Full Report
The 2026 InsurSec Report from At-Bay, covering more than 100,000 policy years of claims data, documents a 7% year-over-year rise in overall claim frequency and an all-time high average severity of $221,000. Ransomware severity reached $508,000, up 16% from the prior year, making it the costliest incident type by a wide margin. Businesses under $25 million in revenue saw the steepest changes in the portfolio. Ransomware frequency in this segment rose 21% year-over-year, and average ransomware severity climbed 40% to $422,000. The infrastructure-driven targeting model used by Akira and similar groups struck vulnerable appliances wherever they existed, pulling smaller organizations into campaigns that had previously concentrated on mid-market and larger firms.
Analysis Summary
# Industry News: At-Bay 2026 InsurSec Report Signals Record Cyber Insurance Losses
## Summary
At-Bay’s 2026 InsurSec Report reveals a significant shift in the cyber threat landscape, highlighting a 7% rise in claim frequency and record-breaking average severity of $221,000. The data underscores a strategic pivot by threat actors toward targeting remote access vulnerabilities, disproportionately impacting small businesses and specific sectors like manufacturing and technology.
## Key Details
- **Date:** April 23, 2026
- **Companies Involved:** At-Bay (Cyber Insurance/InsurSec), SonicWall, Cloudflare, Akira Ransomware Group
- **Category:** Market Analysis / Industry Report
## The Story
The 2026 InsurSec Report, based on 100,000 policy years of data, indicates that ransomware severity has surged by 16% to an average of $508,000. A critical shift in attacker methodology is evident: remote access weaknesses now account for 87% of ransomware entries, with VPN compromises alone representing 73%. Notably, the report highlights that email-based ransomware entry has dropped to nearly zero, as attackers favor the speed and high-level access provided by exposed appliances.
The Akira ransomware group has emerged as a primary driver of these trends, with a 364% frequency jump in late 2025. Akira’s attacks are characterized by extreme velocity—often deploying within minutes of access—and occur predominantly during off-hours. This infrastructure-driven targeting has pulled "Main Street" businesses (revenue under $25M) into the crosshairs, leading to a 40% increase in ransomware severity for this segment.
## Business Impact
### For the Companies Involved
- **At-Bay:** Solidifies its position as a data-driven insurer using proprietary claims data to drive risk-mitigation advice.
- **SonicWall:** Faces brand pressure as one in three ransomware claims involved its devices, necessitating urgent patch management and customer outreach.
### For Competitors
- **Cyber Insurers:** Will likely adjust premiums and underwriting requirements for organizations using legacy VPN hardware.
- **Security Vendors:** Providers of MDR (Managed Detection and Response) and AI-backed email security have a strengthened value proposition.
### For Customers
- **SMEs (Small/Medium Enterprises):** Smaller firms face a "new normal" where they are targeted as aggressively as large enterprises but with fewer resources to absorb the 40% rise in loss severity.
- **Policyholders:** Can expect stricter mandates to transition from hardware VPNs to Zero Trust/Cloud-based access.
### For the Market
- **CDNs (Cloudflare, etc.):** While currently insulated from liability, the high abuse of their infrastructure (69% of analyzed fraudulent links) may eventually invite regulatory scrutiny.
- **Shift in Costs:** The record-high severity indicates a continuing "hardening" of the cyber insurance market.
## Technical Implications
The primary technical shift is from phishing to **infrastructure exploitation**. Zero-day and N-day vulnerabilities in VPN appliances are the preferred entry vector. Furthermore, the effectiveness of 24/7 MDR was proven: 100% of Akira victims who avoided data encryption had MDR in place, whereas 66% of attacks occurred when unmonitored teams were offline.
## Strategic Analysis
- **Market Positioning:** At-Bay is pivoting from a passive insurer to a proactive security partner, emphasizing "InsurSec" (Insurance + Security).
- **Competitive Advantage:** Managed Security Service Providers (MSSPs) that offer automated EDR blocking and 24/7 monitoring now have quantifiable data to prove ROI to cost-conscious SMEs.
- **Challenges:** The speed of modern attacks (minutes vs. days) makes human-only response obsolete, necessitating a strategic shift toward automated prevention.
## Industry Reactions
- **At-Bay CISO Tristan Tyra:** Emphasizes that there is "no close substitute" for professional MDR and urges businesses to move away from vulnerable hardware appliances toward SaaS-based remote access.
- **Market Sentiment:** Analysts view the 16% increase in stolen funds (averaging $285,000) in financial fraud as a sign that traditional email filters are failing against cloud-obfuscated links.
## Future Outlook
- **Predictions:** Ransomware groups will continue to automate the scanning and exploitation of network appliances, further reducing the time from breach to encryption.
- **What to Watch For:** A potential regulatory or legal push to hold Content Delivery Networks (CDNs) more accountable for the malicious links hosted on their platforms.
## For Security Professionals
- **Immediate Action:** Audit and potentially retire high-risk VPN appliances. If hardware must remain, ensure it is behind a robust patching schedule.
- **Configuration:** Enable "block mode" on EDR tools. The report suggests that "passive" monitoring is insufficient against high-speed groups like Akira.
- **Coverage:** Ensure security monitoring is "24/7/365," as the majority of high-severity incidents now occur during nights and weekends.