2025 Cyber Risk Report: How cybercriminals changed the game


The Resilience 2025 Cyber Risk Report is out and the data tells a clear story: the business of cybercrime matured significantly in 2025. Threat actors moved away from locking up systems and toward stealing data—a shift that has fundamentally changed what it means to be “prepared” for a cyber event.

Our claims data, threat intelligence from the Risk Operations Center, and frontline insights from underwriting and incident response teams all point to the same conclusion. The primary risk for organizations is no longer going offline. It’s the multi-year legal, regulatory, and reputational fallout that follows a data exposure event.

Here’s what stood out.

Data theft replaced encryption as the go-to extortion tactic

For years, ransomware meant encryption: lock the files, demand payment for the key. In 2025, attackers largely abandoned that playbook. Data theft-only attacks jumped from 49% of extortion claims in the first half of the year to 65% in the second half. For the full year, nearly 58% of extortion events involved data theft without any encryption at all.

The logic is straightforward. As organizations got better at restoring from backups, encrypting systems became less profitable. Stealing sensitive data and threatening to publish it, on the other hand, creates regulatory exposure, litigation risk, and reputational damage that no backup can undo. And as our Chief Underwriting Officer Maria Long notes in the report, paying threat actors to suppress stolen data has proven unreliable—data often resurfaces, notification obligations still apply, and class action lawsuits frequently follow.

AI supercharged social engineering

Phishing claim frequency rose 53%, making phishing the number one point of failure in 2025; its share of incurred losses jumped from 21% in 2024 to 50% in 2025. While it is difficult to attribute any specific attack to AI, the timing tracks with the proliferation of AI tools that let attackers craft more convincing messages, impersonate executives, and operate at scale without the language errors that used to be a giveaway.

Research from the Harvard Kennedy School found that AI-generated phishing campaigns achieve a 54% success rate, compared to 12% for traditional phishing. That 4.5x effectiveness multiplier helps explain why phishing losses surged even as organizations continued investing in security awareness training.

Vendor risk stayed stubbornly high

Vendor-related failures accounted for nearly 19% of losses in 2025 with an average severity of $1.36 million per incident. When a critical vendor serving an entire industry is compromised, losses concentrate across that sector simultaneously—as the CDK Global incident demonstrated across the automotive supply chain in 2024.

The challenge is clear: your security controls stop at your network perimeter, but your risk exposure extends through your entire vendor ecosystem.

Retail became a top target overnight

Perhaps the most dramatic shift in 2025 was retail’s transformation from near-zero material losses to one of the top three loss-generating industries, with a $2.6 million average severity. The Scattered Spider campaign in May 2025—targeting Marks & Spencer, Co-op, Harrods, and several US retailers—exposed sector-wide vulnerabilities in authentication procedures, distributed workforces, and concentrated customer data. The M&S incident alone took 45 days to recover online ordering, with losses exceeding £40 million per week.

What this means going forward

The report includes detailed guidance for CFOs, CISOs, and CROs, but the throughline is this: the shift from disruption to data theft means organizations need to rethink where they invest. Backup and recovery strategies are still necessary, but they no longer address the primary threat. Prevention—data loss prevention, zero trust architecture, phishing-resistant authentication, and credential monitoring—has to take priority.

At the same time, incident response planning needs to account for the legal and regulatory tail that now follows most cyber events. Lawsuits are arriving within days of disclosure, claim timelines are stretching to two to three years, and legal defense costs are rivaling or exceeding direct response costs.

The full report covers threat actor profiles, industry-by-industry analysis, case studies, and a detailed look at what we expect in 2026—including the rise of deepfakes, AI-created attack surfaces, and hybrid extortion models.
