The Cyber Insurance Paradox: Why Falling Premiums Won't Last (And What to Do Before They Spike)

Updated: Feb 23

The cyber insurance market is experiencing something bizarre.


Premiums are falling while ransomware attacks reach record highs.


This is the equivalent of flood insurance getting cheaper during hurricane season. It doesn't make sense. Until you understand what's actually happening, and why it can't last.



The Numbers That Don't Add Up


According to Marsh McLennan and multiple insurance industry analysts, the global cyber insurance market is projected to grow from roughly $16-20 billion in 2025 to between $30 billion and $50 billion by 2030. That's a market expanding 15-20% annually - faster than most insurance lines.


Yet in Q3 2025, global cyber insurance rates declined by 6%.


What does this mean? In essence, the market is doubling in size, but prices are dropping.


For comparison, when the property insurance market expanded after major hurricanes, premiums increased 30-40%.

When auto insurance demand surged post-pandemic, rates jumped 20%+.


But cyber insurance, facing an unprecedented wave of ransomware attacks, is getting cheaper?


Welcome to the paradox.


The Soft Market Mirage

What's driving prices down isn't decreased risk. It's increased competition.


Between 2022 and 2025, dozens of new insurers entered the cyber market, hungry for market share. When supply exceeds demand, Economics 101 kicks in: prices fall. Carriers are betting they can underwrite cyber risk profitably at lower premiums—if they're selective about who they cover.


The key phrase: "if they're selective."


According to AM Best's Cyber Insurance Market Review, carriers have become significantly more sophisticated in underwriting, using detailed security control assessments to separate well-protected organizations from vulnerable ones.


The soft market isn't soft for everyone. It's bifurcating.


If you have multi-factor authentication (MFA), endpoint detection and response (EDR), tested backups, documented security training, and a Written Information Security Plan (WISP), you're golden. Premiums are falling 5-15% for you. Multiple carriers want your business.


If you don't have these controls? You're getting non-renewed. Or facing 50%+ premium increases. Or discovering that "soft market" doesn't apply to firms that can't prove basic security hygiene.


The market isn't softening. It's sorting.


Threats Are Accelerating

While premiums fell 6% in Q3 2025, here's what was actually happening in the cyber threat landscape:


Ransomware: According to Sophos's State of Ransomware 2024 report, 59% of organizations were hit by ransomware in 2023. The average ransom payment reached $2.73 million, with total recovery costs averaging $3.1 million per incident.


Business Email Compromise (BEC): The FBI's Internet Crime Complaint Center reported that BEC attacks caused $2.9 billion in losses in 2023—up 18% year-over-year and representing the costliest category of cybercrime.


Data Breach Costs: IBM's Cost of a Data Breach Report 2024 found the average global breach cost hit $4.88 million (up 10% from 2023), with U.S. breaches averaging $9.36 million (up 9%).


So we have: Market growing 15-20% annually. Premiums falling 6%. Ransomware payments averaging $2.73M. Data breach costs up 10%.


Why This Can't Continue

Insurance markets operate in predictable cycles. Always have, always will.


The Cycle:

Phase 1: Soft Market (where we are now)

  • Competition drives prices down

  • Carriers chase growth over profitability

  • Underwriting standards become more lenient (relatively)

  • New entrants flood the market

  • Customers enjoy lower premiums and abundant capacity


Phase 2: Loss Event (the catalyst)

  • Major cyber incident causes widespread claims

  • Or: Accumulated losses exceed premium income across the industry

  • Carriers realize they're underpriced for the risk

  • Financial results disappoint shareholders


Phase 3: Hard Market (the snap-back)

  • Carriers exit the market entirely

  • Remaining carriers raise premiums 50-100%+ overnight

  • Underwriting standards tighten dramatically

  • Coverage becomes scarce; many buyers become uninsurable

  • Market stabilizes at new, higher baseline


We've seen this pattern before, and recently.


The 2020-2022 Precedent

2017-2019: Cyber insurance in soft market. Premiums falling. Coverage easy to obtain. Carriers competing aggressively.


2020-2021: Ransomware explodes. Colonial Pipeline. JBS. Kaseya supply chain attack. CNA Financial (an insurance company!) pays $40M ransom. Insured losses skyrocket.


2022: Hard market snaps back with brutal force.

  • Premiums increase 50-100%+ year-over-year

  • Carriers add strict underwriting requirements (MFA mandatory, no exceptions)

  • Sub-limits on ransomware payments appear

  • Social engineering exclusions become standard

  • Hundreds of firms become uninsurable


2023-2024: Market stabilizes at new baseline. Premiums remain elevated but stop accelerating. Underwriting standards remain strict.


2025: Soft market returns. New carriers enter. Competition increases. Rates decline 6%.


2026-2027: [This is where we are in the cycle. The next loss event is coming.]


What the Smart Money Is Doing

According to Marsh McLennan's guidance for organizations navigating soft markets, sophisticated buyers are using the current environment strategically:

✅ Locking in multi-year policies before rates snap back upward

✅ Increasing coverage limits while capacity is abundant and affordable

✅ Improving security posture to qualify for the best available rates

✅ Documenting everything in preparation for stricter underwriting ahead

✅ Building relationships with multiple carriers (not just taking the cheapest quote)


What the smart money is NOT doing:

❌ Assuming cheap coverage will last indefinitely

❌ Delaying security investments to save short-term costs

❌ Reducing coverage limits to minimize premiums

❌ Ignoring carrier requirements because enforcement seems lax


The firms positioning themselves for the next hard market aren't the ones maximizing savings today. They're the ones investing in controls that will keep them insurable tomorrow.


