When most business leaders think of ransomware, they picture the classic scenario: Hackers encrypt files, demand payment and promise to unlock systems upon receipt of cryptocurrency. That’s not how it works anymore. Cybercriminals are much more brazen, and the financial stakes have never been higher.
For starters, hackers are encrypting less and outright exfiltrating more. Data theft by ransomware groups jumped 92% year-over-year, according to Zscaler, rising to 238 terabytes of stolen data, while public extortion cases increased by 70%.
Most organizations, and even their insurers, are unprepared for these new tactics. Insurance companies rely heavily on claims data to assess risk, but this approach creates a fundamental blind spot that could prove catastrophic.
Claims data only reflects what happens to companies that already have cyber insurance coverage. Huntress reports that 22% of companies don’t have cyber insurance, and 58% of those that do have decreased their coverage. In other words, insurers are making risk assessments based on an incredibly narrow slice of actual cyber incidents. They’re trying to understand the full scope of a forest fire by only looking at the houses that had fire insurance.
What insurers should be examining instead is breach data: comprehensive information about cyberattacks across all sectors, company sizes and geographic regions, regardless of insurance coverage. This broader view reveals patterns and attack vectors that claims data completely misses. When you look at breach data, you see that attackers are increasingly using sophisticated social engineering tactics, like those employed by groups such as Scattered Spider, which manually infiltrate organizations rather than relying on automated malware deployment.
The manual approach is more time-intensive for attackers, but also more lucrative. These groups take time to understand their targets’ infrastructure, identify the most critical systems and position themselves for maximum impact. Even major corporations that should have robust defenses, like Allianz, have fallen victim to significant ransomware attacks, showing that no organization is immune.
The disconnect between what insurers think they know (based on claims data) and what’s actually happening in the threat landscape (revealed through breach data) creates a dangerous gap in risk assessment and pricing models.
While organizations focus on the immediate ransom demand, the hidden costs of modern ransomware attacks dwarf these initial payments. The evolution toward data theft fundamentally changes the financial equation in ways that traditional risk models fail to capture.
Regulatory fines now represent one of the largest potential exposures. Under GDPR, organizations face penalties of up to €20 million or 4% of annual revenue, whichever is higher. The California Consumer Privacy Act imposes fines up to $7,988 per violation. When attackers steal millions of customer records, these per-violation penalties can quickly escalate into the hundreds of millions of dollars.
Legal exposure has exploded alongside regulatory risks. More than 1,488 data breach class action lawsuits were filed in the U.S. in 2024, nearly tripling since 2022. High-profile settlements show the financial stakes: Meta agreed to a $1.4 billion settlement for biometric data violations last year, while Marriott paid $52 million to settle a multi-state data breach case.
Traditional cyber insurance risk models assume ransomware means encrypted files and brief business interruptions. The shift toward data theft creates complex claim scenarios that span multiple coverage lines and expose gaps in traditional policy structures.
When attackers steal data rather than just encrypting it, the resulting claims can simultaneously trigger business interruption coverage, professional liability protection, regulatory defense coverage and crisis management. Each coverage line may have different limits, deductibles and exclusions, creating complicated interactions that claims adjusters struggle to parse.
Modern business relationships are interconnected, which amplifies complications. A data breach at one organization can trigger liability claims from business partners, regulatory investigations across multiple jurisdictions, and contractual disputes with vendors and customers. Dependencies on third-party services create cascading exposures that traditional risk models fail to capture.
Perhaps most challenging, the timeline for data theft extends far beyond typical cyber claims. Encrypted files can often be restored from backups within days or weeks, but regulatory investigations and class action lawsuits can drag on for years.
The data theft evolution is accelerating rapidly due to AI-powered attack tools that fundamentally change the threat equation. Zscaler’s research shows that threat groups are already using ChatGPT and similar tools to create personalized phishing campaigns at unprecedented scale, automate social engineering attacks and generate convincing impersonation content that bypasses traditional detection methods.
The insurance implications are profound. Manual risk assessment processes cannot keep pace with the volume and sophistication of AI-enhanced attacks. Carriers still relying on traditional underwriting approaches face a fundamental mismatch of human-speed risk evaluation against machine-speed threat deployment.
Forward-thinking insurers are responding by integrating AI-powered risk scoring and automated threat assessment into their underwriting processes. These systems can analyze institutional security postures, process breach data patterns and identify emerging threat vectors at the scale and speed that modern cyber risks demand. Carriers that fail to adopt AI-based underwriting tools will find themselves consistently mispricing policies as attackers outpace their ability to understand and quantify evolving risks.