Driven by intense competition for market share, cyber insurance rates are at the lowest they've been in half a decade. Capacity is high, with many new entrants joining competitors in both the admitted and non-admitted markets — all of them tasked to contend with a threat landscape that's constantly evolving.

Yet with rates flat or down in most cases and statistics showing AI-powered cybercrime ramping up in the past year, carriers have reached a point at which pricing will likely have to shift to become more commensurate with the increasing scale of risk, especially among U.S.-based clients.

The question is: When?

Evolutionary theory

To fully understand the current state of the cyber insurance market, one has to go back several years to a time when cyberattacks were on the rise, sizable losses were more common, and P&C insurers quickly discovered that severe rate adjustments were in order.

As the rise of ransomware activity in 2019 and 2020 impacted the profitability of cyber portfolios, the market made significant rate corrections in 2021 and 2022. Some market reports observed a compounded rate change over that span in excess of 250%.

That frequency and severity of ransomware attacks also led to some retractions in coverage, higher retentions, co-insurance in some cases, and lower sublimits, says Steve Robinson, National Cyber Practice Leader for Risk Placement Services (RPS). In order to remain insurable, clients responded by significantly improving their security controls.

In 2022, however, the P&C industry saw a reversal of those rate trends, Robinson adds, noting one contributing factor in particular: Once hostilities intensified after Russia's invasion of Ukraine, many threat-actor groups whose efforts otherwise might have been centered toward U.S. targets were refocused on the conflict at hand.

At the same time, carriers and clients alike began developing stricter, more widely adopted risk-mitigation practices, which over the past three years led to fewer widespread losses among cyber insurers. In recent quarters, rate decreases have slowed, with low single-digit decreases the norm.

“The rate environment in the cyber market has been on a bit of a rollercoaster over the past five years,” says Mike Colford, Westfield Specialty's Senior Vice President/Cyber Product Leader.

Today, market rates remain relatively adequate compared to five years ago, he adds, “but I think we are finally hitting an inflection point where carriers need to understand how these market dynamics will continue to impact their portfolio growth and profitability targets into the future.”

Maximum capacity

Despite the market fluctuations of the past five years, capacity has rebounded and remains strong. The cyber insurance space has seen an influx of capital as capital investors and new markets sought to capitalize on market opportunity and take advantage of the favorable rate environment. (It's also worth noting that many of these newer entrants in the cyber market don't have to deal with the tail risk that impacted legacy portfolios following the 2019-2020 surge in ransomware attacks.)

With so much capacity available, limits are high. Markets that were previously only offering a $1 million or a $2 million limit have since gone to $5 million. Particularly on larger national account business, $10 million limit deployments have become the norm while large blocks of primary and excess capacity in excess of $25 million limits have also returned, says Colford.

“The argument can be made that some of these larger companies remain under-insured following contraction during the hard market, but we are seeing that improve as they are starting to reinvest premium savings in order to purchase higher limits and return to their pre-hard market capacity levels,” Colford adds.

Retail, technology, health care and financial services clients are among the outliers that will continue to maintain flat to slight rate increases as they grow their insurance towers, says George Kotsiopoulos, President of Insurance at Resilience, a leading cyber risk solution company founded by experts from the U.S. military and intelligence communities. “A lot of those types of clients are taking advantage of the current rates and are increasing their limit purchased,” he adds.

In the middle market, premium savings and relatively favorable loss experience over the past few years have likewise allowed these insureds to increase their limits.

“It's a buyers' market, that's for sure,” says Erin Halchak, Chief Underwriting Officer for Cyber at Liberty Mutual. “This is a good time for insureds to expand their programs, due to the amount of capacity available.”

One of the factors contributing to lower rates is shared emphasis between carriers and clients on improving the cyber hygiene of the insured, says Halchak. Full embrace of best practices in cyber risk mitigation, she explains, has to be part of the client's corporate culture; access to services is provided to the insured with their policies.

“Much of the time, insureds don't realize what their vulnerabilities are. It's a complex matrix of exposures,” she adds. “In the past several years, we've seen a positive trend of clients sharpening their cyber hygiene. Now, it's rare to see a risk that doesn't have best-in-class controls.”

Where once there were risks that seemed uninsurable, “Now it's, 'name the price,'” says Kotsiopoulos.

“As an industry, we need to do a better job of improving the client's cyber risk hygiene throughout the policy term — identifying and addressing their vulnerabilities, which leads to better terms and conditions,” he adds.

Cyber sells, but who's buying?

While the cyber insurance market possesses more than its share of competitors, in some sectors the number of potential clients remains just that: potential. Halchak points out that the growth forecast for the cyber insurance market during the pandemic has yet to manifest.

