Cyberattacks are getting worse, and the costs are hitting companies harder than ever, a new report from Aon shows. In 2024, reported cyber incidents jumped by 22% compared to the year before. These incidents ranged from ransomware attacks to business interruptions and legal troubles. In the U.S. alone, there were 1,228 reported cases among Aon’s clients, marking the biggest increase in years.
What’s surprising is that while ransomware attacks became more common, the average ransom paid by companies fell by 77%. Mid-sized businesses reported more claims than any other group, making up over half of all incidents.
The report highlights that the damage from a cyberattack goes far beyond immediate cleanup or ransom costs. When a company’s reputation takes a hit, its stock value can drop sharply—on average by 27%. These reputation hits are tough to cover with insurance, which means managing and preventing them is crucial.
Certain types of cyberattacks are more likely to hurt a company’s reputation. Malware and ransomware, for example, account for about 60% of reputation-damaging cyber events, even though they only make up 45% of all cyber incidents. Malware attacks happen most often but have a somewhat smaller effect on shareholder value when they do impact reputation. Other attacks, like system exploits, are less likely to damage reputation.
The media often picks up on these stories, especially when consumers might be affected or when there’s public outrage. Aon reviewed over 1,400 cyber incidents reported in the news last year, and found that more than 95% were malicious attacks. Out of those, 56 became major reputation problems that led to big losses in stock value.
Insurance companies are now paying closer attention to how well organizations prepare against cyber risks. Clients who invested in stronger security controls saw a 9% improvement in what experts call critical or “red flag” controls. These controls can influence whether a company can get insurance and on what terms. Insurance firms are becoming smarter about assessing risks based on how mature a company’s cyber defenses are and how they tell their risk story.
In short, companies need to focus more on preventing attacks and protecting their reputation if they want to avoid the expensive fallout that goes far beyond just paying a ransom. The cyber threat keeps growing, and just fixing problems after they happen is no longer enough.