This is article part 1 of 14 in this report.

April 30, 2025

Ransomware Payouts Decline Despite Growing Cyber Claims Frequency

Key takeaways

  1. The frequency of reported cyber incidents grew — up 22% on the previous year.
  2. Ransomware claims frequency increased while the average ransom payment amount for Aon broking clients declined by 77%.
  3. Midsized organizations filed more cyber claims than any other group, over half of all incidents.

The past year’s cyber attacks and technology outages illustrated the compounding risk from growing technology interdependencies. Major systemic-type events shook the scene in 2024, particularly evident in attacks against information technology (IT) service providers. A notable February attack on a healthcare payments technology provider resulted from the failure to implement multi-factor authentication, an industry standard and mandatory for baseline cyber-readiness. The ransomware breach affected the private data of approximately 190 million individuals. It led to a backlog of unpaid claims that left doctors’ offices and hospitals with severe cashflow problems and threatened patients’ access to care.[1] The direct financial impact on the company was likewise extreme, tallying $3.09 billion pre-tax.[2]

In July, the CrowdStrike outage served as a timely warning of the high risks associated with digital interconnectedness. The outage caused more than 8.5 million systems to crash, disrupting operations worldwide and impacting commercial flights, hospitals, and financial services.[3] One airline industry victim reported a $500 million revenue and $170 million expense impact.[4] Wrapping up the year, a ransomware attack on a U.S. supply chain management provider was felt around the world. This hosting environment disruption affected major organizations, including retailers and software and IT service providers.

Cyber Claims Rise. Payouts Decline

As cyber attacks persisted, the frequency of cyber claims grew across 2024, ranging from ransomware and business interruption to class action litigation and regulatory investigations — resulting in an increasingly complex incident response. In the U.S., for example, Aon Cyber and Errors and Omissions (E&O) claims data revealed 1,228 reported incidents across broking clients in 2024, reflecting an increase of 22 percent year over year. Cyber events or litigation represented most claims, with 776 reported matters in the U.S. — up a third on the previous year — and 320 reported matters in EMEA.


Aon U.S. E&O-Cyber Broking Reported Incident - Year


Aon U.S. E&O-Cyber Broking Reported Incident - Quarter


Aon U.S. E&O-Cyber Broking Reported Incident


This increase was driven by a rise in cyber incidents, more organizations acquiring cyber insurance and a heightened regulatory focus on publicly disclosing material events. Aon analysts observed that underinsurance and a lack of basic cyber readiness plans exposed mid-market organizations to significant risk.[5] Midsized organizations with $100 million to $2 billion annual revenue filed more claims than any other group, representing 52 percent of all matters.


Aon U.S. E&O-Cyber Broking Reported Incidents: 2024


Though the frequency of claims grew, claim ratio experience from a leading cyber insurer remained mostly static and even improved in 2024, decreasing by nearly 3 percent compared to 2023.[6] Despite pressure on premium rates, it was observed that Aon clients who invested in cyber preparedness were better able to respond to attacks with the technology controls and continuity plans to restore systems or regain access to data. IBM research found that having an incident response team and formal incident response plans enables organizations to reduce the cost of a breach by an average of almost $500,000, providing reassurance about the effectiveness of these strategies.[7]

Ransomware Persists

Ransomware incidents persisted in 2024, increasing 24 percent versus 2023. Fraud and social engineering remained flat while claims frequency for privacy and data breaches and lost, missing, or stolen data decreased.


Cyber Frequency Trend | Global Data*

* Global dataset with a strong U.S. emphasis


Despite the increased frequency of incidents, ransomware payment severity for Aon broking clients declined, likely supported by stronger cyber security controls.[8] The average reported payment amounts also dropped by 77 percent, helping to maintain a soft market.

This Aon client data aligns with Coveware’s 2024 quarterly report,[9] which shows that despite increased ransomware activity, fewer companies are paying. The percentage of companies paying ransom dropped to an all-time low of 25 percent, marking a significant milestone in the fight against ransomware. The average ransomware payment trended up in 2024, cresting at $553,959 in the fourth quarter of 2024, an increase of 16 percent over the prior quarter. Meanwhile, median payments, which are typically a more reliable indicator of where the market is heading, are declining. The median ransom payment was $110,890 in fourth quarter 2024, a decline of 45 percent from the previous three months.[10] Global organizations such as the Ransomware Task Force continue to identify ransomware threat actors and protect organizations. While successful, recent law enforcement actions to dismantle ransomware threat actor groups destabilized the space, giving rise to dozens of splinter groups.


