Cyber attacks are no longer designed solely to cause immediate business disruption.
Instead, they are increasingly engineered to inflict sustained financial, regulatory and reputational damage that lingers well beyond the initial incident, according to a new portfolio study from Resilience, a cyber risk solutions company.
In its 2025 Cyber Risk Report, Resilience said the cyber threat landscape has shifted away from ransomware campaigns centered on encrypting data and toward pure extortion based on data theft.
As a result, the primary risk is no longer simply going offline, the company wrote.
“[It] is the multi-year legal, regulatory, and reputational ‘tail’ that follows a data exposure event,” the report said. “As the business of cybercrime reaches higher maturity levels, the real risk comes not just from disruption—but duration.”
Resilience found that data theft-only attacks rose from 49% of extortion claims in the first half of last year to 65% in the second half. The company described the shift as a move to a strategy centered on stealing sensitive data, threatening to publish it and demanding payment.
That approach diminishes the effectiveness of backup-based defenses, which are “ineffective against the primary threat: reputational and regulatory damage from data exposure,” the report said. Resilience also reported seeing instances in which an insured pays a threat actor to suppress stolen data, only to face class-action litigation after affected individuals are notified of the breach.
And there’s still no guarantee threat actors won’t sell data they were paid to suppress.
Resilience predicted this extortion-only model may represent the majority of extortion incidents by the end of 2026. The insurer said organizations must move from recovery-focused strategies to prevention-focused strategies that include data loss prevention, zero trust architecture, encryption at rest and identity containment.
“Cyber risk is constantly changing,” Vishaal “V8” Hariprasad, co-founder and CEO of Resilience, said in a press release. “As cybercriminals shift their tactics, a new reality is setting in: the real risk is about more than a security incident’s immediate disruption, it’s about the long-tail aftershocks that follow.”
In the report, Resilience urged organizations to “prepare for the reality that successful attacks, driven by the shift from operational disruption to reputational and regulatory exposure, now carry substantially higher financial severity than in previous years.”
Resilience Portfolio Impact
Scattered Spider, a cybercriminal group that targets large companies, made industry headlines for its cross-industry campaigns last summer. The group’s series of attacks on U.K. retailers was felt at Resilience; the company reported that the retail sector went from near-zero material losses in its portfolio in 2024 to one of the top three industries for cyber losses, with an average severity of $2.6 million.
Manufacturing remained the highest total loss industry in Resilience’s portfolio—though average severity declined by approximately 29% from the prior year—and health care remained the highest-severity sector. Combined with retail, these three industries accounted for 68% of all portfolio losses.
This article was previously published by Insurance Journal







