Large Cyber Claims Dominate: AXA XL Study Highlights Rising Ransomware Risks and Industry-Specific Trends
A decade-long analysis of more than 300 cyber claims reveals that a small number of large losses drive the majority of cyber costs—and ransomware remains the most disruptive force.

Cyber incidents continue to escalate in frequency and cost as organizations across industries embrace digital transformation. Threat actors are growing more sophisticated, and the value of sensitive data makes businesses increasingly attractive targets.
A new study from AXA XL, *Cyber Claims Unveiled: A Focused Study on Trends, Threats, and Tailored Solutions*, examines more than 300 cyber claims spanning a decade. The findings reveal a striking concentration of risk: 88% of incurred losses came from claims that exceeded $1 million (AXA XL Cyber Analysis Report).
This pattern highlights the reality that while many cyber incidents may be resolved without significant financial impact, a small share of large-scale claims drives the vast majority of losses. Understanding these high-value cases is essential for risk managers, insurers, and brokers as they shape strategies for resilience and protection.
Fran Gari, Head of Pricing, Global Cyber, and lead author of the study, put it plainly: “A limited number of high-value claims account for the bulk of total losses, emphasizing the value for businesses in effective cybersecurity measures and proactive risk management strategies.”
The report also underscores ransomware’s role as the most disruptive force in recent years, with rising ransom demands, extended business interruptions, and evolving attack methods reshaping the cyber risk landscape.
The Growing Weight of Large Cyber Claims
The analysis shows that the severity of large claims has steadily increased over the past decade. Ransomware incidents in particular have driven this escalation, while non-ransomware data breaches have shown some decline in severity (AXA XL Cyber Analysis Report). By 2019, ransomware had overtaken data breaches as the leading cause of large losses, accounting for more than half of such claims. At the same time, ransom demands have surged—exceeding $21 million on average by 2023. Almost every ransomware incident analyzed resulted in a business interruption, with recovery often requiring weeks or even months.
These findings carry significant implications for the insurance market. As large claims grow in size and complexity, carriers are rethinking their underwriting strategies, adjusting pricing, and refining coverage options. For risk managers, the takeaway is equally clear: the financial impact of a single large-scale ransomware attack can dwarf years of smaller incidents.
How Attacks Are Evolving
According to the study, system vulnerabilities remain the most common entry point for cyber attackers, followed by compromised credentials and phishing campaigns (AXA XL Cyber Analysis Report). In many cases, attackers exploited administrator-level access to move laterally across networks, amplifying the severity of the disruption. Modern ransomware incidents often involve a dual-pronged approach: exfiltrating sensitive data before encrypting systems. This tactic increases leverage during ransom negotiations, complicates recovery, and drives up overall costs.
AXA XL’s analysis also shows that negotiation dynamics are shifting. With ransom demands rising, organizations are forced to weigh the cost-effectiveness of payment versus investment in cybersecurity controls and recovery strategies. The presence of professional negotiators in many incidents highlights the increasingly specialized responses required to manage these crises.
Industry Exposures and Signs of Resilience
The business impact of ransomware and other cyber incidents varies significantly across industries. Manufacturing and retail companies are especially prone to operational disruptions, with even short shutdowns proving costly. Healthcare and financial services face the highest relative frequency of large claims, due to the sensitivity of the data they manage and the regulatory consequences of breaches. Meanwhile, technology companies experience different exposure patterns, including greater risks to intellectual property.
Despite the challenges, the study points to encouraging signs of progress. A growing share of breaches—66% since 2019—are now detected internally by IT teams, compared with just 35.7% before that period (AXA XL Cyber Analysis Report). Organizations are also experiencing shorter shutdowns and fewer incidents where backups are compromised. These trends suggest that investments in monitoring, continuity planning, and recovery protocols are making a measurable difference.
Danielle Roth, Head of Cyber Claims for AXA XL in the Americas, sees these developments as evidence of greater preparedness: “Shorter shutdown durations, an increasing number of companies successfully detecting breaches independently, and in less time. All of these improvements show that organizations are becoming more resilient and proactive in their cybersecurity efforts.”
What Risk Leaders Should Take Away
The AXA XL study reinforces an important lesson: risk managers must prepare for the small subset of cyber incidents that have the potential to generate multimillion-dollar losses. While ransomware remains the most disruptive threat, industry-specific vulnerabilities demand tailored strategies, and larger organizations face heightened exposure despite their greater resources. Positive signs—such as improved detection and reduced recovery times—show progress, but resilience will require continuous improvement.
For insurers, brokers, and clients alike, the data emphasizes the need to focus not just on the frequency of incidents, but on the potential severity of outlier events. Andrew Farr, AXA XL’s Global Chief Underwriting Officer for Financial Lines, explained: “By understanding the narratives of our most prominent cyber claims, AXA XL can leverage our experiences to improve underwriting practices, develop new products, and enhance our risk management solutions.”
Ultimately, by studying the narratives behind large claims, organizations can make better-informed decisions about cybersecurity investments, risk transfer strategies, and business continuity planning. The findings serve as a reminder that resilience is not just about avoiding the next attack—it is about preparing for the one that could reshape an organization’s future.
