What the 2025 NetDiligence Cyber Claims Study Tells Us About Small Business Risk.
Cyber risk is evolving quickly. Threats are getting more sophisticated, and the financial fallout from ransomware, business email compromise, and other incidents is becoming harder to predict. NetDiligence’s 2025 Cyber Claims Study, which analyzed over 10,000 cyber claims from 2020 through 2024, shows that small and mid-sized businesses are carrying most of the burden. Nearly all reported breaches happened to smaller organizations, not Fortune 500 giants.
For leaders of small businesses, this report is a wake-up call. Cyber risk is not just a problem for big companies. It’s a daily reality for organizations of every size, and the costs can be crippling.
Key Takeaways
1. Small businesses experience the vast majority of breaches
Nearly 98 percent of all breaches in the study happened to small and mid-sized businesses. While their average cost per incident is lower than what Fortune 500 companies face, these losses can still be devastating. For many smaller organizations, even a few hundred thousand dollars in ransomware payments, recovery expenses, or crisis services can threaten operations or long-term stability.
2. Business interruption multiplies the damage
When an incident disrupts operations, the costs escalate fast. For smaller businesses, a claim that includes business interruption is more than six times more expensive than one that does not. The downtime and recovery can quickly overshadow the original attack.
3. Crisis services add up quickly
For small and mid-sized businesses, almost half of total incident costs come from services like forensics, legal help, customer notifications, and credit monitoring. These steps are necessary to comply with regulations and rebuild trust, but they can double or even triple the overall cost of a breach.
4. Ransomware and Business Email Compromise are still the top problems
These two types of attacks continue to drive a large share of high-cost claims. Ransom demands have grown to staggering levels, with some reaching $150M and actual payments as high as $75M. Even when the ransom is not paid, the recovery and downtime can cripple smaller organizations.
5. Fewer records are being exposed, but risk is still high
The number of incidents with exposed records is going down, but that does not mean companies are safer. Many of today’s most expensive events, like ransomware and wire fraud, do not involve exposed data at all.
6. Almost all incidents are caused by criminals
Criminal activity accounts for more than 97 percent of claims for small and mid-sized businesses. Non-criminal incidents do occur, but they are rare and usually less costly.
7. Big companies still face the biggest dollar losses
Large enterprises made up only 2 percent of claims but accounted for more than half of the total financial impact. Their average incident costs were in the $10M to $12.7M range, compared to hundreds of thousands for smaller firms. While the stakes are higher at the top end, the frequency of attacks clearly tilts toward smaller organizations.
What This Means
Don’t assume you’re too small to be a target. Nearly all the claims in the study involved small and mid-sized businesses. Attackers know many smaller firms lack the same defenses as big corporations.
Have a response plan. Because crisis services like forensics, legal counsel, and notifications make up such a large portion of costs, having a plan and trusted partners lined up can prevent expenses from spiraling.
Look beyond stolen data. A breach that doesn’t expose customer records can still grind your operations to a halt and cost millions in downtime and recovery.
Be ready for ransomware. Backups, access controls, and good cyber hygiene are essential. Ransomware is not slowing down, and it continues to be one of the most common and damaging threats.
Review your insurance carefully. Coverage is changing quickly. Make sure your policy actually covers the areas where costs are growing, such as business interruption and recovery expenses.
A Few Things to Keep in Mind
The averages in the study can be skewed by a handful of very large claims, so not every company will see costs in the millions. Also, not every organization reports full details of their expenses, which means some costs are probably higher than the study shows. What’s important is not the exact number, but the trend: cyber claims are increasing, and the financial impact on smaller organizations is growing year after year.
Final Thoughts
The NetDiligence 2025 study makes one thing clear. Cyber risk today is not just about stolen records. It is about downtime, recovery, and the very real financial shock that comes with trying to get a business back on its feet. Small and mid-sized businesses are the ones most often in the crosshairs. The organizations that will weather the storm are those that prepare in advance with prevention, response, and recovery plans that match the realities of today’s threat landscape.
If you are wondering what this means for your business, let’s talk. You can grab time with me here: https://calendly.com/lee-whitecaprisk/30min.
For a full copy of the report, go here: https://netdiligence.com/cyber-insurance-claims-study/