
Despite an ever-evolving threat landscape, growing attacker sophistication, and frequent and severe cyberattacks, the cyber insurance segment softened in 2024. Most policyholders encountered modest, single-digit rate increases.
This market improvement was driven by several factors, including increased competition among carriers, a surplus of capacity and a steadfast focus on cyber hygiene among insureds (i.e., fewer claims mean lower loss ratios). Rate improvement was particularly noticeable among accounts that could demonstrate year-over-year improvement in their cyber risk management practices.
Overall, 2024 continued to be a buyer’s market in the cyber insurance space, especially considering the expanded presence of surplus lines carriers and strides made in policy design (e.g., increased customization, improved coverage options and nuanced underwriting practices).
Still, with the fast-changing nature of cyberthreats, cyber insurance can be an especially volatile and dynamic segment, and frequent market changes can make pricing predictions difficult to pin down. The CrowdStrike and Change Healthcare incidents highlighted the greater impact of just one cyberattack across multiple organizations and business sectors. Given the potential impact of systemic events like these, it’s possible insurers will implement stricter underwriting guidelines in 2025 and may be less aggressive when it comes to lowering rates. Higher-risk industries (e.g., health care) are already being treated more cautiously. While current price predictions indicate lower rates, mileage may vary from policyholder to policyholder.
In 2025, insurers will continue to emphasize cybersecurity controls, leveraging advanced risk management assessment tools (e.g., AI-powered data analytics) to predict losses and price policies more accurately. More than anything, a strong cybersecurity posture and a deep understanding of the current threat landscape will best equip policyholders to navigate the coming year’s cyber insurance market. This means that insureds who fail to adopt proper cybersecurity protocols or experience a rise in cyber losses may encounter ongoing premium hikes and coverage restrictions for the foreseeable future.

Developments and Trends to Watch
Ransomware threats
Ransomware attacks involve cybercriminals compromising devices or servers and demanding that large payments be made before restoring the technology (as well as any data stored on it). These cyberattacks impact businesses of all sizes and sectors, especially small- and medium-sized organizations. What’s worse, they often carry costly losses as a result of substantial payment demands, technology and data recovery efforts, business interruption and regulatory consequences. Ransomware attacks have skyrocketed over the past decade, and blockchain analysis firm Chainalysis reported that 2024 could be the highest-grossing year yet for ransomware payments. Notably, in what’s being touted as the highest ransomware payment on record, cybercrime group Dark Angels received a ransomware payment of $75 million—nearly double the highest amount from 2023. What’s more, the frequency of these attacks continues to rise, and ransomware incidents were up 18% during the first five months of 2024. Perhaps most concerning is the evolving nature of ransomware attacks. Historically, ransomware attacks focused primarily on data extortion and profit; however, cybercriminals are targeting critical infrastructure more frequently. One such attack that stole headlines in the early part of 2024 was the Change Healthcare incident. Not only was sensitive patient information compromised during this ransomware attack, but Change Healthcare was unable to deliver essential services—all despite paying a $22 million ransom.
Moving into 2025, it’s expected that health care providers, schools, government agencies and other infrastructure-related organizations will be increasingly targeted in ransomware attacks. Given the essential nature of these operations, attackers believe victims in these sectors are more likely to pay a ransom to avoid prolonged disruption. Beyond this, criminals are also targeting so-called “big game” organizations they perceive to have the financial ability to pay higher ransoms. Ransomware will continue to be a pervasive issue for insurers and insureds alike in 2025, especially as cybercriminals evolve their tactics. For example, while it’s true major players in the ransomware criminal network like ALPHV/BlackCat and LockBit have declined as a result of law enforcement crackdowns, new groups have emerged to take their place. Moreover, some threat actors are employing a ransomware-as-a-service (RaaS) business model where cybercriminals sell or rent ransomware out to buyers (also called affiliates) and share the profits of an attack. RaaS is particularly concerning as it enables malicious parties who otherwise have no technical know-how to execute a ransomware attack.
