Cyber losses for small and mid-sized enterprises (SMEs) are climbing. The costliest incidents increasingly involve business interruption. Ransomware and business email compromise (BEC) remain the top drivers of loss, demanding both stronger controls and sharper insurance strategies.
What the Data Says: Key Claims Trends

In late 2025, NetDiligence released its 2025 Cyber Claims Report, which analyzed 10,402 cyber claims occurring from 2020 to 2024, with 98% of those claims from small to medium enterprises (SMEs, <$2B revenue) and 60% of claims from businesses <$300M revenue. Below are some of the key trends:

Cost Trends

> The five-year average cost for all SME cyber claims is $264,000, an increase of 29% from last year.
> The five-year average cost for crisis services (defined below) is $152,000, with slight year-to-year decreases since 2021.

The Big Two: Ransomware & Business Email Compromise (BEC)

> For SMEs, ransomware and BEC combined account for ~50% of claims from 2020 to 2024, and nearly 55% in 2024.
> Five-year average incident cost of a ransomware claim for SMEs: $631,000
> Average incident cost of BEC claim for SMEs: $98,000

Business Interruption (BI) is a Force Multiplier

> SME claims that included Business Interruption averaged $1.4M in total incident cost across five years. This equates to ~650% higher than claims without BI.
> Ransomware incidents accounted for 81% of claims with a BI component, making ransomware a key focus for cyber defense investment.
Successful Cyber Risk Leadership

While the risk is increasingly apparent, many company leaders struggle to lead effective cybersecurity conversations and drive meaningful improvement of their organization’s defenses. At our recent 2025 Executive Risk Management Conference, Dr. Tim Cranny, Security Principal with Global Digital, shared practical executive-level insights, including:

Successful companies ground cybersecurity decisions in what really matters.
What this means: Anchoring security efforts to critical assets and business priorities (e.g., uptime, payment processing, client communications, PHI) and ensuring that every proposed control directly maps to protecting those assets and business functions.

Successful companies win with fundamentals.
What this means: Before chasing shiny tech solutions, successful companies are driving mastery of basics: identity hygiene, hardening, backups (immutable), monitoring, email security, payment verification, and tested recovery. Then “trust but verify”—measure results rather than effort and re‑check controls periodically to avoid false confidence.

Dr. Cranny’s framing of cyber attacks as chains of events (not “instant bombs”) is particularly useful: executives should push for defense‑in‑depth controls that break the attack chain at multiple points, and for governance that keeps teams focused on risk‑reducing outcomes over tool‑centric activity.

Insurance Perspective: Structuring Coverage for Today’s Cyber Losses

In conjunction with strong cyber risk mitigation practices, your cyber insurance coverage should align with your risk exposures and overall strategy.
Best practices include:
If you’d like help benchmarking your company’s cyber risk, stress-testing your incident response & BI scenarios, or right-sizing cyber coverage, the team at Scott Insurance can facilitate a working session and deliver a prioritized action plan. Contact your Scott Risk Advisor today to get started.
Publisher: Scott Insurance