Howden Re launches its H2 2025 Cyber Threat Report: Analysis of cyber threat trends shaping the risk landscape
Howden Re’s latest Cyber Threat Report highlights a continued rise in extortion activity, fragile digital concentration points and an acceleration of zero-day vulnerability exploitation. Malicious use of GenAI tools was reported in H2, and it appears likely that these tools will help attackers to scale activity and reduce resource constraints. This reinforces the need for adaptive controls and a proactive approach to risk transfer.
“Scale, speed and technology interconnectedness are reshaping cyber risk,” said Luke Foord-Kelcey, Global Head of Cyber at Howden Re. “The rise of AI does not change what good cyber security looks like, but it is a step toward removing resource constraints which may have previously curtailed the scale of cybercriminal activity. This said, both defenders and attackers will leverage these tools.”
Harriet Gruen, Head of Threat Intelligence at Howden Re, added: “Where possible, we link threat intelligence and the risk landscape to insurance exposure data. While more automatable vulnerabilities are being exploited as zero-days, insured companies are patching and remediating software flaws faster than non-insured peers.”
Key findings from the report:
Extortion activity remains high, but the shape is shifting
Extortion activity remained high throughout 2025, with more than 5,000 victims posted to data leak sites (DLSs). Roughly 10% of all victims in each of the most affected sectors mapped to the Howden Re Industry Exposure Database (IED) – suggesting they are insured – with no industry standing out as being disproportionately impacted. While DLS matches to the IED appeared to be driven by large-scale exploitation of enterprise software, including managed file transfer tools and Oracle E-Business Suite, reported ransom payments continued to trend downwards – signalling an increasing resistance to making extortion payments.
Concentration risk via outages and supplier compromises
Technology dependencies allowed attackers to leverage access and exacerbated the impact of accidental outages. Credential-stealing “worms” moving through open-source ecosystems and identity-centric threat actors such as Scattered Spider exploiting SaaS supply chains, reinforced the new reality: access precipitates access.
Costs and consequences are escalating
In H2 2025, cyber breaches triggered litigation, subrogation actions and governance consequences, including legal action against technology providers and reductions in executive bonuses. This reflects a broader shift - where software vendors may be viewed as increasingly accountable for flaws/failures in their products.
New vulnerabilities are increasingly leveraged as zero-days
Nearly 60% of vulnerabilities added to the CISA Known Exploited Vulnerabilities list last year were newly disclosed. Vulnerabilities that are both automatable and exploited quickly by threat actors are the most likely to generate systemic footprints. New vulnerabilities (those with 2025 CVE IDs) were found to be increasingly exploited as zero-days.
AI is amplifying asymmetry, not replacing attackers
Generative AI is likely to accelerate both vulnerability creation and exploitation, lowering barriers for some attackers while increasing pressure on defenders. AI tools could enable widening of the “security poverty line,” amplifying the gap between well-resourced organisations and those unable to sustain baseline cyber resilience.
What this means for 2026
Looking ahead, Howden Re expects increased abuse of SaaS ecosystems, open-source-related incidents and targeted extortion enabled by AI-assisted analysis of stolen data. However, the fundamentals of defence remain unchanged. Patching, segmentation, identity controls and disciplined exposure management will continue to differentiate resilient organisations.
To support analysis of the cyber threat landscape, Howden Re has invested significantly in expanding its cyber team, bringing together specialists across broking, threat intelligence, underwriting and exposure management / actuarial to support clients and the wider market.
To receive timely insights as threats emerge, sign up for Howden Re Cyber Watch alerts.
Sign up here