Cyber Claims Frequency-Severity Divergence Reshapes Rate Models in 2026

From tracking cyber insurance loss data across multiple carrier filings, one pattern stands out in the 2026 data cycle: frequency and severity are moving in opposite directions, and the divergence is large enough to break any pricing model that relies on a single aggregate loss-ratio trend. Coalition's 2026 Cyber Claims Report, released March 5, 2026 and based on over 100,000 policyholders across five countries, quantifies the split. Overall claims frequency rose 3% year over year to 1.54%, while average claim severity dropped 19% to $116,000. Underneath those topline numbers, ransomware demands surged 47% even as 86% of businesses refused to pay, and attack vectors migrated in ways that demand peril-level loss cost segmentation.

For pricing actuaries, this is not simply an academic curiosity. The frequency-severity divergence cascades through every component of the rate indication: trend selections, increased limits factors, experience rating relativities, and loss development patterns all require separate treatment. This article develops the actuarial methodology for pricing cyber insurance under these conditions, drawing on Coalition's data alongside market context from S&P Global, Marsh, Aon, and AM Best.

Peril-Level Loss Cost Decomposition

The first step in any cyber rate analysis is recognizing that "cyber" is not a single peril. Coalition's data shows three distinct loss-generating mechanisms with fundamentally different frequency-severity profiles:

Business email compromise and funds transfer fraud accounted for 58% of all cyber incidents. BEC claims frequency rose 15% year over year, while funds transfer fraud frequency declined 18%, demonstrating real-time attack vector migration within a single policy period. BEC carries an average loss of $27,000 (down 28% year over year), while FTF averages $141,000 (down 14%). These are high-frequency, moderate-severity perils with short claims tails.

Ransomware represented 21% of claims at a 0.32% frequency, essentially flat year over year. But the composition shifted dramatically: dual extortion attacks (encryption plus data exfiltration) now constitute 70% of ransomware claims, carrying an average loss of $299,000, more than double the $138,000 average for encryption-only attacks. Initial ransom demands surged 47% to over $1 million, but with 86% of victims refusing to pay, negotiated settlements among the 14% who did pay averaged $355,000, roughly 65% below the initial demand.

All other perils (unauthorized access, denial of service, misconfiguration) comprised the remaining 21%, generally carrying lower severity and contributing to the 64% of claims that resolved at zero policyholder cost.

Two-Part Trend Selection: Separating Frequency from Severity

The standard actuarial approach of fitting a single exponential trend to aggregate loss ratios fails in cyber because it masks offsetting movements. When frequency rises 3% and severity falls 19%, a blended loss-ratio trend would show an aggregate decline that understates the frequency pressure on attachment probability and overstates the severity trend that drives excess layer pricing.

The preferred framework uses weighted least-squares regression on separate frequency and severity series. For frequency, the dependent variable is claims per exposure unit (per policy, or per $1 million of revenue) by accident quarter. For severity, the dependent variable is average loss per claim, ideally segmented by peril category. The weighting scheme uses exposure counts for frequency regressions and claim counts for severity regressions, concentrating influence on the most credible data points.

Coalition's multi-year dataset supports this decomposition because it tracks 100,000+ policies with consistent exposure definitions across reporting periods. The practical output is two separate trend factors: a frequency trend applied to the expected claim count at the base limit, and a severity trend applied to the mean and variance of the loss size distribution. These feed independently into the loss cost projection rather than being blended into a single trend that obscures the underlying dynamics.

An important calibration check: the product of the selected frequency and severity trends should reconcile to the observed aggregate loss cost trend within a reasonable tolerance. If the aggregate pure premium moved -16.4% (the approximate product of +3% frequency and -19% severity), but the separate trend selections imply a different aggregate, the actuary needs to investigate whether the divergence stems from mix shifts, development pattern changes, or model specification error.

ILF Recalibration Under a Shifting Severity Distribution

Increased limits factors in cyber are acutely sensitive to the shape of the severity distribution, and Coalition's data shows that shape is changing in two simultaneous ways.

First, the 64% of claims resolving at zero policyholder cost creates a massive point mass at zero in the empirical severity curve. For parametric severity model fitting (lognormal, Pareto, or mixed distributions), this zero spike must be handled explicitly, typically by modeling the probability of a nonzero loss separately from the conditional severity given a nonzero loss. Ignoring the zero-loss mass and fitting the full empirical distribution will systematically understate the base layer loss cost and overstate the tail thickness.

Second, the growth of dual extortion ransomware (70% of ransomware claims at $299,000 average, versus $138,000 for encryption-only) fattens the right tail of the conditional severity distribution. This is a classic mixed-peril effect: the severity distribution is not a single parametric family but a mixture of BEC losses concentrated below $50,000, FTF losses centered around $141,000, and ransomware losses with a heavy right tail extending past $1 million.

