Cyber Insurers’ 2026 Tech Wishlist: Less Phishing, More FIDO Keys


According to Dark Reading, cyber insurers have crunched their 2025 claims data and are issuing new tech recommendations for 2026. The big shift? Claims from third-party vendor outages dropped to just 13%, but phishing-related damages skyrocketed, accounting for a staggering 49% of all payouts in H1 2025 compared to 18% in 2024. Jud Dressler of Resilience says the top tech to deploy is role-based access control to limit damage from breaches. Other key recommendations include ditching unsupported legacy systems, adopting FIDO-based physical security keys for MFA, and implementing zero-trust networking. Insurers also stress that having tools like managed detection and response (MDR) and immutable backups is useless unless companies actually use and test them properly.


The Phishing Problem Gets Expensive

Here’s the thing: the number of phishing claims didn’t go up much, but the cost of each one absolutely exploded. A jump from 18% to 49% of payouts is a 31-percentage-point swing, and it means the attacks that are getting through are far more effective, with insurers footing a much bigger bill. Monica Shokrai from Google Cloud points the finger directly at AI-augmented social engineering, which is making traditional one-time-passcode MFA look pretty feeble. The weakness is structural: a six-digit code is just a string the user can be talked into typing onto a lookalike page, and a proxy can forward it to the real site within the validity window. A FIDO authenticator instead signs over the origin the browser is actually on and a hash of the relying party ID, so an assertion produced on a lookalike domain fails verification at the real site no matter how convincing the lure was. The insurers’ answer is therefore to push policyholders toward FIDO-compliant physical security keys. It’s a classic case of the security goalposts moving because the attackers got better tools. And when the people paying the claims start demanding a specific tech, you know it’s serious.
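To make the OTP-versus-FIDO difference concrete, here is an added example (not code from the Dark Reading article or from any of the insurers quoted). It models a hypothetical relying party at `bank.example` and a lookalike phishing proxy at `bank-example.com`, both invented for the example: a relayed TOTP code is accepted, while a WebAuthn assertion produced on the lookalike page is rejected by the origin and rpIdHash checks. The signature check that follows those steps in the real WebAuthn procedure is omitted, since an assertion that fails them never reaches it.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
import time

# Hypothetical relying party and lookalike domain, constructed for this example.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_assertion(page_origin: str, challenge: bytes) -> dict:
    """Model of what the browser/authenticator returns for navigator.credentials.get().
    The browser, not the page script, fills in `origin` and derives the RP ID from the
    page's own domain, so a phishing page cannot claim to be bank.example. (A real key
    would have no credential scoped to the lookalike domain at all; this models the
    worst case where something is produced and relayed anyway.)"""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1 byte: UP|UV) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn verification steps that precede the
    signature check over authenticatorData || sha256(clientDataJSON)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by most authenticator apps."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def otp_relay_succeeds(secret: bytes, now: int) -> bool:
    """Adversary-in-the-middle phishing: the victim types the current code into the
    lookalike page and the proxy forwards it within the 30-second window. The server
    cannot distinguish the relayed code from one typed on its own page."""
    code_typed_on_phish_page = totp(secret, now)
    return hmac.compare_digest(code_typed_on_phish_page, totp(secret, now))


def fido_relay_result(challenge: bytes) -> tuple[bool, str]:
    """Same proxy, FIDO login: the proxy forwards the real site's challenge, the victim
    touches the key on the lookalike page, and the proxy relays the assertion."""
    return verify_assertion(browser_assertion(PHISH_ORIGIN, challenge), challenge)


def legitimate_login_result(challenge: bytes) -> tuple[bool, str]:
    return verify_assertion(browser_assertion(RP_ORIGIN, challenge), challenge)


if __name__ == "__main__":
    challenge = os.urandom(32)
    print("legitimate FIDO login:", legitimate_login_result(challenge))
    print("FIDO via phishing proxy:", fido_relay_result(challenge))
    print("TOTP via phishing proxy accepted:", otp_relay_succeeds(b"constructed-seed", int(time.time())))
```

The challenge check also stops straightforward replay of a captured assertion, but it is the origin and rpIdHash checks that defeat the live relay, because the browser fills those fields from the page the user is really on rather than from anything the attacker controls.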

Legacy Tech and VPNs Are Bleeding You

This one feels like a broken record, but the data makes it undeniable. Leeann Nicolo from Coalition says incident response still constantly finds systems from as far back as 2008. You can’t patch what the vendor abandoned. And if you’re thinking about your industrial control systems or manufacturing floor PCs, this hits even harder: outdated, niche software that can’t be updated is a sitting duck. Speaking of ducks, traditional VPNs are getting shot to pieces. The stats are brutal: internet-exposed VPN admin panels make you 3-4x more likely to get hit, and VPNs were the initial access vector in 80% of direct ransomware attacks last year. The practical takeaway is that a VPN appliance is an internet-facing server like any other, and its management interface should never be reachable from the open internet at all. The push to zero-trust and SASE models isn’t just hype; it’s a direct response to insurers seeing the same old vulnerabilities exploited over and over.

Buying It Isn’t Using It

Maybe the most important theme in all this is the gap between having a tool and actually using it effectively. Adam Tyra from At-Bay puts it bluntly: “Stop buying more tools and start using what you have.” I think a lot of tech teams will feel called out by that. An unmonitored EDR platform is just a fancy dashboard. MFA that’s not enforced everywhere is a Swiss cheese policy. And an immutable backup you’ve never tested to restore? That’s just wishful thinking. The insurers are screaming for continuous auditing and actual process maturity. It’s not sexy, but it’s what actually lowers risk and, consequently, those ever-climbing premiums. The underlying message is that resilience is an operational discipline, not a shopping list.

The Big Picture Shift

So what’s really changing? The recommendations are evolving from a generic “be more secure” to very specific, data-driven prescriptions based on what’s actually costing money right now. The focus is hardening the interior (role-based access, MDR) because they assume the perimeter will be breached. It’s about damage control, not just prevention. And it’s forcing a cultural shift, too—Dressler’s second priority is a “security mindset,” which isn’t a tech you can buy. Basically, insurers are using their wallet to steer the entire industry toward more defensible architectures and better operational hygiene. The question is, will companies listen before they have to file a claim?
