Recent data suggests that while large companies don't have as many cyber incidents as smaller ones, when one does happen the costs can be massive.
This is one of the findings of a study from Top 10 firm RSM, which found that large companies represented only 2% of cyber insurance claims but, at the same time, accounted for 51% of all incident costs. Conversely, 98% of claims come from small to medium-size enterprises with less than $2 billion in annual revenue, yet collectively represent less than half of the costs.
Part of the reason for this variation is likely because large companies have more money to lose: the biggest company in the dataset, with over $290 billion in annual revenue, was about 29 million times larger than the smallest in the dataset, with less than $10,000 in annual revenue. The average large company—$12.5 billion in annual revenue—was more than 116 times larger than the average SME, with $108 million in annual revenue.

The most common source of loss, overwhelmingly, was ransomware, representing an average incident cost of $631,000 versus the next highest source, wire transfer fraud, which had an average cost of $171,000. Health care organizations bore the brunt of the costs, having an average incident cost of $566,000; professional services firms, such as accounting practices, bore an average cost of $271,000 by comparison.
At the same time, professional services firms took the lead in terms of quantity of claims, with the sector accounting for 18% of all claims versus health care at 14%. This appears to suggest that professional services firms have a higher number of lower-cost claims.
"At SMEs, professional services claims accounted for 18% of all claims and 18% of total incident cost greater than $1K. Total incident cost ranged from $1K to $30M. The top causes of loss were the same as in the 2024 Claims Study: ransomware, BEC, and hackers," said the report.
While the traditional answer to cybersecurity challenges is more staff training, the data shows that only a small minority of incidents stem from non-criminal causes such as staff mistakes, mishandling paper records, improper disclosures, lost devices, programming errors, system glitches or legal actions. Claims from such sources accounted for only 3% of the total. The other 97% came from decidedly criminal events such as hacking, ransomware, social engineering, business email compromise, phishing, DDoS attacks, stolen devices, straight-up theft, and banking/ACH fraud.
"There are fewer and fewer non-criminal incidents, which may be attributed to better employee training and more sophisticated controls. At SMEs, the proportion of claims caused by criminal activities ranged from a low of 97% in 2020 to a high of 100% in 2023. This proportion has been over 97% since 2020," said the study.
It also noted that, over the past five years, the number and magnitude of incidents caused by malicious employees and ex-employees have been declining. The number of incidents decreased from 65 in 2020 to 11 in 2024. The average incident cost decreased from $116,000 in 2020 to $25,000 in 2023. Excepting an extreme outlier event in 2022, average incident cost has been low.
The data also showed that while the figures are still disturbing, incidents are down compared to a few years ago. Of the roughly 10,000 claims analyzed, 53% of them came from either 2020 or 2021; in contrast, 47% of claims came from 2022, 2023 and 2024.
The report recommended that companies establish an effective foundation to strengthen their ongoing cybersecurity efforts, doing things such as doubling down on fundamental protections, managing vendors and third parties, embracing the cloud securely, staying ahead of emerging threats, and stressing incident response and resilience.
"Companies need security hygiene and good control of their identities, multifactor authentication and reduction of privileged identities," said Alden Hutchison, RSM's principal of cyber risk and data protection consulting in a statement. "Those things alone will help shrink the attack surface. But there's always a chance they're going to get in. So now, what's your resiliency plan? Do you have one? Have you tested it? Do you have the vendors in place to help you recover?"