The practical consequence for ILF calculation: excess loss factors at each attachment point must be recalculated using the updated severity mixture. A $1 million excess of $1 million layer will load more heavily when dual extortion shifts the conditional severity distribution rightward, even though the overall average severity declined. Actuaries using last year's ILFs without adjustment will underprice excess layers and overprice primary layers, creating adverse selection against the carrier in both directions.

Peril Category	Share of Claims	Avg. Severity	YoY Change	Tail Behavior
BEC	31%	$27,000	-28%	Light; concentrated below $50K
FTF	27%	$141,000	-14%	Moderate; some $500K+ outliers
Ransomware (dual extortion)	~15%	$299,000	n/a	Heavy; demands exceed $1M
Ransomware (encryption-only)	~6%	$138,000	n/a	Moderate
Other (zero-cost resolved)	~21%	$0	n/a	Zero-loss spike

Revenue-Band Segmentation and Credibility Weighting

The 4.7x frequency multiplier between sub-$25 million and $100 million-plus firms demands explicit rating segmentation by insured size. Building credibility-weighted relativities for revenue bands requires three components.

Observed relativities: Using Coalition's data, the raw frequency relativities by revenue band are approximately 1.00 (base, $25M-$50M), 0.74 ($0-$25M), and 3.50 ($100M+). These raw relativities carry sampling error, particularly in the tails where the claim count per band may be thin.

Credibility standards: Under limited fluctuation credibility with a 90% probability of being within 5% of the true value, the required claim count threshold is approximately 1,082 claims (using the standard formula n = (z/k)^2 where z = 1.645 for 90% confidence and k = 0.05, assuming a Poisson frequency). Revenue bands with fewer claims receive partial credibility, with the complement weighted toward the all-band average or a prior fitted curve.

Exposure normalization: Revenue is an imperfect but practical exposure base for cyber risk. Larger firms have more endpoints, more users, more attack surface, and more data worth exfiltrating. The 4.7x frequency differential is partly explained by these exposure characteristics. However, it also reflects selection effects: larger firms are more likely to report incidents and more likely to carry coverage in the first place. Actuaries should consider whether the relativity captures true risk differential or reporting propensity bias before applying it to rate indications.

Split Development Triangles by Peril Category

Loss development in cyber is peril-dependent, and blending all perils into a single development triangle distorts the tail factors for both short-tailed and long-tailed components.

BEC and FTF claims develop quickly. Most are reported within days of the incident, and financial losses are quantified within 60 to 90 days. Coalition's fund recovery program (which recovered $21.8 million in stolen funds at an average of $202,000 per successful recovery) further compresses the net development pattern by reducing ultimates at later maturities. These perils are typically fully developed within 12 months of the loss date.

Ransomware claims with business interruption components take 18 to 24 months to fully develop. The initial ransom demand and any payment resolve relatively quickly, but downstream costs (forensic investigation, regulatory notification, business interruption losses, and third-party liability) emerge over a longer horizon. The Resilience 2026 Cyber Claims Report noted that 65% of H2 2025 extortion claims involved data theft suppression demands, which can trigger extended notification and litigation timelines.

The practical recommendation: maintain separate development triangles for (1) BEC/FTF, (2) ransomware, and (3) all other first-party claims. Apply distinct link ratios to each triangle, then aggregate the projected ultimates for the combined rate indication. Using a single composite triangle will understate IBNR for ransomware (because the fast-developing BEC claims pull the composite factors down) and overstate IBNR for BEC (creating unnecessary conservatism in the short-tailed component).

Recovery offsets add another layer. Coalition recovered $21.8 million in stolen funds during the reporting period. These recoveries should be reflected as negative development in the FTF triangle, reducing the net loss development factor at later maturities. Actuaries must decide whether to model recoveries as a separate line item or embed them in the development pattern; the former provides more transparency for rate filing support.

Rate Adequacy in the 2026 Market Context

The pricing methodology above operates against a market backdrop that is itself shifting. Marsh reported Q1 2026 cyber rates declined 5%, marking the seventh consecutive quarter of decreases. Aon's Q4 2025 data showed client rate reductions of 20% on primary layers and 22% across all layers. Meanwhile, AM Best reported the U.S. cyber loss ratio rose to 48.8% in 2024 from 41.6% in 2023, with nearly 50,000 claims reported, a roughly 40% increase year over year.

S&P Global Ratings projects global cyber premiums reaching $23 billion by 2026, forecasting 15-20% premium growth as rate adequacy testing reveals that accumulated soft-market decreases are outpacing the underlying trend. The tension between deteriorating loss experience and competitive rate pressure creates a classic underwriting cycle dynamic, though one compressed into shorter timeframes than traditional P&C lines.

For pricing actuaries, the rate adequacy question reduces to this: can the current rate level absorb a frequency trend that is positive and accelerating (particularly among large accounts at 5.72%) while the severity distribution reshapes around dual extortion? The aggregate loss ratio improvement from declining average severity may be temporary if the peril mix continues shifting toward more expensive ransomware variants.