As we embark on a fresh new year, many signs show that the Cyber insurance market is continuing to mature. Since the inception of the coverage as a standalone product, Cyber insurance has largely been viewed as finding its way, particularly compared to its far more seasoned coverage contemporaries such as Property, General Liability and virtually all other executive liability coverages.

While this reputation may persist simply because of the product's youth, we continue to see signs of growth.

Areas of Growth for Cyber insurance

Coverage Constancy

Gone is the breakneck pace of coverage innovation that we witnessed from 2013 through 2019. Today, while the risks and associated claims are always evolving, lately the policy language that addresses these risks has remained relatively consistent. The coverage grants in Cyber policies are proving sufficiently broad to handle a wide array of privacy and digital risks. Where much of the innovation in the product's infancy was aimed at broadening coverage, more recent changes have narrowed the scope in areas such as biometric information privacy, website tracking software and business interruption from supply chain providers.

The next wave of affirmative coverage expansion is already occurring in artificial intelligence (AI} and machine learning, where threat actors employ these tools to execute their attacks. AI is already covered in many policies, but we're seeing a trend develop for affirmative coverage grants — particularly in privacy and security liability insuring agreements, in addition to social engineering and cyber deception.

Application consistency

Another sign of a maturing product is revealed through the underwriting questions and process used to assess the risk. After creating a more technical approach — with questions about practices involving remote system access controls, data segmentation, email protections and event monitoring software — in addition to the use of outward-facing network infrastructure scans — we've seen more consistency in underwriting. No carriers are adding three more pages of questions to get the answers they're looking for. That's not to say that unforeseen events won't inform future application requirements, but for now, there's been some consistency.

Rate Leveling

Profitability continues to benefit from the significant rate increases applied by insurers in 2021 and 2022 on the heels of the ransomware epidemic. And, while 2023 and 2024 saw some rate softening,1 we're witnessing a leveling of rate changes. Significant movement in rates is now more specifically tied to insurer profitability within specific verticals, such as car dealerships for insurers with outsized exposure to the CDK ransomware attack.2 Whether or not we will we see a similar effect in the K-12 education vertical,3 proportionate to insurer exposure in a late 2024 breach, remains to be seen.

Aggregate Event Resilience

The Cyber insurance market has withstood the stress of "micro-agg" events that third-party vendors experienced in the healthcare, automotive and education sectors, which had a ripple effect throughout the market. This resilience is yet another sign that underwriting processes and pricing models have matured in the Cyber insurance space.

Cyber Underwriting Trends

While Cyber insurance as a product line continues to mature, so too do the tactics underwriters employ to manage the risk. Here are the trends we're seeing today.

More "Inside-Out" Underwriting

When policyholders permit, underwriters can gain much greater insight into the data hygiene practices and vulnerability exposures of an organization when they can see behind the firewall. Verifying multifactor authentication (MFA) implementation and the presence of tools for endpoint, managed and extended detection and response (EDR/MDR/XDR) provide a higher degree of confidence than a traditional PDF application can provide. While underwriters prefer this transparency, many policyholders are still reluctant to allow this kind of insight.

More Focus on EDR/MDR/XDR and 24/7 Security Operations for Middle Market and Large Risk

With increased claims frequency, underwriters want to know that insureds are monitoring all activity around the clock, identifying anomalies and proactively countering threats before unauthorized access occurs. This 24/7 monitoring is where a security operations center (SOC) becomes critical, allowing monitoring and proactive defense to continue beyond 5 p.m. on a Friday. Answers on Cyber insurance applications that contain the phrase "ad-hoc" or "email alerts" are no longer going to cut it for insureds outside the small- to midsize enterprise (SME) sector.

Looser Control Requirements on Certain SME Industry Verticals

As underwriters continue to benefit from claims data insight — coupled with the need for growth in the Cyber insurance sector — some underwriters are more likely to reduce requirements for coverage eligibility than before. Particularly in the sub-$25M insured revenue space, it's become easier to get coverage for organizations that still lag in controls such as MFA.

