Tokio Marine HCC International (TMHCCI) has released its sixth consecutive annual Top 10 Cyber Incidents Report, highlighting the 2025 events it believes will be most consequential for cyber insurers and their clients.
It again emphasized three recurring themes: ransomware, technology supply-chain compromise and the concentration risk posed by a small number of hyperscale cloud and platform providers.
M&S and Jaguar Land Rover (JLR) exemplified the real‑economy fallout. A ransomware attack on Marks & Spencer led to an estimated £300 million hit to operating profit and significant disruption to food logistics and online sales, with much of the impact stemming from a prolonged shutdown of its online clothing business. TMHCCI also pointed to the ransomware event at JLR, which forced shutdowns across its production network and was described as the most economically damaging cyber incident to hit the UK to date, with one estimate putting the wider cost at £1.9 billion.
Cloud concentration and SaaS dependence were another focal point. Multiple outages at Cloudflare in 2025, including a June failure affecting its Workers KV storage and a November bot‑management configuration bug, triggered globally significant disruptions. These incidents briefly took offline or degraded services at platforms including ChatGPT, X and Canva, illustrating how short‑lived outages at providers carrying a large share of global web traffic could generate systemic business interruption losses.
Supply‑chain attacks and data breaches also dominated TMHCCI’s list. One case involved attackers abusing OAuth tokens to access hundreds of Salesforce environments via marketing‑automation provider Drift, while another centered on a poisoned npm JavaScript component used for credential theft across developer and enterprise environments. The report further referenced an alleged breach of Oracle’s cloud platform affecting millions of records and more than 100,000 tenants, underscoring the accumulation risk around shared vendors and open‑source ecosystems.
In telecoms and luxury, TMHCCI highlighted SK Telecom’s breach, in which attackers maintained access for years and exposed data on tens of millions of users, driving SIM‑cloning risk and customer churn. Luxury group Kering also featured, following an incident in which hackers accessed limited customer data, reportedly linked to the Shiny Hunters ransomware group.
The report’s “Bonus Track” turned to AI governance. TMHCCI flagged an AI‑orchestrated APT campaign as an early signal of the volume and sophistication of AI‑enabled threats and argued that, for cyber underwriters, clients’ AI deployment and governance would quickly become as critical as traditional controls.
THCCI said it expected the convergence of AI‑driven attacks, cloud concentration and technology‑supply‑chain exposures to remain a defining theme for the cyber re/insurance market in 2026 and beyond.
