The cyber insurance market is expected to maintain stable conditions into 2025, according to Gallagher's outlook.
Softening market conditions that began in 2024, driven by increased competition among carriers, are expected to persist, creating a buyer-friendly environment with abundant capacity, higher limits, and flexible underwriting. Rates remain flat or have slightly declined in some cases.
Gallagher noted that while the market has stabilized, several challenges emerged in 2024. These included persistent ransomware and social engineering attacks, as well as the growing threat of supply chain disruptions. Wrongful data collection claims also began maturing, becoming a notable concern for insurers.
Additionally, the potential risks posed by generative artificial intelligence are drawing increased scrutiny from the underwriting community, both in terms of heightened threat capabilities and regulatory compliance.
Data breaches remain a costly issue for organizations, with the IBM-Ponemon report revealing the average cost of a data breach reached $4.88 million in 2024, a 10% increase from the prior year.
Gallagher highlighted that ransomware attacks have continued to evolve, with decreasing initial ransom demands and lower average payments – falling from $568,705 in 2023 to $381,980 in 2024.
However, ransomware incidents increased in frequency, and business email compromise remains a significant tactic, with $2.9 billion in losses reported in 2023.
Gallagher also pointed to the growing impact of supply chain attacks, which targeted industries such as healthcare, automotive, and transportation in 2024. The rise of non-breach privacy claims, particularly those related to wrongful data collection, was another trend that emerged last year.
Claims tied to website tracking technologies and biometric data have been amplified by state laws allowing private rights of action.
Gallagher emphasized the role of regulatory risk in shaping the cyber insurance landscape. Publicly traded companies are now required to report material cyber incidents to the Securities and Exchange Commission (SEC) within four business days, as well as to provide annual reports detailing their cyber risk management efforts.
The Cybersecurity and Infrastructure Security Agency (CISA) proposed rules for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), set to be finalized by mid-2025. Gallagher highlighted that failure to comply with these regulations could result in penalties and legal consequences.
Cyber insurance products are also evolving in response to regulatory and market pressures. Gallagher observed that coverage for regulatory risk has become more restrictive, with increased attention on exclusions related to website tracking claims and privacy laws.
Policy language surrounding terms like "unauthorized" versus "wrongful" is becoming critical in determining claim coverage.
Reinsurance continues to play a key role in supporting the cyber insurance market, Gallagher said. Reinsurers are utilizing tools like insurance-linked securities, proportional reinsurance transactions, and catastrophic bonds to spread risk across capital markets.
Gallagher noted that primary insurers are improving data-sharing practices with reinsurers to refine loss modeling and enhance coverage solutions.
The global cyber insurance market has seen significant growth, with premiums doubling over the past five years to reach $14 billion in 2023. Gallagher cited projections that estimate premiums could rise to $29 billion by 2027. Carriers have achieved improved loss ratios through underwriting discipline and security control measures, positioning the market for continued expansion.
Despite current market stability, Gallagher warned that emerging risks, including those tied to artificial intelligence, geopolitical instability, and supply chain disruptions, will require close monitoring. The underwriting community is expected to adapt policy terms and coverage offerings to address these challenges.
What are your thoughts on this story? Please feel free to share your comments below.