Questions About Third-Party Vendors

Because 2024 brought a plethora of high-profile third-party vendor events — both malicious and accidental — underwriters are increasingly trying to measure the potential for horizontal events that can affect hundreds or thousands of their insureds simultaneously. As a result, we're seeing more questions about the vendors insureds use for information security, software-as-a-service (SaaS) and data hosting. It remains to be seen how insurers will incorporate "vendor fencing" into underwriting standards. That is, when and how insurers will determine an oversaturated exposure to specific vendors, and the resultant impact on risk acceptability.

Increased Capacity

As we have reported in previous quarterly Cyber insurance updates, with increased capacity in the market, we can more easily obtain $5M and $10M primary and excess limits for insureds than in previous years. While higher limits still can present challenges for certain insurers — and for certain sectors such as public entity, education and healthcare — our ability to source adequate capacity has improved greatly. Incorporating data analytics tools in the pre-underwriting process has helped immensely. We're now can source not only the necessary limits, but also have better conversations with insureds about why they need the limits we're recommending.

Coverage Expansion

In the face of varied supply chain and third-party vendor attacks, the importance of obtaining the broadest possible language for the "who" and the "how" of business interruption coverage is essential. In this case, the "who" are IT service providers and non-IT service providers. The "how" are the triggers for coverage: security failure, system failure and operational error.

Because IT vendors have long been the focus of dependent business interruption, last year's ransomware attack on a medical billings company showed that insureds are well served to have this broadened coverage apply to non-IT vendors as well. While the billing function occurred in an online environment, insurers didn't consider it an IT provider, but rather a medical billings company. Minute details can have significant coverage implications, because many Cyber insurance policies either didn't have that expansion of business interruption coverage, or, if they did, many were offered at lower sub-limits.

It will be interesting to see the push-pull of consumer demand vs carrier discipline in this area, as every industry vertical has its own market share leader that could be causing next micro-agg event.

Carrier Dynamics

Carrier dynamics in today's Cyber insurance market are best described as "varied." Increased capacity has been further demonstrated by several new managed general agents (MGAs) entering the market in recent months. Additionally, mergers or partnerships between insurtechs and traditional insurers have created welcome combinations of innovation and stability. While new entrants, diversified capital availability and mergers are contributing to this varied dynamic, so too are certain players making moves in different directions — in some cases, away from the admitted space altogether.

We're seeing an increasing focus on insurers providing EDR/MDR/XDR solutions directly to insureds.4 Some automatically include the service with the cost built in for insureds who wish to engage, while others are offered at an additional, per-user/per-month expense, creating new revenue streams for carriers that perhaps found growth a challenge in the softening rate environment of the past two years.

Take-up rates are generally held close to the vest as insurers try to navigate the dynamics of an insured population that wants to improve their infosec posture, but can, at times, be reticent to have additional eyes behind the firewall — particularly those whose very job it will be to indemnify them if the technology they provide ultimately fails.

As a wholesale broker, RPS regularly fields questions from our retail agent customers regarding the "what-ifs" of coupling cyber technology solutions with insurance coverage. Among the questions:

  • What if the very event you're insuring is caused by a failure in the security solution your insurer sold you?
  • How can the two be "un-joined" when market pricing causes insureds to seek more affordable solutions?
  • I'm an insurance agent, not a technology consultant, so how can I recommend one solution over another when suddenly we're not talking about insurance anymore?

Regardless of on which side of the argument you sit, the fact remains that insurers continue to be a major catalyst of positive change in the cyber risk posture of businesses both small and large.

This combination of freshness, familiarity, creativity and change of strategic direction will surely lead to changes in ways not yet fully understood. What is more certain, is that the pace of change will remain swift as the Cyber insurance market continues to develop — much like the nature of the risk it's insuring.

