Cyber extortion frequency is in structural retreat. Marsh’s 2025 cyber claims report shows that reported cyber extortion events for US and Canada clients declined 33% in 2025 compared to 2024, while total claim notifications fell 29% over the same period. Against a backdrop of ten consecutive quarters of premium decreases and a 7% rate decline in Q1 2025, the competitive battleground for commercial cyber brokers has shifted from price to something harder to commoditise: how fast a policyholder receives funds during a live incident.
Extortion Frequency Down, But the Risk Mix Is Shifting
The headline extortion number from Marsh’s claims data is striking, but the risk landscape it describes is more nuanced than a simple improvement story. The 33% year-on-year decline in reported cyber extortion events runs alongside a sharp pivot in litigation-driven claims: website-tracking and related privacy breach claims rose 43% in 2025 versus 2024, even as BIPA claims fell 50% and VPPA claims fell nearly 59%. The composition of the cyber claims universe is rotating, not shrinking.
This shift matters for underwriters and risk managers in equal measure. Commercial lines buyers who secured broad cyber coverage at softening rates may find that their policy’s privacy liability sub-limits — sized for a BIPA and VPPA environment — are now inadequately calibrated for the website-tracking wave. This dynamic is consistent with the broader theme flagged in Beazley’s analysis of AI-driven supply chain attacks as the next frontier for cyber underwriting, where the risk vectors insurers price for can diverge quickly from the ones that actually drive claims.
Ransom Economics Have Deteriorated — But the 2023 Baseline Was Severe
To read the extortion decline in isolation is to miss the severity of the prior cycle. Marsh’s ransomware claims analysis documents the 2023 inflection point in uncomfortable detail: the median ransomware extortion payment for US and Canada clients surged to $6.5 million in 2023 — up from $335,000 in 2022 — while the median demand reached $20 million, compared to $1.4 million the year before. The proportion of demands that translated into actual payments also worsened: the share of the ransom demand paid rose from 24% in 2022 to 32% in 2023.
That context reframes the 2025 extortion decline as a partial correction from an elevated baseline rather than a return to pre-ransomware-era norms. Threat-actor economics have shifted — law enforcement disruptions, improved victim resilience and the saturation of high-yield targets have all played roles — but the attacker toolkit remains intact. Median breach-response expenses held at approximately $160,000, with average costs reaching $1 million in Q4 2023, illustrating that even incidents that do not result in ransom payment carry material response cost. For risk officers benchmarking retentions, these figures serve as the floor, not the ceiling.
Ten Quarters of Rate Decline Have Saturated the Price Argument
Aon’s Global 2025 Cyber Risk Report confirms that buyer-friendly conditions have become the structural norm rather than a cyclical dip: cyber insurance rates declined 7% in Q1 2025, marking the tenth consecutive quarter of premium decreases, driven by ample market capacity and intensifying competition. Marsh’s own Q4 2024 data reinforces the trend: US cyber insurance rates fell 5% on average in Q4 2024, with 20% of clients increasing coverage limits and 18% reducing self-insured retentions in the same period.
When ten consecutive quarters of price reductions become the baseline expectation, competing on rate alone ceases to be a differentiator. Brokers operating in this environment need a value proposition that survives the next hard-market turn — one that is difficult to replicate quickly and whose performance is observable during the policy period, not just at renewal. That pressure is what is driving the current focus on claims velocity. The structural logic is reinforced by Moody’s assessment of AI and technology as the primary growth lever for insurance brokers in 2026, where operational differentiation — not pricing — is the margin driver.
Claims Velocity: The New Broker Differentiator
In a soft market defined by ample capacity and falling rates, several large commercial brokers are reportedly moving toward accelerated-payment and direct-to-vendor endorsement frameworks that allow funds to reach breach-response vendors — forensics firms, legal counsel, notification providers — within hours of an incident trigger rather than days or weeks after loss adjustment. The rationale is straightforward: in a ransomware or data-exfiltration event, every hour between incident detection and vendor engagement has a measurable impact on total breach cost.
This is an emerging market practice reported by multiple trade sources; the structural parameters of individual carrier programmes vary and the category is still taking shape. What is not in doubt is the demand signal. Marsh’s December 2025 survey of more than 2,200 cyber risk leaders across 20 countries found that 70% of organisations experienced at least one material third-party cyber incident in the prior year, and nearly two-thirds — 66% — planned to increase cybersecurity investments in 2026, with more than 26% targeting budget increases of 25% or more. Buyers who are actively investing in cyber resilience are, by definition, also thinking harder about how their insurance programme performs under stress. Speed of response is the dimension that a rate reduction does not address.
The regulatory pressure layer compounds the commercial incentive. As mandatory incident reporting timelines tighten — particularly for financial-sector entities now subject to the ESAs’ first DORA ICT incident baseline reporting requirements — the window between breach detection and obligatory notification is narrowing. A policy framework that pre-positions funds and pre-authorises vendor engagement is not simply a claims convenience; it is, for covered entities in regulated sectors, a compliance asset.
What Brokers and Risk Officers Should Do Now
For commercial risk officers, the soft market creates an unusual opportunity: premium savings can be redirected toward structural enhancements — higher limits, lower retentions, or endorsements that compress the claims payment timeline. The data from Marsh and Aon suggests that the window is open. The trend of 18% of clients reducing self-insured retentions in Q4 2024 indicates that sophisticated buyers are already acting on this logic.
For brokers, the claims-velocity narrative carries a practical implication: it requires carrier relationships that include pre-agreed panel vendor lists, pre-authorised spend thresholds and, in the most advanced frameworks, tri-party funding arrangements between insurer, broker and incident-response provider. Building that infrastructure now, while the market is soft and carriers are motivated to differentiate, is considerably easier than retrofitting it into a hard-market programme under time pressure.
The longer-term question is how claims-velocity performance will be measured and disclosed. If brokers are to compete on this dimension at renewal, some form of standardised claims-handling metric — average time to first payment, time to vendor authorisation — will need to emerge. The absence of that metric today is both a risk and an opportunity for the brokers who move first to define it.
Mini-FAQ
How much did cyber extortion events decline in 2025, and what does Marsh attribute it to?
Is the cyber insurance market still a buyer’s market in 2025?
What are accelerated-payment endorsements and why are brokers promoting them now?
Sources used
- Marsh Cyber Claims 2025 Report (Marsh — cyber claims frequency and extortion data)
- Ransomware: A Persistent Challenge in Cyber Insurance Claims (Marsh — ransom payment and demand benchmarks)
- Rising Third-Party Risks and Ransomware Threats Drive Cybersecurity Investments in 2026 (Marsh — enterprise cyber risk survey)
- Cyber Risk Insurance Market Remains Buyer-Friendly (Aon — Global 2025 Cyber Risk Report, rate cycle data)
- Cyber Insurance Market Update (Marsh — US cyber rate and retention update)