
Introduction
With over 25 years in risk management, I’ve seen insurance evolve through everything from natural disasters to financial meltdowns. But nothing has changed as rapidly, or as unpredictably, as cyber insurance. In 2025, the market remains at a crossroads, shaped by emerging technologies, evolving threats, and increasing pressure from leadership teams.
In this post, I’ll walk you through where cyber insurance stands today from my perspective, including rate trends, coverage updates, emerging carriers, and the top concerns keeping risk managers, CISOs, and boards up at night. If you’re new to this space, check out the Cyber Insurance Primer at the end.
Remember: These observations reflect broad market patterns, not guarantees. Your organization’s specific renewal terms will vary based on your risk profile, security controls, claims history, and industry dynamics.
The Market Landscape: Stabilization Amid Complexity
After the post-pandemic premium volatility, the market has largely stabilized. Renewal rate changes are mostly in the –5% to +5% range (though some see larger reductions), a welcome shift for companies that endured steep hikes (often over 50%) during the 2021-2022 surge. Capacity remains strong, and competition is high. New entrants are bringing fresh capital and creative underwriting strategies, expanding options for buyers.
However, the influx of new carriers could dilute underwriting discipline over time. Questions also remain about long-term consistency and viability, particularly around claims handling.
Coverage Trends: Expanding Scope, Sharpening Focus
Cyber policies in 2025 go far beyond data breach response and ransomware. Key trends include:
- Ransomware Still Dominating Claims: Despite a decline in ransom payments, ransomware remains the top driver of cyber insurance losses. Business interruption accounts for over 50% of related costs. Triple extortion tactics and AI-enhanced attacks are increasing severity.
- Contingent Business Interruption (CBI): Losses from third-party outages, such as cloud providers or software vendors, continue rising. Insurers remain cautious due to aggregation risk.
- AI-Driven Threats (and Assessments): Generative AI has enabled deepfake scams and automated phishing. Some carriers are introducing AI exclusions or endorsements to address “silent” coverage, while others demand stronger controls. On the flip side, AI is also improving underwriting and claims efficiency.
- Security Requirements Are Critical (and Often Mandatory): Advanced controls like MFA, EDR, MDR, and privileged access management are increasingly required to qualify for coverage or to earn premium discounts.
- Parametric Options: More insurers are offering parametric cyber coverage, which enables faster payouts. However, these require clearly defined triggers and aren’t yet ready to replace traditional policies.
- SMEs Are Increasingly Targeted: Companies of all sizes are now in the crosshairs. Every organization must assess its security posture and incident response readiness.
- Privacy Litigation and Regulatory Pressure: Non-breach privacy claims, such as biometric misuse and wiretapping violations, are rising. Regulatory changes like CIRCIA and SEC disclosure rules are prompting insurers to tighten terms and expand legal cost coverage.
New Carriers and Market Dynamics
Legacy insurers no longer dominate the market, though they still play a major role. In 2025, MGAs and niche carriers are offering tailored, flexible solutions appealing to mid-market and tech-forward firms. But more choice can mean fragmented coverage. Always scrutinize exclusions and claims processes to avoid surprises.
CISO Concerns: Budget Pressures and Strategic Alignment
CISOs are under constant pressure. Threats are growing, budgets often stagnate, and expectations around prevention, detection, and response continue to rise. Delayed upgrades, tool consolidation, and increased reliance on cyber insurance are becoming the norm.
CISOs now demand policies tailored to their unique risk profiles, not one-size-fits-all forms. Bridging the gap between board-level decisions and operational needs is more critical than ever. Many CISOs are also seeking personal protection for decisions made under constrained circumstances.
Boardroom Priorities: Governance, Resilience, and Risk Transfer
Boards are more engaged in cyber risk than ever. A recent NACD survey (2025 Board Practices and Oversight Survey) found that 77% of directors now focus on the financial fallout from cyber incidents, up from 52% in 2022. Yet oversight gaps persist, especially around metrics and response planning.
Key board concerns include:
- Supply Chain Vulnerabilities: Ensuring resilience across ecosystems after high-profile third-party outages. Visibility and interconnectivity mean organizations can be hit from multiple angles.
- Cyber Insurance Strategy: Understanding what policies cover, how claims are handled, and whether coverage aligns with the organization’s risk appetite.
- Regulatory Exposure: SEC rules and a patchwork of state, national, and global regulations are prompting boards to scrutinize disclosures and liability protections.
Guidance for Risk Managers: What to Do Now
- Evaluate Probable Losses: Buying cyber insurance is almost always a smart move, but how much to buy is a strategic decision. Consider your organization’s risk tolerance, potential financial impact, and reputational harm.
- Run a Cyber Risk Gap Analysis: If you already have coverage, identify exposures your policy doesn’t address, for example around third-party risks and AI-driven threats.
- Build Relationships with CISOs and Legal Teams: Ensure alignment between technical controls, legal obligations, and insurance. CISOs are now central to underwriting meetings, and insurers assess their capabilities and credibility.
- Read Policy Language Carefully: Watch for exclusions, waiting periods, and retention clauses, especially in CBI or system failure coverage. Review endorsements to see what’s added or removed.
- Keep the Board Informed: Share updates on cyber trends, market shifts, and incident readiness. Boards have a fiduciary duty to address major risks, and cyber remains a top concern.
- Build Long-Term Carrier Relationships: Don’t chase the lowest premium each year. Seek partners who support your long-term resilience. Meet them in person when possible. Insurers value relationship-building.
Conclusion
In 2025, cyber insurance is no longer a nice-to-have; it’s a core component of enterprise risk management. As threats evolve and expectations rise, organizations need a proactive, informed approach to coverage selection and risk transfer. That transfer must align with both the organization’s risk appetite and its broader strategy for managing cyber threats.
At 221B Consulting, we help clients navigate this complex market with clarity and confidence. Whether you’re a CISO, board member, or risk leader, we’re here to support your journey toward cyber resilience.
Cyber Insurance Primer
New to cyber insurance or need a refresher? Check out our Cyber Insurance 101 Primer in the Resource Library for a quick overview of key concepts, coverage types, and practical buying tips to help you get started.