A multiyear lull in insurance rates and insurers’ over-dependence on large U.S. policyholders have led to more restrictions and exclusions in coverage.

Enterprises holding cyber insurance policies are undergoing more scrutiny in their claims as rates decline and insurers scramble to remain profitable.

The stakes are high for both sides. Insurance companies around the globe increasingly fear their business is overly dependent on large U.S. policyholders, which make up nearly two-thirds of their global market share. They worry that one large supply chain event or outage could escalate and ultimately wipe out the cyber insurance industry as a whole.

These market pressures have led to a shift in the cyber insurance business model, where cyber insurers are developing sophisticated risk models to prepare for large-scale attacks that could disrupt a wave of policyholders at the same time.

Meanwhile, insurers are also pressuring policyholders to make sure they button up governance and security controls and have mitigations in place for any risk incurred by their third-party technology partners.

“Insurers today generally have a better understanding of cyber risk quantification and are placing greater emphasis on security controls, technology dependencies and exposure to systemic cyber events,” said Anjali Nagrani, principal cyber cat risk product adviser at CyberCube, a firm specializing in cyber risk modeling. “Organizations with weak cyber hygiene may face more scrutiny and coverage restrictions, whereas well-prepared companies can access broader coverage and improved terms.”

Ransomware and other cyber intrusions can add up to millions of dollars in recovery costs or more if the attack forces a company to halt order-taking, manufacturing or shipping.

A 2025 report co-authored by Marsh McLennan and cybersecurity firm Dragos found that OT cyber incidents could lead to $329 billion in direct financial losses. The report, which was based on a review of 10 years’ worth of insurance claims, showed an average annual global risk of $12.7 billion, which includes the impact of business interruption.

And a March report from Aon showed the average cost per global ransomware claim nearly doubled, to $713,000, in 2025, up from around $374,000 in 2024.

The majority of the global market for cyber insurance is currently dominated by large corporations that have sophisticated risk management and mature cyber programs.

But there’s “a huge protection gap” in cyber insurance coverage, said Martin Kreuzer, senior risk manager for cyber risks at Munich Re, who added that across all industries, smaller organizations mostly go uninsured.

The data says it all: Coverage among small- to medium-sized businesses is relatively weak, with some estimates showing only about 20% of SMEs are cyber-insured.

Small businesses typically don’t obtain coverage because they don’t consider themselves a valuable target for cyber threat actors. They also often lack the resources to properly identify their cyber risk. Michelle Faylo, U.S. cyber and technology leader at Lockton, said this is due to a lack of understanding of the financial risks.

“When we look at the volume of buyers that are missing in the middle market and the small business space,” Faylo said, “it’s because they don’t understand it.”

Given the financial squeeze on cyber insurers over the past year, they have been more closely scrutinizing claims and pressuring customers’ security teams to prove they are properly maintaining their security controls.

The result: Policyholders are recovering a smaller percentage of the total cost of a breach, according to Gavin Mead, cyber, data and tech risk partner at PwC. Disputes between the insurance provider and policyholder often center around whether security practices — particularly multifactor authentication — were actually enforced during the breach.

A significant amount of data breach costs are incurred by the victim organization’s response to a cyberattack, including forensic investigation, breach notification, credit-monitoring services and breach counsel. However, the larger exposure to a company is often the legal fallout, including class action data-breach suits from customers.

“That tail can rival the incident itself in financial terms,” Mead told Cybersecurity Dive. In some cases, companies work to make sure they identify every last customer that is exposed to a breach, thus extending the time and expense required to complete the incident response process, he noted.

Part of the frustration for buyers is a disconnect in how they are rewarded for strong security controls, according to Adam Abresch, executive vice president, cyber solutions at Acrisure.

Insurance buyers can get coverage if they have managed detection and response or endpoint detection and response, but they don’t always benefit in terms of pricing, deductibles or breadth of coverage.


“There is still a disconnect between security posture and underwriting recognition, which remains a point of frustration for buyers,” Abresch told Cybersecurity Dive.

The cyber insurance recovery process in several recent cyberattacks — such as that of toymaker Hasbro — will be a bellwether for what insured organizations can expect from their providers in this compressed and mature cyber insurance environment, experts said.

Hasbro, one of the largest toy and entertainment companies in the U.S., experienced temporary delays in ordering and shipping in the wake of a cyberattack in late March. During an earnings call last month, the company said it would incur $20 million in operating expenses related to remediation from the attack.