Cyber Claims Trends

AI and Financial Fraud

When it comes to AI and financial fraud, the Federal Bureau of Investigation (FBI) provides several tips for individuals to protect themselves:
  • Create a secret word or phrase with your family to verify their identity.
  • Look for subtle imperfections in images and videos, such as distorted hands or feet, unrealistic teeth or eyes, indistinct or irregular faces, unrealistic accessories such as glasses or jewelry, inaccurate shadows, watermarks, lag time, voice matching, and unrealistic movements.
  • Listen closely to the tone and word choice to distinguish between a legitimate phone call from a loved one and an AI-generated vocal cloning.
  • If possible, limit online content of your image or voice, make social media accounts private and limit followers to people you know to minimize fraudsters' capabilities to use generative AI software to create fraudulent identities for social engineering.
  • Verify the identity of the person calling you by hanging up, researching the contact of the bank or organization purporting to call you and then calling the phone number directly.
  • Never share sensitive information with people you've met only online or over the phone.
  • Don't send money, gift cards, cryptocurrency or other assets to people you don't know or have met only online or over the phone.
If you believe you've been a victim of a financial fraud scheme, file a report with the FBI's Internet Crime Complaint Center.

On the Cyber insurance claims front, 2025 opened with a bang. As a direct reflection of the news headlines, we're witnessing significant surge in claims frequency, predominantly resulting from third-party vendor incidents. SaaS platforms that cater to specific industry verticals have accounted for the lion's share of these incidents. Some involve ransomware and restricted network access, others are more data breach-focused, but reports allege the presence of an extortion nonetheless. As the facts differ, so too do the various ways Cyber insurance policies respond.

Third-party vendor incidents causing significant network downtime are resulting in protracted claims timelines as business interruption losses are accounted for and negotiated.

We're noting some interesting trends in the RPS SME Cyber insurance internal customer base when it comes to claims activity:

  • Business Interruption losses are up a staggering 72% over 2023.
  • Litigation settlements are up more than 74% over 2023.
  • The frequency of ransomware events remains high, victims are less likely to pay, and the average payment amount remains north of $300,000 for businesses with less than $100M in annual revenues.
  • The top five drivers for Cyber claims expenses among our SME client base are:
    1. Breach counsel
    2. Forensic investigation
    3. Payment fraud
    4. Extortion payment
    5. Defense counsel

Not surprisingly, because customers can't access their networks and data when the host systems are down, income losses mount quickly. Additionally, as Business Interruption insuring agreements have continued to expand coverage for the "who" and the "how," Cyber insurance policies are responding. We expect that our next market update could see business interruption loss creep into the top five drivers for total claims expenses.

Notable also is the uptick in litigation for privacy incidents. Since the inception of Cyber insurance coverage, the first-party side of the policy has garnered the most attention for the "red phone" services available to reimburse those affected, returning them to operational normalcy as quickly as possible. Now, we're seeing increased discussions about Liability insuring agreements and policy wording as the regulatory landscape continues to evolve and class action privacy lawsuits are on the rise.

Our colleagues at data privacy law firm Mullen Coughlin provide some additional insight about privacy and cybersecurity incidents for clients they assisted in 2024, in their proprietary report Mullen Coughlin Matter Statistics 2021-2024.

  • Business email compromise (BEC) incidents were up more than 19% over 2023. As a BEC is often the doorway threat actors walk through to execute social engineering financial scams, this data correlates with RPS claims data showing payment fraud losses in the top five category.
  • Ransomware frequency continues to escalate, up 14% over 2023, inching closer to 2021 highs.
  • Median ransomware payments increased 32.5% in 2024.
  • Total incident count was up nearly 10% over 2023.

Insights gleaned from claims data from wholesale brokers such as RPS and law firms such as Mullen Coughlin underscore the importance of continual improvement in cybersecurity practices, particularly as the ability of threat actors are super-charged with the continued development of AI.5

On the Horizon in the Cyber Insurance World

With overall claims frequency up, median ransomware payments on the rise, BEC events skyrocketing and business interruption losses piling up, here are some things we see on the horizon.

Increased Focus on Cyber Insurance Application Data and Its Relevance in Claims Adjudication

The days of having an admin person complete a Cyber insurance application are over. Professionals in IT, legal, finance, HR, marketing and risk management should be involved to provide accurate insights into the business's or organization's information security and privacy practices. A small business that doesn't have the luxury of a fully stacked C-suite in all of these disciplines should, at the very least, employ the services of a credentialed managed service provider for an accurate read on your information security posture.

