The cyber insurance market has reached a durable equilibrium after years of volatility, but the threat landscape underneath it is evolving faster than most organizations can track. Christopher Keegan, senior managing director and cyber and technology national practice leader at Brown & Brown Risk Solutions in New York, says the market is competitive and profitable, with modest softening that he expects to persist for the next two to three years, absent a major systemic attack.
"We've been in this for about three years now with a very similar market dynamic," Keegan said. "Some coverages are getting broader, some narrower. There are little pockets of the market that are hardening, healthcare for example, but for the most part it's maintained a sustainable equilibrium."
New entrants have kept rate pressure in check. Keegan notes that while some market leaders have tried to push rates higher, incoming capacity has absorbed that pressure. Only one or two markets have exited over the past two to three years, while significantly more have entered, many of them actively expanding capacity with management support.
Larger organizations have made real strides in shoring up their defenses, Keegan said, with widespread adoption of multifactor authentication, endpoint detection and response, and managed detection and response tools. But identity management remains an area of meaningful exposure, even among organizations that have otherwise improved their posture.
"Those tools are expensive, not easy to implement, and require real behavior changes from the people inside those organizations," he said. "Identity and access management has become such a priority because groups like Scattered Spider have demonstrated just how effectively they can fraudulently gain access to people's identities."
In the small and midsize business segment, the gap is wider. Keegan said carriers are increasingly seeing losses driven by funds transfer fraud as much as by ransomware or data breach incidents. Threat actors have grown highly sophisticated in assuming and exploiting identities, and the off-the-shelf tools available to smaller companies often fall short.
"Getting smaller companies, those under $25 million or even $100 million in revenue, to purchase cyber coverage remains very difficult," he said. "Those organizations really have to rely on tools from companies like Microsoft to get the protections they need. They often don't believe they're vulnerable until they find out they are, after losing money or being taken down."
Keegan is candid about the trajectory. AI is not a future risk but a present one, and its primary effect so far is compression: attack cycles are faster, social engineering is more convincing, and the window available to defenders is getting shorter.
A widely reported 2024 incident in Hong Kong, in which a finance employee transferred $25 million after a video call with deepfake voice and video clones of the company's CFO, has become a reference point in the industry. Keegan said his team has seen similar demonstrations internally.
"The level of sophistication is already there and only growing," he said. "Once a threat actor gains access to an identity, AI is extremely effective at moving that identity laterally across systems to reach the crown jewels."
He added that automated AI-powered response is not yet standard, and the decisions that need to be made during a large-scale attack, including whether to take systems entirely offline, still fall to human beings, often under severe time pressure.
"It is likely the CIOs who will be making those calls, often at 10 or 11 at night, and the time available to make those decisions is getting shorter."
On the underwriting side, Keegan said the shift over the past three years has been toward more active intelligence gathering. External scans and threat intelligence feeds now supplement application forms, with sharper focus on whether purchased controls are actually deployed and managed correctly.
"You can purchase the tools, check the box, but if the management of those systems is incomplete, or if alarms are generated and ignored, the protection isn't real," he said. Underwriters are pressing harder on MFA configuration and on the human-layer controls designed to prevent social engineering through help desk impersonation and phishing.
AI governance has also entered the underwriting conversation. Keegan said carriers want to know whether organizations have designated ownership of AI policies, whether shadow AI use is being addressed, and whether employees understand appropriate use.
For Keegan, the broker's role has shifted substantially toward what he calls pre-underwriting. That means working with clients before renewal to assess controls, map posture to frameworks like NIST and ISO, and build a coherent narrative for underwriters.
"We take what they actually do from a control standpoint and interpret it," he said. "We're also helping directors and officers understand risk in real dollar terms. That resonates with executives far more than technical information does."