“At that time, economists were saying that cyber would be a growth market for the insurance industry,” she says. “We've seen a lot of new entrants seeking market share, but the industry is not seeing all the new buyers that were expected. That said, I do think that in time the cyber market will hit the growth targets that have been projected.”

One client segment that was expected to contribute to further growth among cyber policyholders, she notes, is small to midsize businesses, which to date have not embraced the protections that cyber coverage provides. That is ironic, given that those businesses are perhaps most at risk for severe economic loss from a ransomware attack.

The hurdle, however, is in convincing small to midsize businesses that their risk of suffering a devastating loss is real. “The mindset is, 'it won't happen to me,'” says Kotsiopoulos.

“Cyber risk is not just a big business problem,” says Melissa Carmichael, Head of U.S. Cyber for Beazley. “Smaller and mid-size businesses must also recognize that they are on the frontlines when it comes to cyber risk, and ensure they have the insurance that is as robust as the accelerating cyber threat.”

Shawn Ram, Chief Revenue Officer at cyber insurer Coalition, notes that small to midsized businesses are a frequent target “because they have fewer resources, often lack the core security controls (like multi-factor authentication), and attackers view them as a low-hanging fruit and easier payday. Our research found that many SMBs believe they are too small to be a target, but this is not the case.”

In fact, he notes, organizations with revenues of less than $25 million accounted for 64% of cyber claims in 2024.

“In the SME segment we have seen a material increase in market penetration, but this still lags behind the larger segments,” says Colford.

He adds that improvement in the types of services provided to these insureds will inspire take-up. “In addition to the traditional risk transfer that insurance provides, the cyber market has also added robust pre-incident risk management services to better support the cyber controls profile of insureds while also helping them prepare in the event that a cyber incident occurs.”

Attack speed accelerates

As premiums have fallen, activity among threat actors has only increased.

Consider that phishing e-mail attacks increased by 202% in the second half of 2024, according to SlashNext's “Prepare for 2025: 2024 Phishing Intelligence Report.” Credential phishing attacks (which prompt victims to enter their login information to gain access) increased by more than 700% over the same time period.

During the first quarter of 2025, cyber attacks worldwide increased by 47% to reach an average of 1,925 weekly attacks, according to Risk Placement Services' 2025 Cyber Market Outlook report.

Those attacks were spread across a variety of sectors, with education seeing the most (4,484 per week on average), followed by government systems (2,678) and telecommunications companies (2,664). Researchers note the prevalence of financially motivated attacks, utilizing sophisticated social engineering tactics involving fund-transfer fraud and invoice manipulation.

Ransomware, which is expected to cost victims as much as $275 billion annually by 2031, also remains a significant concern, with one report citing attacks up 126% so far this year and North America accounting for 62% of global targets, with threat actors increasingly targeting consumer goods and services, RPS reports.

“AI is supercharging threat actors, creating an uneven playing field for companies on the defense. The public sector should be more aware of that,” says Kotsiopoulos. “Law firms are duly prepared to file class actions after ransomware events. We've seen an uptick in that activity in the last year.”

“Our research shows that 79% of firms are looking to improve their cyber security with third-party suppliers, and 37% are planning to invest in improved cyber security this year,” says Carmichael. “This investment is needed, as organizations are facing increasingly sophisticated threat actors, bolstered by AI.”

Ironically, while the average cost of a data breach has reached a five-year low of $4.44 million worldwide (due to faster breach containment driven by AI-powered defenses), the U.S. is bucking that trend, according to IBM's “Cost of a Data Breach Report 2025.” In the States, the average breach cost is more than twice as high (past $10m), driven by steeper regulatory penalties and rising detection costs.

Colford says that the biggest factor driving the cost of cyber claims is the increase in regulatory actions and third-party litigation following an incident.

Because insureds have become more resilient and able to effectively restore their systems from backups, threat actors have shifted their focus from encrypting systems and demanding significant ransoms to exfiltrating large amounts of data, he explains: “The increase in the exfiltration of data has resulted in more privacy exposures and class action litigation, which can carry high costs for legal defense and increasing potential damages.”

This rise of data exfiltration, also known as “double extortion,” is a significant driver of claims costs.

As Ram at Coalition explains, “Exfiltration adds further costs that don’t exist when attackers only encrypt files. For example, data forensics and incident response teams focus on identifying the root cause and confirming that the provided decryption keys work with encryption cases. But with exfiltration, they must also focus on data mining to identify whose data was compromised and prove that the data was not exfiltrated. Otherwise, they need to assume the worst.”