As Cyber insurance applications have more technical specifications, we're seeing a difference between what's represented in applications and the facts that unfold in the forensic investigation of an incident. These differences can lead to unfavorable results, ranging from claim denial and policy recension (worst-case scenario) to the retroactive application of sub-limits and/or co-insurance. Involving experts on the front end could help avoid these situations on the back end.

A Hard-Line on the Use of Pre-Approved Vendors for Cyber Incidents

As many cyber insurers reported slowing growth rates in cyber due to a softening rate environment,6 managing costs becomes more critical to protecting loss ratios. Insurers assemble their cyber security vendor panels to ensure the best outcome for their insureds. Insurers are far less willing to pay when insureds chose their own firms and look for reimbursement after the fact. As a result, allowances for businesses that engage vendors such as IT forensics or law firms without first securing their insurer's approval will be less common.

This underscores the importance of having conversations of this nature when a Cyber insurance policy is first purchased, or at renewal — not after an incident.

More Sector-Specific Micro-Agg Events

Every industry vertical uses technology platforms. And every vertical has a leader. When one vendor has significant market share in a segment and that vendor experiences a data breach, a system malfunction or an attack that makes their platform inaccessible, the pain cascades horizontally through the entire sector.

We've seen this play out in the healthcare sector, auto dealer industry2 and in K-12 education.3 We expect to see similar events on the horizon in verticals such as financial services, manufacturing and hospitality. From a Cyber insurance underwriting perspective, look for more questions about vendors, contractual risk transfer and redundancies to account for over-reliance on any one provider.

Continued Influence of AI — for Bad and for Good

Yes, AI is in all the headlines and developing at a breakneck pace. Predicting the continued influence of AI is indeed a safe prediction. It will be interesting to see how cybercriminals use AI to more efficiently (and believably) execute their crimes and distribute attacks on an increasingly wide scale.7

Equally as interesting will be how cybersecurity firms use AI to help prevent attacks, recognize patterns and analyze attacks for future prevention purposes. Lastly, we're already witnessing the rise of AI in our own industry to analyze risk, underwrite more precisely and predict and manage losses.8

We've taken a pause on predictions about rate expectancy for Cyber insurance. When the confluence of a heightened threat environment, the proliferation of AI-enabled attacks, increasing claims costs and decreasing premiums are in play, we feel at times that common sense in this area has left the building. While factors such as a diversified capital base, increased capacity and the need for top-line growth from investor-backed insurance players push rates lower, we expect the market to find more equilibrium in the coming months.

Regardless of how rates develop, we'll continue helping our agents help their insureds in this ever-changing, increasingly important area of coverage. Now more than ever, it's essential that agents work with an expert to ensure the best outcomes for clients. With hundreds of millions of dollars in cyber premiums placed for tens of thousands of insureds, RPS stands ready to help agents help their clients prepare for what's possible.

Contributor Information

Sources

1Townsend, Kevin. "Cyberinsurance Premiums are Going Down: Here's Why and What to Expect," SecurityWeek, 2 Jul 2024.

2Rothenberg, Eva. "Months to Correct, If Not Years': Car Dealerships and Customers Feel the Impact as CDK Outage Drags On," CNN Business, 25 Jun 2024.

3Abrams, Lawrence. "PowerSchool Hacker Claims they Stole Data of 62 Million Students," BleepingComputer, 22 Jan 2025.

4"Resilience Enhances Industry-Leading Cyber Insurance Loss Prevention With Integrated Features," PR Newswire, 1 May 2024.

5"Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud", Internet Crime Complaint Center, 2 Dec 2024.

6Ingerslev, Jacob. "Opportunities to Revitalize Growth in the US Cyber Insurance Market, TMHCC Report Reveals," Tokio Marine HCC, 7 Jan 2025.

7"Cybercrime in 2025: What to Look Out For," Panda Security, 7 Jan 2025.

8Gurtcheff, Jeff. "How Gen AI Will Revolutionize Claims," InsuranceThoughtLeadership.com, 10 Jul 2024.