Data Theft Overtakes Encryption in 2025 Cyber Claims, Resilience Reports
Wednesday, February 25th, 2026 Insurance Industry Legislation & Regulation Litigation Risk Management TechnologyThe traditional ransomware model built around encrypting systems and demanding payment for decryption is losing ground. According to the latest Cyber Risk Report from Resilience, cybercriminals shifted decisively in 2025 toward data theft and extortion-only schemes, leaving many insureds and insurers exposed to risks that backups alone cannot fix.
Resilience analyzed 827 total claims and found that data theft-only attacks climbed from 49% of extortion claims in early 2025 to 65% in the second half. For the full year, 57.6% of extortion cases involved stolen data without encryption, compared to just 13% relying solely on encryption. This evolution significantly weakens a core pillar of many insureds’ cyber response strategies. While backups can restore operations after encryption, they offer no protection against reputational damage, regulatory scrutiny, class action litigation, or privacy enforcement tied to exfiltrated data.
For adjusters, this shift changes both claim valuation and coverage analysis. Data theft losses often trigger multi-layered exposures, including breach response costs, regulatory defense, notification expenses, business interruption, and third-party liability. Ransom payments in data theft-only events offer no assurance that stolen information will not be leaked or resold, increasing the potential for repeat incidents and complicating subrogation prospects.
Phishing losses also surged. Phishing accounted for 50% of incurred losses in 2025, up from 21% in 2024, with average severity exceeding $1.6 million per claim. Resilience cited a study from Harvard University showing AI-generated phishing campaigns achieved a 54% success rate, far outpacing traditional methods. Organizations that invested in phishing awareness training reduced potential risk by more than $100,000, underscoring the measurable impact of risk management controls that underwriters and adjusters increasingly evaluate during placement and renewal.
Legal pressure intensified as well. Wrongful data collection claim notices more than doubled year over year, driven by litigation under the California Information Privacy Act. Law firm Eckert Seamans reported 1,500 CIPA lawsuits filed in the 18 months leading to August 2025. Research from Allianz Commercial found that privacy actions tied to wrongful collection accounted for 18% of large claims by value in 2024, triple the share from three years prior. Meanwhile, WTW noted some markets have already begun restricting coverage for wrongful collection risks, signaling tightening underwriting conditions.
For claims professionals, the message is operational. Backup validation alone is no longer sufficient as a primary cyber control narrative. Adjusters should expect increased scrutiny around zero trust implementation, endpoint detection capabilities, vendor risk management, and AI governance. Severity modeling must reflect the compounding effects of extortion demands, privacy litigation, regulatory enforcement, and social engineering losses.
Looking ahead to 2026, Resilience projects extortion-only attacks will dominate, deepfakes will become a more common social engineering tool, and AI-driven system deployments may introduce new breach vectors. Insurers that recalibrate coverage terms and insureds that shift resources toward prevention rather than post-event recovery may be better positioned as the cyber claims landscape continues to evolve.
