. However, when considering all companies and not only SMEs, this figure increases dramatically.

The average payment on claims across all organizations is around $812,360. This factors in massive companies and huge data breaches, like those experienced by MGM International and T-Mobile in 2023.

Many believe that insurance claims paid out go solely toward mitigating damages from data breaches or incident repair. However, a shocking 28%, on average, go only to the legal fees incurred when suffering a data breach.

This is based on the average claim of $345,000 mentioned above, of which around $98,000 goes to lawyers and other advocates responsible for navigating the legal terrain surrounding such breaches.

8. The Largest Cybersecurity Insurance Claim

Official records regarding the most significant claim in history are hard to come by. After all, no company or insurer wants to acknowledge they have been the victim of a massive attack. However, many studies have been conducted that narrow this down.

The largest cybersecurity insurance claim in the US is estimated to have paid almost $120 million. Incredibly, this claim was submitted by an SME rather than a large corporation. The claim is said to have been made up of hefty legal fees and extensive BI (business interruption) losses.

BI costs, which are not always covered under insurance policies, are expenses companies incur due to the loss of business resulting from a cyberattack. On average, BI costs resulted in $446,000 in losses for a company suffering from a security breach in 2020.