AI exposures
While AI technology can certainly offer benefits in the realm of cybersecurity—streamlining threat detection capabilities, analyzing vast amounts of data and automating incident response protocols—it also has the potential to be weaponized by cybercriminals, thereby exacerbating cyber losses and related claims among businesses. Cybercriminals can utilize AI technology to create and distribute malware, crack passwords, deploy social engineering scams, identify software vulnerabilities, and analyze stolen data. This technology can enable such activities to be carried out faster and with greater success rates, which allows cybercriminals to cause major damage and even evade detection. One of the most significant risks associated with AI technology in the hands of cybercriminals is the ability to formulate persuasive phishing messages with minimal effort, making these scams much more prevalent. For example, cybercriminals can use AI-powered chatbots to impersonate legitimate sources, such as banks and other businesses, to trick unsuspecting individuals into sharing sensitive information. To help combat losses stemming from weaponized AI technology, some businesses have begun implementing more comprehensive cybersecurity measures, particularly as they pertain to threat identification and data protection initiatives (e.g., updated security software, advanced access controls, and routine employee training). Heading into 2025, businesses should be particularly mindful of emerging AI-driven threats like deepfake scams, where synthetic audio or video is used to impersonate executives or employees in order to commit financial fraud or initiate data breaches. Additionally, AI-powered automated attacks, such as rapid vulnerability scanning and exploitation, can overwhelm traditional defenses, making it crucial for businesses to adopt advanced threat detection tools and robust incident response strategies.
Supply chain vulnerabilities (third-party vendors)
Increasingly, instead of targeting an organization directly, cybercriminals are executing attacks against a business’s suppliers and vendors. Due to the interconnected nature of modern businesses, cybercriminals know that an attack on a third-party partner can have a significant downstream impact. What’s more, vendors and suppliers often don’t have the same level of cybersecurity as a target organization, making them an easier point of entry for a malicious party. Supply chain exposures can stem from a variety of parties and practices within an organization, including third-party services or vendors with access to information systems, poor information security practices by suppliers, compromised organizational software or hardware, software security vulnerabilities in supply chain management or among third-party vendors, or inadequate third-party data storage measures. Supply chain attacks prey on organizations’ inherent trust in their partners; once a partner is breached, a cybercriminal can move laterally through a network to gain deeper access to data, deploy malware or steal sensitive information. Supply chain attacks are an increasing challenge for insureds, and Gartner predicts that 45% of organizations will experience attacks on their software supply chain by 2025. Fortunately, there are some steps an organization can take to help decrease its supply chain cyber risk. These include incorporating cyber risk management into vendor contracts, minimizing the access third parties have to organizational data and monitoring suppliers’ compliance with supply chain risk management practices.
Data collection concerns
A growing number of businesses have begun leveraging biometrics, pixels and other tracking technology to gather personal information from stakeholders for various HR, advertising and marketing processes; however, doing so poses several data privacy concerns. For instance, businesses that don’t comply with applicable international, federal and state legislation (e.g., the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, the Biometric Information Privacy Act and the California Privacy Rights Act) when collecting, processing and storing stakeholders’ data could face substantial regulatory penalties, costly lawsuits and associated cyber losses. Compounding concerns, cyber insurance carriers are increasingly excluding coverage for losses caused by the wrongful collection of data, leaving businesses largely unprotected against this exposure. It’s critical for businesses that leverage tracking technology to maintain compliance with relevant data privacy laws and prioritize obtaining stakeholders’ consent before using their personal information, thus keeping associated cyber losses to a minimum. Heading into 2025, businesses should be aware of heightened regulatory scrutiny and evolving privacy laws around data collection, especially as more states and countries strengthen their data privacy frameworks.
Tips for Insurance Buyers
- Work with your insurance professionals to understand the different types of cyber coverage available and secure a policy that suits your unique needs. Start renewal conversations early.
- Take advantage of loss control services offered by insurance carriers to help strengthen your cybersecurity measures.
- Focus on employee training to prevent cybercrime from affecting your operations. Employees should be aware of the latest cyberthreats (e.g., AI-powered attacks, cyberwarfare, ransomware and business email compromise scams) and how to mitigate them.
- Keep organizational systems secure by utilizing a virtual private network, installing antivirus software and endpoint detection and response solutions, implementing firewalls and email authentication technology, restricting employees’ administrative controls and encrypting all sensitive data.
- Store backups of critical data in a secure, offline location to minimize losses in the event of a ransomware attack.
- Update workplace software regularly to ensure its effectiveness, and consider using a patch management system to assist with updates.
- Establish an effective, documented cyber incident response plan to remain operational and minimize damages in the event of a data breach or cyberattack. Test this plan regularly by running through various scenarios with staff. Make updates to the plan as needed.
- Conduct thorough cyber risk assessments of third-party vendors before entering a partnership. Review their cybersecurity practices, ask about their data protection protocols and ensure they meet your company’s standards for safeguarding sensitive information.
- Consult insurance professionals and legal counsel to determine your organization’s regulatory exposures regarding applicable data protection and cybersecurity laws. Make compliance adjustments as needed.
- Develop workplace policies prioritizing cybersecurity, including an internet usage policy, a remote work policy, a bring-your-own-device policy and a data breach response policy.
- Be sure to consider potential nation-state threats when establishing your organization’s cybersecurity policies and protocols.