The 2026 Chubb Cyber Claims Report paints a nuanced picture of the evolving threat landscape across Europe and the UK. The report shows that, while claims severity is on the rise, claims frequency reached a five-year low among mid-size and large businesses. At the same time, small-to-medium enterprises (SMEs) experienced a sharp increase in both the frequency and severity of claims.
The growing complexity of exposures and the rapid advancement of artificial intelligence (AI) are shifting the dynamics of cyber risk. While AI adoption has helped businesses better detect vulnerabilities prior to an attack, it has also enabled more sophisticated adversarial use of technology to accelerate the speed and scope of risk exposure. This reinforces the need for businesses to strengthen their cyber resilience.
Tracking both the severity and frequency* of cyber claims provides insight into the shifting risk landscape for SMEs, middle market and large companies.
* Severity is defined as the average cost per claim. Frequency is defined as the average number of cyber claims per 100 policies.
The severity of cyber claims for SMEs reached a five-year high of $82,621 on average per claim, while claims frequency increased by 86% between 2024 and 2025.
This sharp rise, in both claim frequency and severity suggests increased targeting of SMEs by cyber criminals.
Although incidents in middle market businesses became less frequent, the financial impact of cyber claims grew substantially.
Claims severity in the middle market rose by 210% over a five-year period to an average claim cost of $318,820 in 2025, while the frequency of middle market claims reached a five-year low to 1.51 claims per 100 policies.
The severity of cyber claims saw costs increase by around 100% between 2024 and 2025. Similar to the middle market frequency trends, claims frequency among large companies reached its lowest point in 2025 after several years of steady decline, dropping approximately 68% from 2020 to 2025.
While claims frequency decreased over the five-year period, incidents affecting large organisations often involve broader, more complex breaches and higher regulatory costs, resulting in far greater financial losses.
Even companies with robust cybersecurity measures can face serious disruption and threats when sensitive information is exfiltrated and exposed, leading to a range of regulatory, operational and financial challenges and reputational harm.
Ransomware attacks continue to pose significant threats, often resulting in severe and costly incidents - particularly for SMEs and mid-sized companies. The severity of these attacks is mainly driven by business interruption losses.
And while the adoption of AI has contributed to a decline in claims frequency by enhancing detection capabilities, AI has also increased the speed and scope of risk exposure, enabling more sophisticated attacks to compromise companies of all sizes.
In addition to cyber threats, legal and regulatory factors play a significant role in shaping cyber claim frequency and severity across regions.
According to the Cyber Claims Report, in the US, a ‘litigation-first’ approach and a complex patchwork of state-level privacy laws drive higher claim frequency and severity. This creates challenges for businesses operating across multiple states, as well as for European companies trading with or in the US, as they must comply with complex cross-border regulations.
International privacy laws and their associated obligations continued to evolve rapidly throughout 2025. The EU’s General Data Protection Regulation (GDPR) establishes region-wide standards for the lawful collection, processing, retention and deletion of personally identifiable information. In the UK, the Data (Use and Access) Act 2025 (DUAA), builds on the Data Protection Act (2018), modernising the existing framework while retaining core GDPR principles.
Evolving privacy regulations governing the collection, use and transfer of personal data presents significant challenges for companies operating globally, with non-compliance risks greater than ever.
By better understanding the shifting cyber risk landscape, companies can be more confident in identifying and responding to threats.
Chubb offers its policyholders access to wide range of tools and solutions designed with this in mind. This includes support across areas such as cyber protection for small businesses, incident response, vulnerability management, security, managed detection and response, privacy risk management, and user security and awareness.
More broadly, Chubb publishes insights and intelligence to help businesses understand the evolving threat landscape. This includes the Chubb Cyber Index, which gives real time access to claims data, current threat trends, incident activity and costs and Chubb Threat Intelligence Reports, which offer quarterly guidance on emerging cyber threats.
Cyber risks continue to evolve rapidly, with recent years marked by shifting trends in both claims severity and frequency across all business sizes, as well as the growing impact of ransomware, emerging AI-driven threats and regulatory obstacles.
With Chubb’s global expertise, comprehensive claims data and advanced risk mitigation tools, companies can anticipate, withstand and recover from even the most complex cyber incidents.
Download the full cyber report for insights and strategies needed to strengthen cyber resilience and prepare for the whatever next.
All content in this material is for general information purposes only. It does not constitute personal advice or a recommendation to any individual or business of any product or service. Please refer to the policy documentation issued for full terms and conditions of coverage.
Chubb European Group SE (CEG) is an undertaking governed by the provisions of the French insurance code with registration number 450 327 374 RCS Nanterre. Registered office: La Tour Carpe Diem, 31 Place des Corolles, Esplanade Nord, 92400 Courbevoie, France. CEG has fully paid share capital of €896,176,662. UK business address: 40 Leadenhall Street, London, EC3A 2BJ. Authorised and supervised by the French Prudential Supervision and Resolution Authority (4, Place de Budapest, CS 92459, 75436 PARIS CEDEX 09) and authorised and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request.