After years of significant growth in premiums collected by insurers specializing in cybersecurity, 2024 was marked by a first decline, with volumes down an estimated 170 million U.S. dollars. The top five insurers in the market saw their premium volume shrink by 130 million U.S. dollars.
At a webinar held at the end of July, which the Insurance Journal attended, AM Best brought together several experts to discuss developments in the cyber insurance market.
Christopher Graham, senior analyst at AM Best, summarized key points from the agency’s report on U.S. cyber insurance premium trends.
“We do have more insurers in the cyber space now, and the increase in capacity is driving down pricing,” says Graham. In addition, some insurers have raised their risk retention limits, reducing their need for reinsurance. Finally, part of the cyber insurance market has been absorbed through programs offered by foreign insurers.
According to Oliver Brew, head of the cyber practice at Lockton Re, the evolution of cybersecurity threats is evident in criminals’ growing use of generative artificial intelligence (AI). Large-scale phishing campaigns have become much more sophisticated and effective. Moreover, the ability to create fake images or manipulate voices to impersonate someone represents a new risk tied to AI.
Ransomware—malicious software that cripples systems and allows hackers to demand payment—remains a scourge, notes Brew. In the United Kingdom, the national cybersecurity authority reported in its most recent study that such attacks are expected to reach a record high in 2025.
In the first half of 2025, Brew says he observed the arrival of six to eight new players offering cyber insurance capacity. He believes several factors influence insurers’ behaviour toward this risk. First, the fear of missing out when they realize they are absent from a promising market.
Second, cyber insurance helps diversify an insurer’s portfolio and limits exposure to major losses linked to natural catastrophes. And third, growth prospects for the product are also a strong incentive.
Insurers’ behaviour
For his part, Bob Parisi, head of cyber solutions at Munich Re, believes it is becoming increasingly difficult for insurers to assess risk based on company size. “We used to say there were three markets in cyber: for small, mid-sized and large companies, but we’re seeing some of those lines start to blur,” he says.
He also points out that hackers are getting faster at exploiting security breaches. “The average time attackers need to move laterally inside a network after gaining access is down to 48 minutes. The fastest recorded involvement or breakout was 51 seconds,” says Parisi.
Growing capacity also has its drawbacks. “We’re also seeing the occasional walking away from underwriting discipline if it imperiled retaining the renewal,” he adds.
These new capacities, Brew notes, are also available in emerging markets where cybersecurity needs are increasing, such as Asia-Pacific, the Middle East and North Africa. Several London-based insurers have even opened offices in Dubai, United Arab Emirates, to serve these new clients.
“One of the great advantages of cyber insurance is that it moves from an indemnity paper policy into a much more complete value proposition—an end-to-end service based for risk management and pre-loss services as well as the post-loss recovery,” Brew observes.
Pricing models are constantly updated, but their main limitation remains, stresses Parisi: there have still been relatively few major claims where a virus caused systemic outages affecting large companies across several regions at the same time. While hoping no one to endure or pay for a major loss, the Munich Re expert reminds that indemnity is the very purpose of insurance.
The greatest challenge for a cyber underwriter is keeping up with the pace of technological change. “When Gutenberg invented the printing press and produced that first Bible, it was roughly several decades, even close to a century, before the printing press was widely accepted, widely distributed and wasn’t viewed as somehow evil. AI is actually changing and evolving even as I started answering your question,” says Parisi.
The very large number of insurers in the market, each with its own actuarial models, makes for a fragmented landscape, adds Parisi. Within two years, he expects more discipline will take hold as understanding of cyber risk improves. As a result, much of the policy wording will become standardized across insurers, regardless of company size.
Market evolution
On exclusions, there is nothing new on the horizon, according to Parisi. Two years ago, many insurers explicitly excluded war damages. “No one ever thought war itself was covered, but we went down a large path trying to redefine what war really means in the cyberage,” he says.
On the same issue, Brew notes that debates over so-called silent cyber exposures have been going on for years. The NotPetya virus had repercussions years later on liability linked to business interruption. “I think there’s been improved clarity around drawing the boundaries of what goes into a cyber policy and what is part of a traditional property and casualty policy,” he says.
Why is the share of SMEs buying protection against cybercrime risk so low? According to Brew, the industry as a whole must do a better job of explaining the product and doing business owners understand that their commercial general liability (CGL) policy will not cover damages from a cyber incident.
The product needs to be better packaged and offered at an affordable price so SME leaders are willing to buy it, he continues. Finally, underinsurance also stems from a lack of knowledge about cyber risk, Brew adds.
Even if today’s soft market in cyber insurance is coming to an end, Parisi believes some stability could emerge. Coverage limits, insurer capacity and pricing determine whether the market is hard or soft. If premiums are no longer falling, the two other factors are still at play. New capacity is still available, and coverage is being maintained—or even expanded.
This article is a Magazine Supplement of the October 2025 issue of the Insurance Journal.