Cowbell's 2026 Claims Data Shows Ransomware Isn't Your Client's Biggest Cyber Loss

If you're walking into a cyber renewal in 2026 leading with ransomware, you're selling the wrong threat. Cowbell's 2026 Claims Report puts extortion events at just 18.3% of claims. Data breach (33.5%) and cybercrime (31.8%) each produce more claim activity than ransomware does. The FBI's own numbers back that up. The pitch most brokers keep rehearsing doesn't match the loss runs.

The Claim Mix Has Shifted

Cowbell's numbers reflect the last 18 months of reported incidents from a direct-to-SME cyber carrier. Data breach sits at 33.5% of claims and cybercrime at 31.8%. Extortion events come in at 18.3%, with the remaining 16.4% split across everything else. Data breach and cybercrime each out-claim extortion by nearly two to one.

The FBI's 2025 Internet Crime Report tells the same story in sharper terms. Business email compromise alone accounted for $3.05 billion in reported 2025 losses across 24,768 complaints. Ransomware accounted for $32.3 million across 3,611 complaints. BEC losses outweighed ransomware losses by a factor of nearly 94 to 1 in the FBI's own data. Cybercrime isn't a sideshow to ransomware. It is the show.

Ransom Payments Are Falling

Cowbell also reports that average ransom payments have dropped roughly 44%. Better backup posture and stronger refusals to pay. That's a structural shift, not a cyclical one. If your renewal conversation is anchored on a worst-case million-dollar ransomware scenario, the client is being priced against a threat model the market is moving past.

Ransomware hasn't disappeared. Cowbell still flags it as 19% of claims from 2022 to 2025, and Akira and Qilin together account for 53% of named threat actors in their data. The IC3 report ranks Akira as the single most reported ransomware variant in 2025, with Qilin at number two. Two independent data sources agree on the same villains. Akira in particular leans on VPN and remote-access exploitation against SMEs, which is most broker books. The takeaway isn't that ransomware is gone. It's that it's no longer the modal claim.

Where the Controls Story Breaks Down

If cybercrime is now the dominant claim driver, the controls that matter at underwriting change. 86% of BEC losses moved via wire transfer or ACH in the FBI's 2025 data. That makes out-of-band verification on payment changes the single most important control you can ask a client to demonstrate. DMARC enforcement on inbound email sits next to it. Staff training focused on invoice fraud and executive impersonation. Dual-control sign-off on any new payee in the finance system. None of those get top billing on most cyber supplementals. Ransomware-era applications still lead with EDR deployment and backup frequency.

Those controls aren't wrong. MFA coverage still prevents a large share of credential-driven incidents, and backup maturity still drives extortion severity. But if you close a renewal on a client with strong EDR and a sloppy accounts-payable process, the carrier is covering an exposure you didn't price. APWG's Q4 2025 report shows that wire-transfer BEC attacks observed by its contributing members jumped 136% quarter over quarter. That line item is still accelerating while ransomware frequency flattens out.

The Counter-Argument

It's worth pushing back. Claim frequency isn't severity. A single ransomware event with a business-interruption tail can dwarf five BEC losses on paper, and carriers know that. The IC3 loss numbers also undercount the true cost of ransomware, which often moves through channels other than direct victim complaints to the FBI. That framing is defensible on its own terms.

What it doesn't defend is selling every client the same ransomware narrative. A professional services firm with heavy wire activity is a cybercrime account. A manufacturer with production-line dependency is a business-interruption and extortion account. If your underwriting submission reads identically for both, you're not doing the differentiation the data actually supports.

What to Do at the Next Renewal

Pull the claim mix into the client conversation directly. Cowbell's report is public and recent, from a carrier that actively writes SME cyber. The FBI's IC3 report is a primary-source federal dataset and hard to argue with as a reference. Quote the 33.5% / 31.8% / 18.3% Cowbell split alongside the 94-to-1 BEC-versus-ransomware loss ratio from IC3. Use both to reframe what the client is actually buying coverage against, then walk the controls review from there.

Ask what the company's wire-transfer process looks like and whether finance verifies a vendor change request out of band. Then ask about email authentication and DMARC enforcement. Those questions position you against the claims data the carrier is paying out on, not the headline threat the client remembers from a news cycle.

Brokers who keep selling 2021's ransomware story in 2026 will lose accounts to the ones reading what carriers and federal law enforcement are actually publishing right now.