Observed Ransomware Breach Trends | YE 2024

Top Targets by Country


Ransomware payment bans are back on the table as governments contemplate minimizing payments and compelling cybercriminals to cease attacking their countries’ organizations.[11]

According to Aon’s data, E&O Cyber Broking reported incidents trended up in 2024 with 1,228 events, an increase of 22 percent. As for observed ransomware breaches (ORBs), or instances of organizations named and/or having their data published on ransomware leak sites due to not paying, the U.S. dominated the charts with more than 50 percent of incidents. Consumer and industrial products, professional services and consulting, and manufacturing were the top three targeted sectors, with the real estate industry running close behind, claiming 13 percent of total victims.


Ransomware Victims by Sector


Access claims trended up and down across the year. Access claims arise when threat actors, known as initial access brokers, breach organizations’ networks and sell this unauthorized access to other threat actors, leading to ransomware attacks and malicious activities. Targeting Remote Desktop Protocol (RDP) tools was the method of attack for half of all access claims.

Top 10 Technology Types Targeted

Technology Type                     Percentage Impact
RDP Tools                           51.1%
Not Listed                          21.5%
Corporate Remote Access Portals     14.0%
Corporate Application               3.9%
Remote Access Services              3.5%
Unspecified Technologies            1.1%
Other                               1.0%
RMM Tools                           0.8%
Email Platforms                     0.7%
Government Application              0.6%

Based on Aon’s proprietary data, threat actors continue to favor remote access and other administrator tools over malware. Identifying non-standard applications remains a key challenge for victims, and threat actors use ORBs more frequently to keep attacks hidden. With perimeter devices such as firewalls and VPNs as the most common entry point for attackers, IT teams must be vigilant about patching, MFA, and cert-based authentication.

The Return on Security Investment

Entering 2025, we expect to see more organizations better able to manage their cyber risk. Insureds continue to use data modeling to help make better decisions and inform cyber purchasing decisions to determine the appropriate limit levels. Aon saw 21 percent of clients purchase additional limits in 2024 and we anticipate further increases in demand for cyber insurance and technology E&O insurance. Competitive market conditions in excess layers coupled with rate decreases across the tower in both the primary and excess layers helped to drive this increase in additional limits. However, organizations are constantly evaluating cyber risk. Risk analysis allows organizations to make better-informed decisions around their insurance risk transfer program, whether through higher limits, different program structures, or alternative risk transfer solutions.

References

[1] Chairman Brett Guthrie. What We Learned: Change Healthcare Cyber Attack. U.S. Department of Energy and Commerce. May 3, 2024. https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack

[2] United Health Group Incorporated. Form 8-K. January 16, 2025. https://www.sec.gov/ix?doc=/Archives/edgar/data/731766/000073176625000022/unh-20250116.htm

[3] Raphael Yahalom. What the 2024 CrowdStrike Glitch Can Teach Us About Cyber Risk. Harvard Business Review. January 10, 2025.

[4] Delta Airlines Inc. Form 8-K. August 8, 2024. https://www.sec.gov/ix?doc=/Archives/edgar/data/0000027904/000168316824005369/delta_8k.htm

[5] Aon. A Middle Market Roadmap for Cyber Resilience. October 2, 2024. https://www.aon.com/en/insights/articles/a-middle-market-roadmap-for-cyber-resilience?collection=3ab7b09b-e783-4c99-b960-0be73fb4fa49&parentUrl=/en/insights/collections/cyber-resilience#aon-collection-detail-item-%7B0B90E4C1-2E4F-4BCC-BEC6-66BD640DB9D2%7D

[6] Beazley plc results for year end 31 December 2024. Beazley PLC. March 4, 2025. https://beazley2023tf.q4web.com/news/news-details/2025/Beazley-plc-results-for-year-end-31-December-2024/default.aspx

[7] IBM. Cost of a Data Breach Report. July 2024. https://www.ibm.com/reports/data-breach

[8] Aon 2025 Cyber Risk Report. Red flags for Aon’s existing and new clients decreased year-over-year across all industries. This supports Aon broking’s value proposition, demonstrating a 5% improvement in critical security controls that may impact insurability.

[9] Will Law Enforcement success against ransomware continue in 2025? Quarterly Report. Coveware. February 4, 2025. https://www.coveware.com/blog/2025/1/31/q4-report

[10] Coveware. Law Enforcement Doxxing Raises Risk Profile for Threat Actors. November 1, 2024. https://www.coveware.com/blog/2024/11/1/law-enforcement-doxxing-raises-risk-profile-for-threat-actors

[11] Coveware. New Ransomware Reporting Requirements Kick in As Victims Increasingly Avoid Paying. Quarterly Report. January 26, 2024. https://www.coveware.com/blog/2024/1/25/new-ransomware-reporting-requirements-kick-in-as-victims-increasingly-avoid-paying

[12] Risk Based Security, analysis by Aon.


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