The company also expects between $40 million and $60 million in consumer product revenue to be delayed from the second quarter through the second half of the year. “We’re going to see, given the cyber event, a little bit of lumpiness in cash as we move through the year,” Gina Goetter, the CFO and COO at Hasbro, said during the earnings call.

It remains unclear what costs Hasbro will recover via its cyber insurance policy. The company plans to seek reimbursement for “certain costs, expenses and losses” related to the incident from its cyber insurance providers, according to a filing with the Securities and Exchange Commission. However, the company said it’s still documenting claims and has no immediate details of the claims or the “receipt, timing or amount” of any reimbursement.

Cyber insurance companies have been closely monitoring geopolitical tensions across the globe as well. The ongoing war between Russia and Ukraine and the U.S. war with Iran have become major flashpoints in the insurance sector. Threat activity linked to Iran-nexus actors has increased in recent months, including malicious attacks against key critical infrastructure providers in the U.S. What is not immediately clear is just how these attacks will be treated in the cyber insurance claims process.

The geopolitical cyber pressures will lead to more reimbursement claims by large companies to cyber insurers. War exclusion language traditionally has placed major limits on cyberattack insurance coverage, particularly when state-linked threat actors are involved. But a shift began in a 2023 New Jersey appellate court ruling that upheld insurance claims by pharmaceutical giant Merck, which sought $1.4 billion in claims related to the nation-state-sponsored NotPetya cyberattack of 2017.

The Merck case was closely watched in part due to malicious cyberattacks related to the ongoing war in Ukraine. Then Lloyd’s issued guidance in 2024, noted Sridhar Manyem, senior director, industry research and analytics at AM Best, that said if insurer policies cover state-backed cyber incidents, the coverage must be granted in a “controlled and measurable way.”

That could have wide-ranging coverage implications for industries including energy companies, water utilities and other sectors that have been targeted by Iran-linked cyberattacks in recent months. Legal experts say victim organizations’ security teams will need to closely review the specific language in their respective cyber insurance policies to determine what is specifically covered, and they also must be able to show they had the proper controls in place at the time of their attacks.

“The proliferation of global conflicts and the comparatively relative ease with which ‘war’ can now be conducted, including by unmanned drones, cyberattacks or otherwise, may cause a continued rise in efforts by insurers to exclude such losses,” Jason Rosenthal, an attorney at Much Law, told Cybersecurity Dive. This will lead to “a rise in premiums for insureds who try to purchase specific insurance for such events,” he added.

Insurance providers have increasingly become more proactive in prescribing how insured companies must manage the incident response process.

“Insurers are increasingly positioning themselves as active risk partners rather than just financial backstops that truly do want to provide a great claims experience and support the customer through what everyone agrees is a complex and stressful experience,” said Kevin Kiser, senior director of insurance alliances and solutions at cybersecurity firm Arctic Wolf.

Most insurance carriers route their policyholders through a “defined incident response ecosystem,” according to Kiser. The process may include a set of preapproved advisers, including a breach coach, who usually functions as legal counsel to the victim organization. Cyber insurers also often require preapproved security vendors to work with victims in the response phase, Kiser said.

The explosion of AI adoption and weaponization also has raised alarm bells across the insurance sector. Threat actors are using AI to develop zero-day exploits, for example, as cited in a May report from Google Threat Intelligence Group.

Businesses, meanwhile, are rolling out agentic AI and other programs that incorporate AI into their systems in the hopes that the technology will boost productivity and efficiency. But many AI implementations lack proper governance and security guardrails.

“Real-world cases show AI improving phishing, fraud and large-scale exploitation while compressing attack timelines so that recovery capability, not detection, becomes the main driver of loss-severity,” said William Altman, director of cyber threat intelligence services at CyberCube.

Rachel Turk, chief of market performance at Lloyd’s, echoed the AI concerns of cyber insurers during the company’s second quarter market presentation last month. She warned that AI would raise the specter of unmanaged risk to Lloyd’s clients and that no baseline scenarios currently exist to properly assess that risk.

“The risk vectors for cyber continue to evolve, and AI adds another dimension and future uncertainty,” Turk said, “both by being used by threat actors and raising the question of potential coverage.”

The bottom-line concern for CISOs and other leaders in this new cyber insurance risk climate is the ability to withstand a cyberattack, protect the integrity of their systems and minimize downtime.

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said, “Organizations are really looking at what do we need to do to make sure that we can keep our major systems running if major IT systems start going down for whatever reason — whether it’s a bad guy or a bad update.”