Across three years of tracking cyber insurance loss data in carrier filings, one assumption has held throughout: ransomware claims are independently distributed across a fragmented threat landscape, with dozens of competing groups each contributing a thin slice of total frequency. That assumption no longer holds. At-Bay's 2026 InsurSec Report, published April 22 and covering more than 100,000 policy years of claims data, reveals that a single ransomware-as-a-service operation, Akira, accounted for more than 40% of all ransomware claims in its book. That is the highest single-strain concentration ever observed in a major cyber portfolio, and it forces a fundamental rethink of how pricing actuaries structure their frequency-severity models.
The broader numbers reinforce the urgency. Overall cyber claim frequency rose 7% year over year to the highest level since 2021, the third consecutive year of worsening results. Average claim severity hit an all-time high of $221,000 across all incident types, with ransomware severity reaching $508,000, up 16% year over year. These sustained adverse trends invalidate flat trend assumptions in current rate filings. But the concentration story is what changes the modeling framework entirely.
Why Concentration Breaks the Standard Model
Standard cyber insurance pricing uses a compound frequency-severity framework where expected losses equal E[N] multiplied by E[X], with N the claim count and X the severity of an individual claim. The model assumes individual claims are independently distributed: one policyholder's ransomware event carries no information about whether another policyholder will experience one. When that independence holds, the central limit theorem justifies using a normal approximation for aggregate losses, and the variance of aggregate loss is simply E[N] times Var(X) plus E[X] squared times Var(N).
Akira's dominance shatters this assumption through two channels. First, 86% of Akira attacks targeted environments running SonicWall VPN appliances, exploiting CVE-2024-40766, a vulnerability disclosed in August 2024. Any two policyholders running unpatched SonicWall devices face correlated exposure to the same threat actor using the same exploit. Their claim probabilities are no longer independent; they share a common vulnerability that functions as a systemic risk factor. Second, the group's 364% frequency surge in Q3 and Q4 of 2025, with two-thirds of attacks occurring on nights and weekends, means a single operational decision by one criminal organization (to ramp up attacks) drives portfolio-level loss volatility in a way that attritional models cannot capture.
The Property Cat Analogy
This pattern resembles catastrophe risk more than attritional loss. In property insurance, a hurricane generates correlated claims across an entire geographic zone. In cyber, a single ransomware group targeting a single vendor's appliances generates correlated claims across every policyholder running that technology. The pricing response should be analogous: a catastrophe-style concentration risk load layered on top of the attritional frequency-severity projection.
Building a Concentration Risk Adjustment Factor
The actuarial approach to concentration risk loading in cyber should follow the same logic as property catastrophe pricing. The goal is to estimate the marginal impact on portfolio-level losses from a correlated threat vector and calculate the variance loading needed to maintain a target probability of adequacy.
Step one: isolate the correlated component. Separate the ransomware loss experience into Akira-attributed and non-Akira claims. At-Bay's data shows Akira claims carry average demands of $1.2 million (50% above non-Akira demands) and average payments of $452,000. The non-Akira ransomware population distributes across dozens of smaller groups with no single strain exceeding 10% of frequency. The non-Akira component retains approximate independence; the Akira component does not.
Step two: model the correlated scenario distribution. Rather than projecting Akira frequency as a point estimate, build a scenario-based severity distribution. The relevant scenarios include: (a) Akira sustains current attack tempo, producing frequency consistent with the H2 2025 run rate; (b) Akira accelerates, targeting additional VPN vendors beyond SonicWall or expanding into cloud infrastructure; (c) law enforcement disrupts Akira operations (as occurred with LockBit in February 2024), causing a sharp frequency drop but potentially spawning successor groups. Assign subjective probabilities to each scenario, then calculate the expected value and variance of aggregate losses across the scenario set.
Step three: calculate the variance loading. The concentration risk charge equals the difference between the variance of aggregate losses under the correlated model (with scenario-weighted Akira frequency) and the variance under the independence assumption. Express this as a percentage load on the base expected loss cost. For a portfolio with meaningful SonicWall exposure, this load could range from 15% to 30% of the ransomware component, depending on the probability weights assigned to the acceleration scenario. The target is a probability of adequacy comparable to property catastrophe pricing, typically 80% to 90% at the portfolio level.
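The three steps above, carried through on one correlated component as an added example (not code from At-Bay or from the original article). Assumptions: the scenario probabilities and claim counts are constructed, the severity coefficient of variation is assumed, frequency is Poisson within each scenario, and the variance difference is turned into a percentage load through a normal-approximation quantile at the target probability of adequacy. Only the $452,000 average payment comes from the text.

```python
from math import sqrt, isclose
from statistics import NormalDist

# Constructed scenario set for the correlated (Akira) component:
# (label, subjective probability, expected annual claim count in the portfolio)
SCENARIOS = [
    ("sustain",    0.50, 40.0),
    ("accelerate", 0.30, 70.0),
    ("disrupt",    0.20, 10.0),
]
MEAN_SEV = 452_000.0   # average Akira payment quoted in the article
SEV_CV = 1.5           # assumed coefficient of variation of severity


def concentration_load(scenarios, mean_sev, sev_cv, poa=0.90):
    """Return mean, both variances and the load as a share of expected loss."""
    if not isclose(sum(p for _, p, _ in scenarios), 1.0):
        raise ValueError("scenario probabilities must sum to 1")
    second_moment = mean_sev ** 2 * (1.0 + sev_cv ** 2)      # E[X^2]
    lam_bar = sum(p * lam for _, p, lam in scenarios)        # E[lambda]
    lam_var = sum(p * (lam - lam_bar) ** 2 for _, p, lam in scenarios)

    mean_loss = lam_bar * mean_sev
    # Independence: one compound Poisson at the blended rate.
    var_indep = lam_bar * second_moment
    # Correlated: law of total variance adds the between-scenario term.
    var_corr = var_indep + mean_sev ** 2 * lam_var

    z = NormalDist().inv_cdf(poa)   # normal approximation to the PoA quantile
    load = z * (sqrt(var_corr) - sqrt(var_indep)) / mean_loss
    return {"mean": mean_loss, "var_indep": var_indep,
            "var_corr": var_corr, "load": load}


if __name__ == "__main__":
    r = concentration_load(SCENARIOS, MEAN_SEV, SEV_CV)
    print(f"expected Akira loss : {r['mean']:,.0f}")
    print(f"sd, independent     : {sqrt(r['var_indep']):,.0f}")
    print(f"sd, scenario-mixed  : {sqrt(r['var_corr']):,.0f}")
    print(f"concentration load  : {r['load']:.1%} of expected loss")
```

The excess variance is exactly E[X] squared times the variance of the scenario frequencies, so the load is driven by how far apart the scenarios sit and how much weight the acceleration case receives, not by the severity assumption alone.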
VPN Exposure as a Systemic Rating Variable
The VPN concentration data demands attention as a rating factor. VPN compromise accounted for 73% of all ransomware intrusions with identified entry vectors in 2025, nearly doubling from 38% in 2023. SonicWall topped the targeted VPN list at 27% of all ransomware claims, the first time a single vendor held the top position. This means that a policyholder's VPN vendor choice now carries more predictive power for ransomware frequency than many traditional rating variables.
Pricing actuaries should evaluate whether VPN-dependent insureds warrant a separate catastrophe load analogous to coastal property zones. The fact that 86% of Akira attacks targeted SonicWall environments creates a measurable exposure concentration. Insureds running SonicWall without 24/7 managed detection and response (MDR) represent a distinct risk class: At-Bay reported zero Akira claims among its MDR customers in 2025, compared to a 60% breach rate among Akira targets that had endpoint detection and response (EDR) deployed without continuous monitoring. That differential is large enough to justify a binary rating factor for MDR presence, with the non-MDR class receiving a surcharge reflecting the correlated Akira exposure.
Small Business Severity Demands Reclassification
The small-account segment shows the most acute deterioration. Companies with revenue under $25 million experienced a 21% increase in ransomware frequency and a 40% jump in average ransomware severity to $422,000 in 2025. The overall small-business claim severity rose 26%, the steepest increase among all revenue bands and part of a three-year worsening trend. Current small-account class rating factors materially understate the true risk differential if they were calibrated on data from 2022 or 2023, when small-business severity was trending lower.
The industry-level severity data reinforces the need for segmentation. Technology firms carried the highest ransomware severity at $875,000, followed by finance and insurance at $731,000 and healthcare at $675,000. Manufacturing showed 2.2 times the portfolio average frequency. These industry differentials, combined with the revenue-band effects, suggest that a two-dimensional rating structure (revenue band by industry group) would capture significantly more variance than either dimension alone.
Business Interruption Requires Separate Sub-Limit Pricing
Business interruption triggered on one in three ransomware claims, with average severity of $510,000 versus $168,000 for ransomware claims without BI involvement. That 3x severity differential persisted throughout 2025, and the largest single BI claim reached $5 million (the policy limit, with actual costs likely higher). Roughly one in ten ransomware incidents caused downtime exceeding 30 days.
This data supports a separate BI sub-limit pricing approach rather than embedding BI exposure in the overall ransomware severity distribution. The BI tail is structurally heavier than the data breach or extortion payment tail because downtime costs compound daily while the insured scrambles to restore operations. Actuaries should develop explicit BI trend factors using the emerging multi-year BI severity series, and loss development for BI-triggered claims should follow a longer pattern (18 to 24 months to ultimate) than non-BI ransomware claims that resolve within 6 to 12 months.
Third-Party Liability: Separate Triangles, Separate Trends
Third-party liability claims surged 70% year over year, the largest increase among any incident type tracked by At-Bay. The driver is litigation, specifically the California Invasion of Privacy Act (CIPA), which now accounts for 34% of all third-party claims, up from 7% in 2023. The jump is dramatic: in less than two years, a single state statute has reshaped the third-party loss distribution. Non-Meta pixel tracking cases comprised 69% of CIPA filings in 2025, broadening the plaintiff pool beyond the initial wave of social media tracking suits.
For pricing actuaries, this acceleration necessitates separate development triangles and trend selections for third-party versus first-party coverages. Third-party claims have longer tails (class action filings can take 12 to 24 months to reach settlement), different severity distributions (driven by statutory penalties per violation rather than actual restoration costs), and a trend trajectory dominated by litigation expansion rather than cybercriminal activity. Blending first-party and third-party data into a single triangle will understate third-party IBNR during a litigation surge and dilute the signal that CIPA exposure is growing at a compounding rate.
Financial Fraud: Time-to-Notification as a Rating Variable
Financial fraud remained the most frequent incident type for the third consecutive year, accounting for 30% of all claims. Average stolen funds reached $285,000, up 16% year over year, with the largest single loss at $9.65 million. At-Bay recovered $56 million in stolen funds during 2025, with recovery rates showing sharp time dependence: 70% recovery when the insured notified within three days of the incident, declining to 53% within 4 to 14 days and dropping below 30% after 14 days.
This recovery curve suggests that time-to-notification should be incorporated as either a rating variable (with faster-reporting insureds receiving credit for lower net severity) or an underwriting criterion (requiring incident response plan documentation as a condition of coverage). From a pricing standpoint, the net severity for fraud claims depends heavily on the speed of the policyholder's response, which is a behavioral variable that traditional rating approaches do not capture. Insurers already offering incident response services, as At-Bay does, effectively shift the recovery curve leftward, reducing expected net severity for their portfolio relative to carriers without embedded response capabilities.
| Metric | 2025 Value | Change / Comparison | Pricing Implication |
|---|---|---|---|
| Overall Claim Frequency | Highest since 2021 | +7% | Upward frequency trend selection required |
| Average Claim Severity | $221,000 | All-time high | Severity trend compounds with frequency |
| Ransomware Severity | $508,000 | +16% | ILF curves need upward adjustment |
| Akira Ransomware Share | 40%+ of ransomware | 364% freq. surge | Concentration risk load required |
| VPN Entry Vector | 73% of ransomware | Up from 38% (2023) | VPN vendor as systemic rating variable |
| Small Biz (<$25M) Severity | $422,000 (ransomware) | +40% | Revenue-band factors need recalibration |
| BI-Triggered Ransomware | $510,000 avg. | 3x non-BI claims | Separate BI sub-limit pricing |
| Third-Party Liability | CIPA = 34% of 3P claims | +70% YoY | Separate development triangles |
Why This Matters for Pricing Actuaries
The standard compound frequency-severity model for cyber insurance rests on an independence assumption that Akira's 40% claim share and 86% SonicWall targeting concentration decisively violate. When a single ransomware group can drive a 364% frequency surge across an entire technology-defined exposure class in one half-year, pricing actuaries are dealing with catastrophe-correlated risk, not attritional loss.
The response requires four structural changes to the pricing framework: a concentration risk load analogous to property cat pricing, calibrated through scenario-weighted variance analysis of the dominant threat vector; separate loss development triangles for ransomware versus non-ransomware and for first-party versus third-party coverages, given the materially different tail behaviors; ILF curve recalibration reflecting the $508,000 average ransomware severity and the heavy-tailed distribution created by $1.2 million average demands; and revenue-band rating factor updates that reflect the 40% severity surge for sub-$25 million accounts.
Munich Re projects global cyber premiums reaching $28 billion by 2030, with 15% average annual growth. That growth will be profitable only for carriers whose pricing frameworks can distinguish between attritional cyber loss and concentrated, correlated ransomware exposure. The Akira data is not an anomaly to smooth away in trend selection; it is a structural feature of the cyber risk landscape that demands its own modeling layer.
Sources
- At-Bay, "2026 InsurSec Report: 5 Key Cyber Risk Findings," April 2026, at-bay.com
- At-Bay, "2026 InsurSec Report: Key Cyber Risk Insights & Data," April 2026, at-bay.com
- Help Net Security, "Ransomware, Fraud, and Lawsuits Drive Cyber Insurance Claims to New Peaks," April 23, 2026, helpnetsecurity.com
- Insurance Business, "One Ransomware Crew Now Drives Half of All Cyber Claims: At-Bay," April 2026, insurancebusinessmag.com
- Reinsurance News, "Ransomware Is Shifting Towards Infrastructure-Led Exploitation, At-Bay Reports," April 2026, reinsurancene.ws
- Munich Re, "Cyber Insurance: Risks and Trends 2026," munichre.com
- DataBreaches.net, "One Ransomware Crew Now Drives Half of All Cyber Claims: At-Bay," April 27, 2026, databreaches.net
- Morningstar/Business Wire, "1 in 3 Ransomware Claims Started with SonicWall in 2025 as VPN Attacks Nearly Double," April 22, 2026, morningstar.com