With encryption, the primary costs are related to restoration and business interruption. However, when attackers steal data, “businesses must also consider the regulatory repercussions, customer notifications, and other related consequences,” he adds. “With exfiltration, an operational crisis also becomes a reputational crisis.”

The exploitation of edge devices (ones that provide an entry point into enterprise or service provider core networks) presents an increasingly large threat, says Carmichael at Beazley.

“Previous generations of attackers focused on gaining network access through endpoints like workstations and servers, using phishing e-mails or stolen credentials or the installation of back doors,” she says. “But as organizations and vendors have improved endpoint security, attackers have expanded their repertoire to include an increasing focus on edge devices that may be out of date, unpatched, or otherwise vulnerable.”

“Non-malicious” privacy events also continue to rise. These include regulatory fines and class action litigation around the wrongful collection and misuse of personal information.

“Often these claims arise from the business practices of the insured, and involve allegations that the insured did not properly obtain the consent of their customers to collect, use, and share that information,” says Colford. “These kinds of claims often involve significant defense costs for the carrier and potential multi-million-dollar damages or settlements, some of which may exceed tens of millions of dollars.”

Robinson notes that one of the reasons why rates remain favorable, aside from overall improvement in risk-mitigation practices, is because a multitude of more wide-reaching, massive, horizontal loss events has yet to occur domestically. “The more high-profile [cyber] losses (with few exceptions) we've seen have largely been vertical and isolated, not occurring among multiple industries simultaneously,” he says.

Yet, as he points out, one major loss event that would reach across several different industries, or, short of that, even one that affects a high number of insureds in one sector (healthcare, for example), could potentially move the needle on pricing for cyber coverage.

“All it takes is one vendor, one software company with wide market share that serves multiple clients in multiple industry verticals, to be compromised, and it could cause a cascade of loss events,” says Robinson.

AI enters the chat

As cyber perpetrators continue to develop new ways to leverage artificial intelligence in their work, policy endorsements and exclusions specific to AI are now an ongoing conversation among underwriters.

For example, Robinson notes that clarifications are being issued around social engineering crimes in which deepfake videos or synthetically created voices are used. Even an organization's in-house use of AI tools, Robinson notes, creates exposures that insureds might not foresee: “When you have an insured that isn't a professional services organization deploying AI in customer-facing applications, from providing advice to filtering resumes, if something goes wrong with that model they could create legal liabilities that they're not expecting.”

Policy language pertaining to AI is — like the technology itself — still evolving.

“Think about the blazing speed at which AI has come into our industry,” Robinson says. “You've got this rapid development of new technology, which inspires an ongoing dialogue across coverage lines over which policy triggers as a result. Will AI-fueled losses fall more on the cyber or the professional liability side, or will D&O and other coverage areas respond? And the answer is, yes.”

Recent developments in AI regulation at the state level have seen a great number of U.S. states proposing or adopting AI governance legislation, according to Gallagher's “Artificial Intelligence Regulations and Cyber Insurance Implications” Risk Bulletin. Colorado passed the first AI regulation of this kind, the Colorado Artificial Intelligence Act, which goes into effect on Feb. 1, 2026, and is likely to inspire similar legislation in other states.

The statute focuses on AI systems that may impact consequential decisions that have a material impact on areas related to employment, financing, health services, housing or insurance, regulating high-risk systems and preventing algorithmic discrimination, Gallagher reports.

Trends in other state-sponsored legislation focus on consumer protections when AI is used for profiling and automated decisions; use of AI for hiring and in employment contexts; deceptive media or deepfake videos; and forming AI task forces or groups devoted to understanding the impact of AI.

At the federal level, executive orders have emphasized varying focuses from ensuring the safety and privacy of AI to removing barriers to innovation in the private sector. Congress has issued more than 100 bills related to AI use: most focus on transparency and accountability aimed at consumer protection, while others target specific industries, including marketing, healthcare and education, among others.

Digital optimism

Meanwhile, executives remain hopeful that the cyber market will harden — albeit slowly — in the coming years. “I believe we are starting to see rates level out a bit as we close out 2025,” says Colford.

Halchak also remains cautiously optimistic: “Carriers do not enjoy three cycles of rate decreases, but at some point the market will firm up.”

Kotsiopoulos says he expects rates to stabilize in 2026, “though we don't expect significant rate increases due to the influx of new capacity.”

In the meantime, he is hopeful that fellow cyber insurers price their protections mindfully as they continue to seek market share. With low-single-digit rate reductions common industrywide, he adds, “we're not at the bottom yet, but from an actual-price-to-technical-price perspective, we're getting close to it.”

Award-winning writer and editor Shawn Moynihan is a seasoned insurance journalist and former editor-in-chief of PropertyCasualty360.com.
