The cyber insurance market remains firmly in soft-market territory, despite repeated predictions that conditions would begin to tighten. Two years after industry warnings that pricing had fallen too far, competition continues to intensify, particularly in the SME and mid-market space.
For Sam Cheshire (pictured), head of cyber (UK Retail) at Gallagher, the more important question is not whether rates are still falling, but whether the market fully understands the risks it is accumulating.
“We’re definitely still in a soft market at the moment,” he said. “I’m not 100% sure we’ve reached the bottom either.”
As premium reductions become harder to sustain, insurers are increasingly competing on coverage breadth and additional services rather than headline price alone.
Cheshire said insurers have expanded indemnity periods, broadened policy wordings and introduced more proactive cyber risk management tools as part of their offering. “There’s not too much rate left to take off,” he said, particularly within the SME market.
That competition has accelerated the expansion of cover. “Most insurers that historically maybe even offered 90 or 180 days now [are] offering a 365-day indemnity period on the business interruption,” Cheshire said.
More traditional insurers entering the SME cyber market are also expanding their offerings beyond standalone cover, combining insurance with monitoring, prevention and broader cyber risk management services.
Despite broader market competition, underwriting outcomes are not uniform. Cheshire said organisations investing in cyber security controls continue to receive the strongest pricing benefits.
“If they’ve gone through significant improvements in reducing their cyber risk, then the insurers are more happy to offer them premium discounts,” he said.
That remains one of the more positive features of the current market from a broking perspective. “We would like our clients that are investing in reducing their risk to reap the rewards of reduced premiums,” Cheshire said.
He suggested some insurers are becoming increasingly aware that current pricing levels may not be sustainable indefinitely. “There are a number of insurers and MGAs that have realised that potentially these rates aren’t sustainable and they’re trying to rein it in a little bit,” he said.
The larger concern, however, lies in whether the cyber market has developed a sufficiently mature understanding of its own loss profile.
Cheshire drew comparisons with the D&O market, which experienced years of deteriorating profitability before pricing eventually corrected. The question, he said, is whether insurers recognised those losses in real time or only fully understood them retrospectively.
“If they didn’t know it,” he said, “could we in the cyber world be repeating that same mistake?”
That uncertainty is particularly relevant for cyber claims with longer-tail characteristics, including privacy-related losses that may develop over time. “Our loss ratios may be higher than we actually think they are,” Cheshire said.
At the same time, the cyber market continues to attract new buyers. Cheshire said organisations that previously declined cyber insurance have increasingly entered the market following high-profile incidents and losses over the past year.
That growth may itself be sustaining soft-market conditions. If premium growth continues to outpace claims development, insurers can continue writing aggressively while remaining profitable in the short term. Whether that balance holds over time remains less certain.
For Cheshire, the defining issue for the next phase of the market cycle is not day-to-day claims activity, but systemic cyber exposure.
“If there is a very large and grand scale incident that is systemic and impacts the world, then that will trigger a change,” he said.
The challenge is not whether such an event will occur, but how prepared the market is when it does. “There is going to be a systemic loss,” Cheshire said. “We know that that’s going to happen eventually.”
He suggested current market conditions remain heavily focused on growth and competition, rather than on how the industry would absorb a large-scale correlated event.
“At the moment the current market conditions aren’t necessarily looking at that,” Cheshire said.
As insurers continue competing aggressively on pricing, coverage and services, the underlying question is whether the cyber market is still expanding sustainably, or whether some of its underlying pressures have yet to fully emerge.
