The cyber insurance market’s prolonged soft pricing cycle is increasingly out of step with the rapid escalation of digital threats, as artificial intelligence accelerates both the sophistication and scale of cyber attacks.
According to executives at some major insurers and reinsurers, the market has yet to fully account for the systemic risks posed by AI-enabled attacks, despite a growing series of “near misses” involving cloud outages, ransomware and third-party vendor disruptions.
Adrien Robinson (pictured below), head of global specialty at The Hartford, told Insurance Business that cyber rates appeared “a little disconnected” from the underlying trajectory of risk, comparing the current environment to the gap between climate science and insurance pricing in natural catastrophe markets.
“Cyber is probably the quintessential example of risk changing in real time,” Robinson said. “These technologies create new risks, and they evolve at a pace that’s difficult to fully understand. We need to be vigilant as an industry.”
The comments come as cyber insurers grapple with an unusual paradox: a competitive market characterized by declining or stabilizing premiums, even as executives acknowledge that the threat environment is becoming more volatile and interconnected.
“To me, the pricing environment feels a little disconnected from that risk,” said Robinson. “Cyber has been a very competitive market for a few years now. It’s actually a bit like climate change — there seems to be a disconnect between long-term trends and short-term pricing decisions in parts of the industry.”
For now, the sector has avoided the kind of systemic catastrophe long feared by underwriters. Events such as the CrowdStrike outage, the CDK software disruption and cloud-service interruptions at major technology providers caused significant operational disruption but stopped short of triggering industry-wide insured losses. Executives repeatedly referred to such incidents as “near misses” rather than full-scale cyber catastrophes.
However, some corners argue that AI-driven tools are fundamentally changing the economics of cyber attacks. Cyber experts have pointed to emerging artificial intelligence systems such as Mythos, which could allow threat actors to propagate attacks at unprecedented speed and scale.
“We haven’t had our (Hurricane) Katrina event,” noted Bob Parisi (pictured below), head of cyber solutions – North America at Munich Re, referring to the insurance industry’s defining natural catastrophe benchmark.
“If AI causes a security breach or privacy breach, all things being equal, that’s not going to be the differentiator in determining whether it’s covered or not. We don’t exclude it, and I think that’s fairly typical across the marketplace right now.”
The growing concern is not simply the frequency of attacks, but the accumulation risk created by interconnected digital infrastructure. As companies become more reliant on cloud providers, outsourced software and third-party vendors, a single failure can cascade rapidly across industries.
Tim Nunziata (pictured below), vice president of cyber risk for excess and surplus/specialty at Nationwide, said insurers were increasingly focused on the “web of interconnectivity” linking businesses and technology providers.
“The fear of systemic loss has been there from the beginning,” Nunziata said. “As more buyers come online and smaller companies become more reliant on third-party providers, we look to underwrite that web of interconnectivity as best we can.”
Despite those concerns, pricing has remained under pressure after several years of intense competition. Nunziata said the market had experienced a “negative rate environment” for roughly three years, though he added that conditions were beginning to stabilize following sequential improvement over the past 11 quarters.
Underlying claims trends also remain mixed. Insurers report higher frequencies of cyber incidents but lower average severities, partly because many attacks are being contained more quickly and companies have improved baseline cyber hygiene.
Ransomware illustrates that dynamic, said Parisi. He said available industry data suggested the number of attacks had declined while the severity of successful incidents had increased.
“There aren’t as many attacks, but the ones that hit, hit hard,” he said.
The larger long-term concern regarding accelerating cyber threat activity remains the risk of business interruption. Businesses are increasingly vulnerable not because of stolen data, but because digital infrastructure now underpins core operations.
A cyber incident affecting industrial control systems, logistics software, or cloud computing platforms could inflict losses comparable to – or even greater than – traditional physical catastrophes such as fires or floods.
Even so, executives acknowledged that modelling cyber catastrophe risk remains exceptionally difficult because the threat landscape evolves far faster than traditional insurance risks. Robinson pointed out that underwriting increasingly depends on forward-looking scenario testing, cybersecurity expertise, and collaboration with technology firms and law enforcement agencies.
“With cyber especially, you can’t just rely on historical data because the risk evolves in real time,” said Robinson. “You need forward-looking expertise in addition to the data.”
Despite the threat, some market participants are quick to emphasize the upsides of AI. “Something we don’t talk about enough is organizations’ ability to deploy AI as a benefit,” said Nunziata. “Identifying vulnerabilities or deficiencies in their cybersecurity network enables them to respond more rapidly and shore up those concerns.
“So, AI is obviously a concern and something we’re underwriting to — not just asking whether AI is part of your operating system, but how you’re using it to improve your risk profile and defend against bad actors. That’s the flip side of the coin that gets lost in the uncertainty.”
