The Future of Cybersecurity

Cyber Insurance 2026: Navigating an Evolving Landscape of Risk and Opportunity

As the digital frontier expands, so too do the risks that businesses face. In this rapidly evolving landscape, cyber insurance has emerged as a critical mechanism for risk transfer, yet its effectiveness and accessibility remain subjects of intense debate. SecurityWeek’s Cyber Insights 2025 report delves into the expected evolution of various cybersecurity domains over the next year, drawing on the collective wisdom of hundreds of experts. Our focus here is on cyber insurance – a sector grappling with unprecedented challenges and poised for significant shifts.

Often viewed merely as a safety net, cyber insurance is increasingly recognized as a silent driver for improved cybersecurity. By incentivizing better risk management practices, it holds the potential to reduce premiums, offering tangible value for money. But can the cyber insurance industry truly keep pace with the ever-changing nature of threats and the burgeoning attack surface? Can insurers strike a balance between comprehensive coverage and sustainable costs?

The Evolving Cyberinsurance Market: Growth, Gaps, and an Artificial Softness

The adoption of cyber insurance as a crucial tool for cyber risk transfer is undeniably on an upward trajectory. However, despite this growth, a significant portion of the market remains untapped, particularly among Small and Medium-sized Enterprises (SMEs). Less than half of all SMEs are currently thought to carry cyber insurance, representing a vast, underserved segment. In the US alone, with approximately 33 million businesses categorized as SMEs, the market potential is immense.

The hesitation among SMEs often stems from a misplaced sense of security or a misunderstanding of existing coverage. Many SMEs erroneously believe they are too small to be targeted, or that their general business insurance policies will cover cyber-related incidents. This misconception can prove catastrophic.

Kimberly Holmes, senior counsel at Dykema law firm, highlights this critical gap: “All too often I see businesses in the midst of a data privacy / cybersecurity event scrambling to see which business insurance policy they have might assist in reimbursing legal and forensic expenses (both immediate, up-front costs that are very expensive to pay for out of pocket without cyber insurance coverage).”

When a compromise occurs, SMEs are frequently ill-prepared for the immediate legal and forensic expenses that follow. Regulations increasingly demand rapid reporting of breaches or security incidents involving data privacy, necessitating quick access to specialized legal and forensic expertise – resources SMEs typically lack in-house. Cyber insurance, unlike general business insurance, is specifically designed to respond swiftly, approving the retention of defense counsel and forensic vendors at the crucial outset of an incident.

The ‘Artificial Soft Market’ and Impending Hardening

The cyber insurance market is currently experiencing what Prashant Pai, EVP global head of business development for KnowBe4, describes as an “artificial soft market.” He explains, “Essentially, even while claims are growing and losses are increasing, there are large amounts of new capital entering the market, which is leading to low premiums.” This influx of capital has created a temporary buyer’s market, but experts predict this won’t last.

“2025 should see the market catch up to reality and see a gradual hardening over the latter part of 2025,” Pai forecasts. “This means premiums will go up, but also with potentially tighter sublimits and increased underwriting scrutiny.” This shift will compel businesses to reassess their cybersecurity postures and the value of their insurance policies.

The fundamental challenge for insurers lies in balancing their books amidst a continuous rise in breach costs and the sheer volume of attacks. Their options for maintaining profitability are limited: either increase premiums and exclusions (a simpler, albeit less sustainable, path) or somehow contribute to reducing breaches (a complex task not entirely within their control). By the time equilibrium between income and claims is achieved, the risk landscape invariably expands, perpetuating this cycle.

The Underwriting Conundrum: Calculating Risk in a Dynamic World

One of the most significant hurdles for cyber insurers is the inherent difficulty in accurately assessing risk and calculating appropriate premiums and exclusions. The sheer complexity and diversity of modern technology stacks make this a formidable task.

Kai Roer, CEO and founder at Praxis Security Labs, elaborates: “One customer may have an old IBM mainframe in their basement, while also having a large cloud infrastructure, and everything in between. Another customer may only have a small cloud infrastructure, with well documented integrations and regular testing. These two companies should most likely have different premiums – but how does cyberinsurance determine the right premium for each one?”

To a large extent, Roer suggests, insurers are forced to “guestimate premiums, exclusions, and – if a breach occurs – payouts.” This imprecise methodology underscores the industry’s struggle to keep pace with rapid technological advancements and the ever-evolving threat landscape. Compounding this challenge, the political climate in 2025, particularly a potential shift away from certain forms of regulation in the US, adds another layer of unpredictability.

Cyberinsurance vs. General Business Insurance: Key Differences for SMEs

| Feature | Cyberinsurance | General Business Insurance (e.g., CGL) |
|---|---|---|
| Primary Scope | Specific to cyber risks: data breaches, cyberattacks, ransomware, business interruption due to cyber events. | Broader business risks: property damage, bodily injury, general liability, some limited tech errors. |
| Incident Response | Typically includes access to and reimbursement for legal counsel, forensic experts, breach coaches, notification costs. | May offer some legal defense for specific liability claims but generally lacks cyber-specific incident response. |
| Data Privacy Liabilities | Covers regulatory fines, legal defense, and settlement costs related to privacy violations (e.g., GDPR, CCPA). | Very limited or no coverage for data privacy regulatory fines or specific cyber-related liabilities. |
| Business Interruption | Covers lost income and extra expenses directly resulting from a covered cyber incident. | Typically covers business interruption from physical damage; cyber-related interruption is often excluded or very limited. |
| Ransomware Payments | Often covers ransomware demands, negotiation, and decryption costs (subject to policy terms). | Generally does not cover ransomware payments. |
| Underwriting Focus | Detailed assessment of cybersecurity controls, policies, and incident response plans. | Focus on physical assets, operational procedures, industry risks, and past claims for general liabilities. |

