The newly released 2026 Cyber Claims Report from our partner Coalition is one of the clearest looks we have into what’s actually driving cyber losses today, not theory, not vendor positioning, but real claims data across more than 100,000 policyholders. It cuts through a lot of noise. What stands out isn’t just the rise in attacks, it’s where the losses are really coming from, how businesses are recovering, and why more spending still isn’t translating into better outcomes.
Here is a quick review of why it matters to businesses now more than ever, and how Third Wave helps our customers.
The problem no one wants to say out loud
Most organizations assume that if they invest enough in security tools, risk goes down. But that’s not what’s happening.
- Attack frequency is rising
- Teams are overwhelmed
- Visibility is fragmented
- And response is still too slow
At some point, you have to step back and ask "What is all of this actually changing when it comes to business outcomes?" Because that’s where things start to fall apart.
Where the real losses are happening
If you expected the biggest risk to be advanced attacks or zero-days, the data tells a different story. The majority of claims aren’t coming from highly sophisticated exploits.
They’re coming from simple, repeatable paths:
- Business email compromise
- Funds transfer fraud
- Social engineering
Together, these account for more than half of all claims. That matters because these aren’t just technical failures. They’re failures across people, process, and decision-making. And they hit where it hurts most: cash flow.
A single fraudulent wire transfer doesn’t show up as a “security event.” It shows up as a financial loss. That’s a very different conversation.
Ransomware didn’t go away. It evolved.
- Data theft
- Legal exposure
- Regulatory pressure
- Reputation damage
Most attacks now combine encryption and exfiltration, which means even if you recover your systems, the problem isn’t over. At the same time, something interesting is happening. More companies are refusing to pay. That sounds like progress, but it only works if you’re actually prepared to recover without the attacker. If you’re not, the cost just shows up somewhere else.
Speed matters more than prevention
Here’s one of the more important takeaways from the report. The difference between a manageable incident and a business-ending one often comes down to speed.
- How fast was it detected?
- How quickly was it contained?
- How quickly did recovery start?
In fraud cases, minutes matter. In ransomware, hours matter. In both cases, response is what determines the outcome. That’s why some organizations walk away from incidents with minimal loss, while others don’t recover at all. Not because they had better tools. Because they were able to act.
The risk you don’t control still hits you
Another shift that’s becoming impossible to ignore is third-party risk. You can do everything right internally and still take a hit because:
- A vendor was breached
- A SaaS platform was compromised
- Data was shared or exposed through a partner
- And then the second wave hits.
Legal claims. Privacy violations. Regulatory scrutiny.
In many cases, the cost of the incident isn’t the breach itself. It’s everything that follows. That’s where liability starts to outweigh the technical problem.
Why this hits SMBs the hardest
Smaller and mid-sized businesses are seeing increased attack frequency. Not because they’re more valuable targets, but because they’re easier ones. Automated attacks don’t care about company size. They care about exposure. And most SMBs don’t have:
- Dedicated response teams
- 24/7 monitoring
- Integrated recovery plans
So even if the dollar amount of a loss is smaller, the impact is often much bigger. It hits operations. It hits revenue. It hits survival.
What this actually means for cybersecurity
If you step back, the message in the data is pretty straightforward. Cybersecurity by itself isn’t enough. Insurance by itself isn’t enough. And more tools definitely aren’t enough. The organizations that are holding up better are doing something different.
They’re connecting:
- Security
- Risk
- Financial exposure
- And recovery
They’re not just trying to stop attacks. They’re preparing for what happens when one gets through.
Where Third Wave fits
This is exactly the gap Third Wave is built to address. We don’t approach cybersecurity as a collection of tools. We treat it as a business function.
That means:
- Reducing real financial risk, not just technical risk
- Aligning security with cyber insurance expectations
- Improving response so incidents don’t turn into losses
- Helping businesses recover quickly when something does happen
Because at the end of the day, that’s the only outcome that matters. Not whether an alert fired, or a control passed, but whether the business stays operational.