Allianz Commercial finds cyber risk claims severity has declined 50% in 2025

Takeaways:

• Data exfiltration comprised 40% of large cyber claims in H1.
• Ransomware is now targeting small and mid-sized companies, a component in 88% of data breaches.
• AI is helping threat actors create more "believable" phishing emails to steal credentials.

A new report from Allianz Commercial, the Cyber Security Resilience Outlook, provides some encouraging news when it comes to cyber claims: The first half of 2025 saw claims severity drop by 50%, while claims frequency declined by 30%. Ransomware continues to be the major driver of cyber claims, accounting for 60% of claims over €1mn ($1.1 million). 

Cyberattacks focus on smaller companies

However, as larger companies have improved their cybersecurity training and risk management, threat actors are now focusing on smaller and mid-sized companies that don't have the same high level of security. For these sized firms, ransomware was the source of 88% of the data breaches, finds wireless provider Verizon. 

According to the Allianz report, territories such as Asia and Latin America have become new targets for cyberattacks. Threat actors are also changing their tactics regarding ransomware, now choosing to focus on double extortion-based attacks because the threat of losing the information from data exfiltration makes it easier for hackers to be paid ransoms. The average cost of a data breach in 2024 was $5 million, due primarily to business disruption and remediation efforts.

The report also indicates that while ransomware threats will not abate, international coordination efforts by law enforcement, as well as stronger cybersecurity mitigation efforts by corporations, are having a positive impact on cyber claims.

"Several ransomware events have hit the headlines this year, but overall, we see that  insured losses from these attacks have decreased in 2025 to date," said Michael Daum, global head of cyber claims at Allianz Commercial in a press release. "Insureds' increased detection and response capabilities are helping to stop some attacks at an early stage."

Social engineering is on the rise

While guarding log-in credentials and passwords is a priority, they are still vulnerable to cyberattacks and artificial intelligence is helping threat actors to craft believable phishing emails to gain access to this information. 

"Attackers are using AI to automate and speed up the process of cyberattacks — and we can see the volume and frequency of attacks is increasing, which puts the emphasis back on the need for defense," explains Rishi Baviskar, global head of cyber risk consulting for Allianz Commercial, in the report. "If you have weak cybersecurity or do not invest in detection and response, then attackers are likely to break through. It only takes one successful attack."

Several incidents perpetrated by the hacking group Scattered Spider utilized compromised credentials, which enabled them to target airlines, casinos, major retailers and even insurance companies. According to the report, more than 10 attacks were attributed to the group in the first six months of 2025. 

Many of these efforts also target suppliers and vendors to companies because they can provide access to data or possible login credentials. There are also "specialist" brokers that sell the information on the dark web. 

Technology vendors that play key roles in data supply chains are also seeing an increase in cyberattacks. An Allianz Commercial analysis identified that contingent business interruption claims accounted for 15% of large cyber claims, which more than doubled the number of claims (6%) seen in 2024. While companies can work to educate their teams and mitigate some of the direct cyber risks they face, vendors can still be a weak point for data access. 

Data exfiltration involves the intentional, unauthorized exportation of data to a third party, and is a frequent outcome of cyberattacks. Allianz found that approximately 40% of large cyber claims (over €1mn) include data exfiltration, an increase of 15% from 2024.

"We continue to see a shift in ransomware towards data exfiltration," says Caitlin Ewing, complex claims analyst at Allianz Commercial in the report. "It is much easier to steal data than to encrypt it — it takes less preparation and work on the part of the attackers."

The report highlights four key stages found in social engineering attacks:

Information gathering — Scammers can use information found on social media sites about jobs, family and friends to help create convincing impersonations.

Building trust or creating urgency — As hackers build trust, they can also entice an individual to respond to a fake emergency by creating a sense of urgency. 

Exploitation — As trust builds, hackers can encourage individuals to share sensitive or personal information.

Covering their tracks — Once hackers have access to the data they want, they erase any signs of being in the system.

"Social engineering attacks have become a common way for hackers to gain access to sensitive information by exploiting human interactions. People are perceived as the weakest link in cybersecurity, and threat actors will look to exploit this," says Ewing. "Social engineering is now a prominent driver of cyber claims. For threat actors, it is easier to effect, especially with AI. In the past, it was easier to spot mistakes and unusual language, but now there are fewer obvious red flags."