Reinsurance News
New cyber insurance claims data from Resilience, a cyber risk and insurance firm, points to a fundamental shift in how cybercriminals operate and profit.
Drawing on claims from its 2025 client portfolio, the company’s latest analysis shows that threat actors are conducting longer, more calculated campaigns against organisations. The findings also make clear that the financial damage from cyber incidents increasingly extends far beyond the initial breach, often unfolding over an extended period.
The 2025 Cyber Risk Report, informed by claims data and research from Resilience’s Risk Operations Center (ROC), describes a more intricate threat environment and outlines steps organisations can take to limit material losses.
During the first half of 2025, extortion demands intended to prevent the release of stolen data accounted for 49% of all extortion-related claims. That figure climbed sharply in the second half of the year to 65%. Across the full year, data theft-only attacks represented 57% of all incidents, signalling that attackers are adapting their tactics to bypass increasingly robust backup systems.
The report also found that infostealer malware harvested more than 2 billion credentials over the course of the year. In many cases, infostealers were detected within victim environments before ransomware was deployed, indicating that such activity should be treated as a serious early warning sign. Prompt action to prevent credential harvesting can reduce the likelihood of subsequent attacks.
Certain threat groups, including Interlock, were observed extracting cyber insurance policy information from stolen data. By reviewing coverage details, attackers are able to tailor ransom demands to maximise potential payouts while remaining within policy limits.
Vendor-related incidents emerged as another major driver of losses. Within Resilience’s portfolio, vendor risk represented 18% of total losses, making it the second-largest category overall. Attackers are increasingly exploiting password reset processes and compromising open-source code repositories that form the backbone of many enterprise applications. A breach affecting a critical vendor can create cascading operational and financial consequences across multiple organisations and industries.
Taken together, the data suggests that cyberattacks have become more strategic and methodical. The resulting losses are not confined to the moment of disruption but can accumulate gradually, sometimes over months or years.
“Cyber risk is constantly changing. As cybercriminals shift their tactics, a new reality is setting in: the real risk is about more than a security incident’s immediate disruption, it’s about the long-tail aftershocks that follow,” commented Vishaal “V8” Hariprasad, Co-Founder and CEO of Resilience.
“Claims data gives us the best and most granular insight into the real-world costs of those shockwaves. Understanding the materiality of the full lifecycle of a cyber incident is the only way to meaningfully arm ourselves against advanced new tactics and grow more resilient to inevitable threats.”
The report recommends that organisations focus on practical measures to reduce material exposure. These include strengthening data loss prevention capabilities, implementing zero-trust architecture, closely monitoring credentials, developing vendor incident contingency plans, conducting tabletop exercises, and securing insurance coverage aligned with current severity trends rather than relying solely on historical averages.
“Looking at the increasing professionalisation of the threat landscape, it can be tempting to assume that there’s no recourse. But our latest findings give us incredibly useful insight into the incentives behind the incidents—and how we can best fight back,” added Judson Dressler, Head of Resilience’s Risk Operations Center (ROC).
“For instance, to mitigate infostealer activity, our ROC team proactively hunts for stolen credentials on the dark web or new exploits or vulnerabilities that affect their environment and alerts our clients to these critical findings. That’s one example of what it looks like in practice to adjust to the reality that we’re facing an ‘everything, everywhere, all at once’ model of cyber risk.”

