Cyber insurers have invested heavily in data, incident response and underwriting technology over the past five years. But according to Eric Rentsch, chief product officer at Zywave, buyers and brokers are struggling to keep pace as cyber risks evolve faster than traditional insurance processes can accommodate.
Global commercial insurance premiums have grown by around 8% annually over the past five years, according to McKinsey, while insurance employment growth has remained below 1%, increasing pressure on already stretched broker teams.
Data-driven cyber underwriting has accelerated as carriers pair incident response services directly with policies, giving insurers richer information about how businesses manage cyber risk. But Rentsch said the scrutiny on policy wording that followed the hard market of 2021 to 2022 has made cyber cover more precise and, in some cases, more difficult for buyers to navigate.
“Firms are getting better, maybe too good. The challenge is coverage gaps, or cyber risks that clients may not fully appreciate or don’t feel are properly reflected in the policy. Those conversations are still very fluid and, dare I say, in some cases a bit less than you would want to see.”
“Every top 50 broker that I talk to that works in a cyber specialty practice has staff that know the conversation with the end insured is needed,” Rentsch said. “But they’re slammed. They don’t have enough time to actually get to every possible submission or renewal.”
James Willison, managing director of Zywave’s wholly owned subsidiary WCL in London, said the same dynamic is playing out in how business is placed. The model of brokers collating information, printing it and physically walking it into the market is becoming increasingly difficult to sustain as carriers demand faster and more structured data flows.
“What we’re seeing across the market is underwriters looking at their distribution strategy and asking how they can have a digital front door, how they can accept data from brokers, do the analysis of the risk information, generate indicative appetite, and support their customers much more quickly.”
The demand for data, Willison said, consistently outstrips the ability of internal systems to use it effectively.
“People are crying out for more data,” he said. “Whether their core systems today are able to adequately deal with that data is a slightly different question.”
One of the clearest areas of consensus between Rentsch and Willison is that the annual renewal cycle is increasingly mismatched with the nature of cyber risk.
“The availability of data and this idea of doing a risk assessment once a year, setting a premium and then doing that again a year later, I think that’s going to change if it hasn’t already.”
Willison compared cyber risk to a constantly evolving threat rather than a static physical exposure. Traditional fire risks change slowly once sprinklers, detectors and alarms are installed. Cyber threats, by contrast, continuously adapt.
“It’s an ever-evolving risk which is almost learning as it goes,” he said. “It knows how to switch off the sprinklers and not trip the alarms. The damage can be a lot more insidious. It can carry on for longer without people being aware of it.”
The most significant emerging challenge, Rentsch said, is also one of the least well understood: the insurance implications of agentic AI, where AI systems perform tasks autonomously within an organisation.
“Carriers are getting very cautious about AI-generated phishing, deepfake fraud, AI-assisted malware. That’s really going to accelerate as organisations adopt agentic AI, where they actually have AI agents doing work within their systems.”
Simply excluding AI-related risks from cyber policies is not, he argued, a sustainable long-term position. As AI adoption becomes more widespread, coverage gaps are likely to become commercially significant.
“Just excluding it is not a tenable thing,” Rentsch said. “You’re going to need coverage for this type of capability in your organisation as everybody increasingly adopts it.”
Willison said cyber training exercises are becoming increasingly important as regulatory notification obligations begin the moment a breach is identified. Rentsch said supervisory systems that monitor AI tools for compliance may eventually become as routine as phishing awareness training is for employees today.
“Prompt injection is phishing for LLMs - instead of tricking a human into clicking a link, you trick a model into following instructions hidden in its inputs,” Rentsch said.
For brokers navigating this landscape, the message from both Rentsch and Willison was consistent: conversations about what cyber policies actually cover can no longer happen once a year at renewal. As cyber risks evolve faster than traditional insurance cycles can accommodate, buyers, brokers and carriers are all being pushed towards a more continuous model of risk assessment, monitoring and coverage review.