The Small Firm Reality

Here's what's actually happening in the SMB market right now:


Well-Controlled Firms (MFA enabled, EDR deployed, backups tested quarterly, WISP documented, staff trained):

  • Premium decreases of 5-15%

  • Increased coverage limits available

  • Multiple carriers competing for their business

  • Smooth renewals with minimal underwriting scrutiny

  • Access to favorable policy terms (lower deductibles, fewer exclusions)


Poorly-Controlled Firms (no MFA, no documented security program, no tested backups):

  • Non-renewals despite "soft market" conditions

  • 50%+ premium increases (if coverage available at all)

  • Carriers declining to quote

  • Extensive exclusions (social engineering, ransomware sub-limits)

  • High deductibles and co-insurance requirements


The "soft market" exists only if you qualify for it.

And qualification standards are higher than ever. According to Coalition, Beazley, and Corvus—three major cyber insurers—baseline underwriting requirements now include:

  • Multi-factor authentication on ALL systems (not just email)

  • Endpoint detection and response software

  • Tested backup and recovery procedures (with quarterly documentation)

  • Security awareness training with completion records

  • Written Information Security Plan with named security owner

  • Vendor risk management program


No controls = No coverage. Regardless of market conditions.


Why This Window Matters

Current environment (12-24 months):

✅ Coverage is available and competitive

✅ Carriers are willing to write new policies for qualified buyers

✅ Premiums are stable or declining for firms with strong controls

✅ Time exists to implement controls and build documentation

✅ Multiple carriers provide options and negotiating leverage


After the next major event (2026-2027):

❌ Coverage becomes scarce overnight

❌ Premiums spike 50-100%+ within a single renewal cycle

❌ Underwriting becomes extremely strict (think mortgage lending after 2008)

❌ Market exits accelerate (carriers stop writing SMB cyber entirely)

❌ Many firms discover they're simply uninsurable at any price


Insurance Information Institute analysis confirms cyber insurance remains one of the most volatile insurance lines, with potential for rapid market shifts based on loss activity.


The window to prepare is finite. And narrowing.


What You Should Do Right Now

Action 1: Review Your Current Policy

Don't wait until 30 days before renewal. Review your policy now.


Questions to answer:

  • When does it renew?

  • What security controls are required (not recommended—required)?

  • What documentation must you maintain?

  • What's excluded (social engineering? ransomware sub-limits?)?

  • Can you prove compliance with all requirements right now?


If your renewal is within 6 months:

  • Ask about multi-year policy options

  • Request increased limits while capacity is available

  • Lock in current rates before market correction


Action 2: Implement Required Controls

Don't wait for your carrier to mandate these. Implement now:

✅ Multi-factor authentication (MFA) on all systems accessing sensitive data

✅ Endpoint detection and response (EDR) on all devices

✅ Tested backup and recovery with quarterly restore testing (documented)

✅ Security awareness training with completion tracking

✅ Written Information Security Plan (WISP) with named owner and annual reviews


Action 3: Document Everything

Carriers are underwriting based on proof, not promises.


What you need documented:

  • MFA implementation (screenshots, policy docs, enforcement logs)

  • Training completion records (who attended, when, topics covered)

  • Backup testing results (actual restore tests with dates and outcomes)

  • Security assessments (internal or third-party, annual minimum)

  • Incident response plan (tested via tabletop exercise, not just written)

  • WISP annual reviews (dated, signed by responsible party)


Why documentation matters: When you file a claim, carriers verify controls were active. No documentation = claim dispute or denial.


Action 4: Shop Strategically

In a soft market, carriers compete for good risks. If you have strong controls, get multiple quotes.


But don't chase the lowest premium blindly. Compare:

  • Exclusions: Social engineering covered? Ransomware sub-limits?

  • Requirements: Can you actually maintain documented controls?

  • Financial strength: Will carrier be solvent when you need them? (Check AM Best ratings)

  • Claims reputation: How do they handle disputes? (Ask your broker for data)

  • Incident response support: Do they provide IR services or just money?


The cheapest policy often becomes the most expensive when claims are denied.



The Bottom Line

The current soft market is a window, not a permanent state. Use it to:

✅ Lock in coverage while available and affordable

✅ Implement controls while you have time (not under renewal pressure)

✅ Document compliance before it's urgently needed for claims

✅ Build carrier relationships before you're desperate


Because when the market snaps back, and history says it will, premiums won't increase 10% or 20%. They'll double. Or triple.


And many firms won't be able to get coverage at any price.


Three Questions

  1. When does your cyber insurance policy renew?

  2. Can you prove you meet all policy requirements right now—with documentation?

  3. What's your plan when premiums double and coverage becomes scarce in 2027?

If you don't have confident answers, the soft market is your opportunity.


Don't waste it.


P.S. The best cyber insurance claim is the one you never have to file. But if you do file one, documentation is the difference between "approved" and "you're on your own."