AXIS Cyber Risk Advisory INCYTE Newsletter
AXIS Incident Commander Corner
AXIS Incident Commander provides 24/7 technical triage and support to customers facing cyber incidents. We distill our front-line experiences into key lessons for all.
Incident Commander has recently initiated a review of first-party cyber claims data to derive actionable insights that help customers, distribution partners, and AXIS. Preliminary analysis of 1H 2025 claims data revealed a notable trend: in ransomware and network intrusion incidents, phishing and social engineering attacks were the second most common root cause, surpassed only by vulnerabilities associated with Virtual Private Networks (VPNs).
Further investigation uncovered that:
- Several customer VPNs were found to be unpatched, exposing systems to known vulnerabilities
- Some lacked fully implemented Multifactor Authentication (MFA), or had MFA only partially enabled
Call to Action for Brokers:
- Brokers are encouraged to proactively advise their customers to maintain a consistent patching schedule and conduct regular security testing. These measures are critical to reducing the risk of ransomware and network intrusion claims.
In the first half of 2025, analysis of Microsoft 365 Business Email Compromise (BEC) claims revealed a concerning oversight: while the overall percentage is modest, over 11% of claims indicated that the Microsoft 365 Unified Audit Log (UAL) was not enabled within the affected email tenants.
The UAL is a critical forensic tool in BEC investigations. Without it, Digital Forensics and Incident Response (DFIR) partners are significantly limited in their ability to conduct a comprehensive, evidence-based review of the incident.
Call to Action for Brokers:
- Given that retention periods vary by M365 license type, brokers should strongly encourage clients to enable the Unified Audit Log for a minimum of 90 days. This proactive step enhances investigative capabilities and supports more effective incident response.
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. Cyber incident examples may be based on actual cases, composites of actual cases or hypothetical claim scenarios and are provided for illustrative purposes only. Facts may have been changed to protect the confidentiality of the parties. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.
The practices, services or service provider(s) discussed herein are suggested as risk mitigation or incident response resources only. Use of any practice, service or service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract, or compliance with any law, rule, or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any practice, service or service provider as part of its overall risk management strategy.
For information about our products and underwriting companies, please see https://www.axiscapital.com/product-information