Policy | Apr 28, 2026

Cyber Insurance Data Gives CISOs New Ammo for Budget Talks

Cyber insurance data links security failures to financial losses, helping CISOs justify budgets to boards.

Summary

Resilience released analysis of its manufacturing cyber insurance claims (2021–2026) showing ransomware accounts for 90% of losses despite only 12% of claims. The report identifies MFA misconfiguration as the top financial loss driver (26%), followed by software vulnerability exploits (13%), and recommends CISOs use this data to translate technical risk into business terms for board budget discussions.

Full text

CFOs and boards need to understand risk in financial terms, and insurance data can provide exactly that. Obtaining an adequate cybersecurity budget from the board requires translating technical risk into business financial risk, an ability that security technicians do not always have. Resilience, a firm that provides insurance, risk decision support and consultancy, can assist. Through its insurance service, Resilience can directly relate financial loss to specific cybersecurity events and their likely occurrence, allowing CISOs to present technical risk as the monetary risk that CFOs and board members readily understand.

The firm's latest analysis does this for ransomware in manufacturing, the most targeted industry sector (in 2025, 25% of cyberattacks targeted manufacturing). Since different sectors have different characteristics, the precise details do not represent industry and commerce at large, but the principles remain valid, and all sectors can benefit from them. The details in the report are drawn from the firm's own proprietary manufacturing cyber insurance claims portfolio from March 2021 through February 2026, synthesized with data from other publicly available sources such as IBM X-Force and KELA.

The outstanding headline is that the cost of ransomware is high: 90% of incurred loss over this period is attributable to ransomware, while only 12% of the claims relate to ransomware. Ransomware attacks are increasing across the board, but especially in manufacturing, where downtime can be catastrophic to the victim or beneficial to adversarial nation states (see the more recent Iran-linked attack on Stryker).

The value of the Resilience data to CISOs comes from mapping the security failure points in its portfolio to the ultimate cost of the security incident. Two key failures stand out. Firstly, 13% of losses stem from software vulnerability exploits. This highlights the need for improved patching cycles. While it is true that manufacturing has specific and severe patching problems, very few companies anywhere invest in adequate, rapid patching. For manufacturing, Resilience recommends, "Organizations should implement compensating controls including network isolation, virtual patching, and enhanced monitoring of vulnerable systems."

Perhaps more surprising is that MFA misconfiguration, the number one point of failure, accounts for 26% of financial loss, double the loss caused by vulnerability exploits. (This figure dwarfs the 8% of loss attributed to the absence of MFA altogether; whatever the probable reasons for that, they are no excuse or argument against installing properly configured MFA.) The single largest loss in the portfolio, a ransomware attack attributed to BlackCat, was directly enabled by misconfigured MFA. Resilience recommends that MFA validation be treated as a continuous process: "The priority is not just deploying MFA but auditing existing deployments to ensure enforcement across all accounts, elimination of bypass conditions, and proper configuration of conditional access policies."

Beyond ransomware, the report highlights loss incurred through transfer fraud and email compromise, which together comprise 30% of all claims. These attacks are more frequent than ransomware even if the loss is less severe. In both cases, the primary point of failure is phishing leading to credential compromise, which is implicated in more events than these. "Once obtained, valid credentials allow attackers to log into enterprise systems as if they were authorized users, blending into normal networks," says Resilience. "Attackers obtain these credentials primarily through infostealer malware delivered via phishing emails — which surged 84% year-over-year in 2024 — and through credential phishing sites that mimic legitimate login pages." The report recommends that transfer fraud be combated with out-of-band confirmation for payment changes and a dual-authorization procedure for large transactions, together with targeted social engineering training, especially for finance and accounting teams, to counter phishing in general.

While the Resilience analysis primarily relates to ransomware in the manufacturing sector, its recommendations will resonate across multiple attack and industry vectors and could be used by all CISOs. "Manufacturers don't need to reinvent the wheel in the face of a growing threat," says Jud Dressler, head of the risk operations center (ROC) at Resilience. "Our claims data, coupled with threat intelligence from the ROC, found that by auditing and validating MFA deployment, implementing procedural controls for financial transfers, investing in ransomware containment and response, and instituting other easy-to-implement practices can materially combat risk."

The report adds, "Translating cybersecurity risk into financial language that resonates with CFOs and boards is essential for securing adequate investment. The claims data provides a concrete basis for this conversation: ransomware dominates loss, a single point of failure (MFA misconfiguration) drives the largest share of exposure, and unpatched software is a direct line to the most expensive outcomes. These findings map directly to specific control investments and insurance coverage decisions." Armed with such data, technical CISOs could more effectively present and argue the case for an adequate security budget.
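The report's advice to audit existing MFA deployments for enforcement gaps and bypass conditions, rather than merely deploying MFA, can be turned into a repeatable check. The following is an added example, not code from Resilience or the report; it assumes a hypothetical identity-provider export format (the `policy` and `accounts` structure below is constructed for illustration and matches no real vendor's schema).

```python
"""Constructed MFA deployment audit: flags accounts not covered by the MFA
policy and policy settings that let a password alone succeed."""

# Constructed sample export. Hypothetical schema, not a real IdP's format.
SAMPLE_EXPORT = {
    "policy": {
        "name": "Require MFA for all users",
        "state": "enabled",            # "enabled" | "reportOnly" | "disabled"
        "excluded_users": ["svc-backup", "ceo-legacy"],
        "legacy_auth_blocked": False,  # legacy protocols cannot complete MFA
        "trusted_ip_bypass": True,     # MFA skipped from "trusted" networks
    },
    "accounts": [
        {"user": "alice", "mfa_registered": True, "privileged": False},
        {"user": "svc-backup", "mfa_registered": False, "privileged": True},
        {"user": "ceo-legacy", "mfa_registered": True, "privileged": True},
        {"user": "bob", "mfa_registered": False, "privileged": False},
    ],
}


def audit_mfa(export: dict) -> list[str]:
    """Return one finding per enforcement gap or bypass condition found."""
    policy = export["policy"]
    findings = []
    # 1. The policy must actually enforce, not merely observe (report-only).
    if policy["state"] != "enabled":
        findings.append(f"policy '{policy['name']}' is {policy['state']}, not enforcing")
    # 2. Global bypass conditions: paths where a valid password alone is enough.
    if not policy["legacy_auth_blocked"]:
        findings.append("legacy authentication allowed: MFA can be bypassed")
    if policy["trusted_ip_bypass"]:
        findings.append("trusted-IP bypass enabled: MFA skipped on-network")
    # 3. Per-account enforcement: policy exclusions and unregistered users.
    excluded = set(policy["excluded_users"])
    for acct in export["accounts"]:
        tag = "privileged " if acct["privileged"] else ""
        if acct["user"] in excluded:
            findings.append(f"{tag}account {acct['user']} excluded from MFA policy")
        elif not acct["mfa_registered"]:
            findings.append(f"{tag}account {acct['user']} has no MFA method registered")
    return findings


if __name__ == "__main__":
    for finding in audit_mfa(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run against a real export, the same three checks (policy state, global bypasses, per-account coverage) are the ones the report says should be repeated continuously, with privileged exclusions reviewed first.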
Related: Ransomware Hits Automotive Data Expert Autovista
Related: Iran-Linked Hacker Attack on Stryker Disrupted Manufacturing and Shipping
Related: Masimo Manufacturing Facilities Hit by Cyberattack
Related: Cyber Insights 2026: The Ongoing Fight to Secure Industrial Control Systems

Written by Kevin Townsend, Senior Contributor at SecurityWeek.

Entities

Resilience (vendor), BlackCat (threat actor), IBM X-Force (vendor), KELA (vendor), MFA (Multi-Factor Authentication) (technology)