Why Cyber Insurance’s “Fire Sale” Won’t Last
Today the cyber insurance market appears to be having a “fire sale.” Rates are falling, capacity is abundant, new players continue to enter the market, and buyers are enjoying some of the most affordable coverage in several years. When it comes to renewals, few corporate insurance buyers are bracing for less coverage at higher premiums. Based on these trends, you might easily conclude that the biggest market challenges are behind us. Don’t. Losses continue to climb and threats are growing more sophisticated. In 2024, U.S. cyber insurance premiums declined for the first time since AM Best began tracking the market in 2015. This pricing environment won’t hold indefinitely, although, like all insurance cycles, it may persist longer than expected.
Why Rates and Risk Are Moving in Opposite Directions
On the supply side, we’re starting to see the production line of new cyber MGAs begin to wane. A number of entrants that were attracted by strong loss ratios are now pulling back as the premium growth many had forecast heading into 2026 hasn’t materialized. What looked like a straightforward growth story even a year ago is proving to be more constrained. A byproduct of this across-the-board forecast miss is an array of senior talent being relegated to the sidelines after Q1 2026 revenue was re-evaluated.
At the same time, the loss environment is shifting in ways the industry can’t afford to underestimate. For years, nation-state cyberattacks were treated as a government or military issue. That distinction is becoming increasingly irrelevant. In March 2026, an Iranian-linked group targeted Stryker Corporation, a Fortune 500 company, disrupting operations across 79 countries and making clear that geopolitical cyber risk is now a direct concern for public and private enterprise.
That event brings us back to a question the industry largely moved past after the early stages of the war in Ukraine: how do war exclusions apply when a state-sponsored actor targets a commercial organization? It’s an uncomfortable gray area, and one most policyholders won’t fully appreciate until they’re in the middle of a claim.
At the same time, several of the senior cyber insurance execs I speak to are seeing a different kind of exposure emerge with AI: one that looks a lot like an insider risk, but without the traditional controls. As AI tools become embedded in day-to-day workflows, employees are granting access to sensitive data (e.g., calendars, inboxes, communications, internal systems) in ways that would have raised immediate concerns just a few years ago. Those frontline employee decisions are often happening without centralized visibility.
The challenge is that governance hasn’t caught up. Most organizations are still determining what should and shouldn’t be shared with AI efficiency tools. Meanwhile, carriers are working to limit their exposure to AI use or development via exclusions and terms & conditions language. The net effect is a widening gap between where exposure is growing and where coverage actually exists.
Rethinking Who Is Actually a Good Risk
These shifts require rethinking how cyber risk is assessed at the underwriting level.
For certain coverages, conventional wisdom often treats a prior breach as a red flag. The likelihood of an organization suffering the adverse consequences of a human decision sometimes rises with repeat situations. In practice, though, the signal is more nuanced. If I were underwriting cyber cover, the first question on my form would certainly be: “Have you experienced a breach before?” Organizations that have incurred a prior breach often emerge with stronger, more mature security postures. They have implemented multi-factor authentication, formalized incident response, invested in continuous monitoring, and typically increased their arsenal of IT staff talent. Some have even added a CISO and set up regular training regimens for their employee base. More importantly, these various controls have been tested under real-world conditions, and these proactive defenses have made these insureds better risks.
By contrast, a clean claims history is not inherently indicative of resilience. It may reflect strong controls or simply a lack of exposure to a meaningful event. The more telling indicator for underwriters may not be past incidents, but rather the presence or absence of sustained investment in security infrastructure.
This assessment becomes even more complex when factoring in third-party and supply chain risk. An organization’s defenses are only as strong as those of its partners, and vulnerabilities often propagate through interconnected ecosystems. Effective underwriting must extend beyond the named insured to evaluate the broader network of dependencies.
What Brokers Should Do Now
First, it’s important to realize that cyber loss events are not going away. Zywave’s loss data tracks almost 300,000 cyber loss events and their financial impacts across all industries, all company sizes, and all geographies. This dataset currently documents well over $100B in aggregate loss value, which is orders of magnitude greater than any single insurer’s entire book of claims. There is no niche segment or dimension where we can’t demonstrate cyber losses that have already occurred. The old cyber market adage of “It’s not if, but when” has shifted, in my view, to “Cyber threats are continuously happening; how are you responding?” However, market supply and demand conditions are not moving in sync with these escalating threats.
Accordingly, the cyber insurance executives whom I regularly talk with see 12 to 18 months left for this softening cyber insurance market under normal conditions. Of course, a major systemic event could upend that timeline considerably.
The industry has not yet experienced the kind of catastrophic cyber loss that forces a market-wide repricing. A large-scale grid attack, a significant data center outage, or a coordinated assault on critical infrastructure would have far-reaching implications. When something of that magnitude occurs, the adjustment will be swift and there will be little warning.
While the current soft market persists, brokers have a concrete opening to showcase their strategic advisory skills. Sophisticated buyers of insurance do not reduce their total premium spend when rates fall; they redirect it. They understand that letting their premium budget erode in a soft market leaves them underprepared when rates harden.
The cyber savings available right now can be applied to emerging exposures that many programs were not designed to address, even a few years ago. AI liability is one clear example. As carriers continue to exclude AI-related losses from standard cyber policies, the gap between what organizations need and what they carry coverage-wise is widening. Supply chain risk and third-party vendor exposures are other examples. Brokers who raise these issues today will be the ones their clients turn to when it matters most.
Jeff Cohen is senior vice president, industry relations, at Zywave, where he serves as a chief evangelist, spearheading relationships with key clients and industry stakeholders. He also leads Zywave’s media business and is a member of the firm’s senior leadership team. With more than 35 years of experience spanning data, analytics, media and insurance-focused businesses, Cohen previously served as president of Advisen, which was acquired by Zywave in 2020, and held senior sales and marketing roles at Bloomberg.
