The cyber insurance market is softening at precisely the moment the threats driving demand for it are becoming more dangerous. That contradiction sat at the center of last week's Family Office Cybersecurity Forum in New York, where insurers, brokers and security specialists outlined a threat landscape reshaped by artificial intelligence and a coverage market where competition is outpacing risk.
"The market is expanding and more companies are getting into it," he said. "Insurance companies prefer you pay less in premiums than have to pay out a lot later. Family offices should shop around."
That advice is well-timed from a buyer's perspective. Despite an increase in both the frequency and severity of cyber losses, the marketplace remained favorable to buyers throughout 2025, with competitive conditions driving year-over-year premium reductions since 2022, according to WTW. Average premiums are expected to fall a further 11% in 2026 due to intense insurer competition, according to SentinelOne. Early indicators, however, suggest the rate of decline is beginning to slow.
The benign pricing environment masks a deteriorating risk profile. Warren Finkel, managing director at Omega Systems, told the forum that AI has introduced "an entirely new attack surface," citing deepfake impersonation attempts and AI-generated phishing campaigns as the most acute emerging threats.
The data supports the concern. The FBI's 2025 Internet Crime Complaint Center report logged a 37% rise in AI-assisted business email compromise incidents involving cloned voices of executives and officials. Deepfakes now account for 6.5% of all fraud attacks, a 2,137% rise since 2022, with Q1 2025 alone recording 19% more incidents than the entirety of 2024, according to research published by DeepStrike.
Attackers can now remain undetected inside a compromised system for 100 days or more. The cost to attack is tiny versus the cost to defend, detection is slow and the risk of prosecution is near zero.
The forum highlighted structural vulnerabilities that go beyond standard commercial cyber exposure.
Vishal Chawla, CEO of Blue Ocean Cyber, described family offices as "uniquely exposed" due to cultures of informal approvals, reliance on personal assistants, speed over process and multi-generational structures — all of which create exploitable gaps.
According to data cited at the forum, nearly half of US family offices were victims of cyberattacks in 2025, and just 60% are confident their employees can detect and prevent AI-powered attacks. For insurance professionals, the more consequential issue may be what is happening at the claims stage. Cheaper premiums are not translating into reliable protection.
More than 40% of cyber insurance claims are currently being denied, primarily due to missing controls, notification delays and absent policy provisions rather than exclusion clauses, according to SentinelOne.
Material misrepresentation — where forensic review after a breach reveals that controls attested to on the application were not actually in place — is the most common reason for claim denial in 2026, according to research published by Transform 42. Roughly three out of four carriers now run external attack surface scans during the underwriting process, replacing self-attestation as the primary verification method, according to Emerge IT Solutions.
Family offices and their advisers also face a tightening regulatory environment that directly mirrors insurer requirements. The SEC's amendments to Regulation S-P took effect for smaller registered investment advisers on June 3, 2026, introducing a written incident response program, a 30-day customer breach notification obligation and expanded vendor oversight requirements, according to Omega Systems.
The SEC's Division of Examinations has identified Regulation S-P compliance as a fiscal year 2026 priority, with examiners focused on security controls, staff training and operational resilience against AI-related threats, according to Shulman Rogers.
The controls the SEC now mandates are, in most cases, the same ones cyber insurers require for coverage. The financial stakes are rising in parallel. Aon recorded a 38% jump in cyber and technology errors-and-omissions incidents in the US in 2025, with the average global ransomware claim reaching approximately $713,000 — nearly double the $374,000 recorded in 2024, according to TorchLight.
The forum's message pointed to a market with a structural tension: premiums are falling, claims are being denied at scale and the underlying risk is accelerating. The family office segment, with its informal governance and high-net-worth exposure, sits squarely at the intersection of all three.