Cyber Incidents Costing Businesses More Than Ever: Key Findings from 2025 Cyber Claims Study

NetDiligence’s 2025 cyber insurance claims study analyses over 10,400 claims from businesses of all sizes and revenue levels. Compare this with its first study in 2010, which covered a mere one hundred claims, for a stark picture of the significant increase in cyber incidents.

But the numbers also indicate the ever-rising risk and costs associated with data incidents. Cyber risk, now more than ever, is financial risk.

Key findings from the report are that SMEs experience incidents more often than large companies, and ransomware and business email compromises are the two top causes of all data incidents. As criminal activity gets more rampant, large and small companies must now spend not just on training to minimise staff mistakes, but on programs and controls to keep criminals out of their systems.

All said, however, the study identifies business interruption as the biggest cost of cyber incidents.

Who is NetDiligence?

NetDiligence has been tracking cyber insurance claims since 2010. Its first study analysed fewer than 100 claims. Its latest study, which covers the period 2020-2024, analyses 10,402 claims. The data for the study is contributed by major cyber insurers, incident response firms, breach coaches, and legal specialists. The report reflects $4.8 billion in total incident costs analysed and offers direct insight into how cyber incidents unfold financially.

Cyber incidents getting more and more expensive

Neither size, industry, nor location protects a company from catastrophic loss. The cyber incidents analysed ranged from under $1,000 to over $500 million in cost per incident. Additionally, records exposed ranged from 1 record to over 140 million records.

Eight incidents analysed exceeded $100 million. Two of those were at organizations earning under $700 million annually. That’s more than 14%, or a seventh, of their annual revenue.

SMEs vs large companies: why smaller businesses feel the pain

The overwhelming majority (98%) of claims in the study came from SMEs. SMEs accounted for 49% of total incident costs, despite having far smaller revenues than large enterprises. Large companies, on the other hand, represented only 2% of claims and accounted for 51% of total costs. At SMEs the average incident cost was $264,000, while it was $10.3 million at large companies.

SMEs are hit more often and large firms are hit harder, but SMEs may be less able to absorb losses.

In the Caribbean, micro, small and medium enterprises (MSMEs) make up about 80% of all businesses and contribute up to 70% of GDP. The region’s companies, regardless of size, have varying levels of cyber maturity, but risk exposure is rising everywhere. This study provides at least baseline instruction for how businesses in the Caribbean should strengthen their cyber resilience.

Ransomware and BEC dominate real-world losses

This brings us to the core threats to businesses. The top two causes of loss across the companies in the study were ransomware and business email compromise (BEC). Together they accounted for 50% of SME claims from 2020–2024, and nearly 55% of SME claims in 2024 alone.

For ransomware, initial ransom demands reached $150 million, and actual ransoms paid reached $75 million. Fifty ransoms exceeded $10 million.

For incidents caused by BEC, average incident cost was relatively lower (~$75K–$100K), but the volume surged in 2024. More than 80% of BEC cases involved someone clicking an email link. One takeaway here is that ‘low-tech’ attacks still drive major financial loss.

Business interruption: the hidden cost many firms underestimate

Claims involving business interruption (BI) were a whopping 650% more expensive than claims without BI. In 2024 alone, BI claims were 250% more expensive. At SMEs, the average BI cost was ~$1.4 million. Worthy of note is that ransomware caused 81% of BI-related claims. A clear insight here is that the biggest losses often come after systems go down, not from the breach itself.

Another key consideration of the post-incident phase is crafting and operationalising a response. Incident response services can include breach coaching, notification and monitoring, and crisis communication. Response services now account for 47% of total incident cost for SMEs, up sharply from prior years. Even when no data is exposed, costs remain comparable to record-exposure incidents. Companies pay for response whether or not data is compromised.

Takeaways for Business Leaders

Cyber risk is increasing simply with the passage of time, and cyber risk is financial risk. Far from being just tech problems, data incidents can become operational boulders and amount to huge losses for a business. However, reports like NetDiligence’s 2025 Cyber Claims Study can help organisations everywhere translate global data into regionally relevant, practical action.

In addition, data protection consultants can help organisations prepare by supporting the buildout of comprehensive cybersecurity plans. Proactive action is the biggest tool in preventing companies from becoming statistics in studies like this.

About Bloomfield

Bloomfield is a bespoke digital compliance support consultancy, serving clients with interests in the Caribbean, North and South America. As an end-to-end compliance partner, we assist organisations from policy creation to staff sensitisation and programme implementation.