The cyber market still looks buyer-friendly, but the smarter players in broking are starting to act as if that window is already closing, especially as some big risks, notably data theft and business interruption, continue to be underestimated by clients.
Experienced cyber brokers such as Jack Petts (pictured), principal in Marsh Specialty’s cyber practice, say that rather than chasing one more premium reduction in a competitive market, brokers should use this phase of the cycle to future-proof clients’ programmes before underwriters become more selective and policy wording starts to narrow.
The real threat is not simply a breach, but a business that can no longer trade, invoice, deliver or manufacture because a ransomware event, cloud outage, software supply-chain compromise or internal system failure has taken its core systems offline. While the market remains soft and “a great time to be a buyer”, CRC Group warns that a large cloud outage, critical infrastructure ransomware event or major supply-chain cyber catastrophe could quickly push conditions back toward hardening.
Petts said too many insureds still frame cyber as a breach problem when it is increasingly a continuity problem. Claims data suggests that is where the current market is moving. CRC has reported that business interruption is now the biggest driver of cyber claim severity: over a five-year period, business-interruption claims were on average more than 650% more costly than claims without interruption losses and ransomware was behind about 81% of them. Data from Allianz has shown that ransomware made up 60% of the value of large cyber claims above €1mn in the first half of 2025. Coalition added another warning sign, reporting that initial ransom demands jumped 47% in 2025.
In that environment, Petts said there are three main areas brokers should work on with clients.
“The first is securing strong coverage wording now,” he said. For brokers, that means treating today’s soft market as the moment to fight for the terms that will be hardest to win later: clear business interruption triggers, stronger cyber liability language, system failure cover for non-malicious events and contingent business interruption protection that reflects dependency on both IT and non-IT suppliers. Rather than policy housekeeping, this can be the difference between a cyber programme that responds to modern loss drivers and one that doesn’t.
That is especially true now that operational loss is no longer confined to the insured’s own network. Petts points to third-party dependency risk and the external data supports him. Marsh has found that 70% of organisations experienced at least one material third-party cyber incident in the past year. IBM has reported that large supply-chain and third-party compromises nearly quadrupled since 2020, while Black Kite says third-party breaches scaled in 2025 because impact cascaded faster than disclosure and the most relied-upon vendors remained structurally exposed.
Petts’ second line could be pinned above every cyber broker’s desk: “Second, I would say helping clients to improve their cyber posture,” he said. “Insurers are increasingly differentiating between organisations based on their security maturity.”
Many firms are at least planning to head in this direction. Marsh data says 66% of organisations worldwide plan to increase cybersecurity investment in 2026, with incident planning, mitigation and talent among the priorities. Improving cyber posture is becoming more important as some attacks become more difficult to control. CrowdStrike has said that the average eCrime breakout time fell to just 29 minutes in 2025.
The third pillar in Petts’ answer is limit strategy.
“A lot of organisations still buy limits based on historical benchmarks rather than actual exposure modelling,” he said.
Too many buyers still purchase limits by habit, benchmark or budget, not by exposure modelling tied to downtime, vendor concentration and actual revenue reliance on digital systems. If the next systemic event pushes the market back into harder territory, those conversations get more expensive very quickly. Broking value, then, is not merely finding capacity, it is using this moment of softer pricing and broader terms to persuade clients to buy the right structure before that leverage disappears.
Cyber brokers should be warning clients that the quiet danger in this soft market is complacency. The market is giving buyers room but the threat environment is not. That suggests brokers should use today’s conditions to lock in wording, raise security maturity and reset limits around real interruption risk, before the market remembers how to say no.