Three Critical Areas Shaping Cyberinsurance in 2025

Beyond the general challenges, three specific areas are set to profoundly impact cyber insurance in 2025, each carrying the potential to elevate localized risks into systemic, ‘too big to handle’ catastrophes:

  1. The sudden rise and proliferation of generative AI (gen-AI).
  2. The unknown quantity of supply chain / third-party threats.
  3. The potential for increasing geopolitical cyberthreats.

1. Generative AI: A Double-Edged Sword for Cyber Risk

The conjunction of privacy concerns and generative AI presents a complex and difficult challenge. Major AI systems have been trained on vast datasets scraped from the internet, raising significant questions about the lawful acquisition of this data under privacy laws like GDPR and CCPA, as well as potential copyright infringement.

An Opinion from the European Data Protection Board (EDPB) dated December 18, 2024, underscores this complexity. While acknowledging that not all AI models are equal, it states that “the likelihood of direct (including probabilistic) extraction of personal data regarding individuals whose personal data were used to develop the model and (2) the likelihood of obtaining, intentionally or not, such personal data from queries, should be insignificant, taking into account ‘all the means reasonably likely to be used’ by the controller or another person.”

The ambiguity of terms like ‘likelihood’ and ‘insignificant,’ especially in the context of advanced techniques like jailbreaking and prompt injections, illustrates the immense difficulty regulators face. This regulatory confusion, while not a criticism of the EDPB, highlights the challenge of balancing personal protection with promoting innovation. AI models, often freely downloadable from platforms like Hugging Face with limited security or legality guarantees, introduce substantial new risks for businesses.

Kimberly Holmes believes this will “put a greater onus on the cyberinsurance industry to consider the privacy and other impacts to businesses (from a potential litigation standpoint, if not a regulatory one).”

Omid Safa, a partner at Blank Rome LLP, adds: “Because AI applications rely on the collection and processing of vast amounts of data, it will be important for companies to consider the AI tools they are using, and the information being collected when assessing their exposure and purchasing cyber insurance. Moreover, to the extent they have not done so already, policyholders will increasingly push insurers for policy language that confirms coverage for the ‘collection’ of such data.”

This discussion around policy language will intensify in 2025, with potential outcomes cutting both ways. Scott Seaman, a partner at Hinshaw & Culbertson LLP, warns: “The power of AI presents opportunities that companies cannot afford to ignore, yet the losses can be catastrophic. We expect to see more generative AI coverage endorsements, both granting coverage and excluding coverage.”

AI Regulation and Insurers’ Own Use of AI

Insurers themselves must navigate the careful use of AI. In July 2024, the New York State Department of Financial Services (NYSDFS), a proactive regulator, adopted a final circular on the ‘Use of Artificial Intelligence (AI) Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing.’ Seaman notes, “This Circular was issued as guidance to the insurance industry and imposes significant obligations on insurers using artificial intelligence systems or external consumer data and information sources for underwriting and pricing.” The interplay of AI, regulation, and cyber insurance seems destined for extensive legal challenges.

2. Supply Chain Vulnerabilities: The Hidden Tail of Cyber Risk

The increasing frequency and impact of supply chain attacks represent a current and growing concern for cybersecurity. Incidents like SolarWinds (proprietary software) and Log4j (open source) have exposed the long, often invisible, tails of interconnected systems. How insurers will adapt their coverage for supply chain risks will be a critical issue in 2025.

Joe Silva, CEO at Spektion, advocates for a shift in focus: “Cyberinsurers should shift their focus to understanding and underwriting third-party software risk. This area significantly contributes to breach events and is often under-addressed in risk assessments.” He emphasizes the need for insurers to evaluate the sprawl, oversight, and compensating controls related to third-party software usage, which is crucial for predicting an organization’s susceptibility to the growing volume of software vulnerabilities.

Scott Seaman points to an additional supply chain complication: “The CrowdStrike incident has caused insurers to focus on outages as well as cyberattacks and to focus more on the need to limit supply chain exposures in dependent or contingent interruption and other coverages.” This highlights that not all supply chain disruptions are traditional cyberattacks, yet their impact can be equally devastating.

As insurers better grasp the complexities of supply chain risk, their primary recourse to rebalance income and claims will likely be to increase premiums or implement stricter exclusions. Michael Lieberman, CTO and co-founder of Kusari, notes, “It’s hard for an insurance company to underwrite a policy for software supply chain security incidents when many organizations don’t do the bare minimum to keep track of the software in their supply chain in the first place.”

Achieving a mutually beneficial balance between cost and cover will remain a struggle, exacerbated by supply chain risks, throughout 2025. Peter Hedberg, VP, cyber underwriting at Corvus Insurance, states, “Balance is achieved only momentarily. As exposures and threat actors continue evolving, we meet that with our own evolution in security.” He adds, “The continued rise of third-party litigation which has quite a long tail but is also difficult to underwrite will be without question something we put more effort into underwriting next year.”

Challenges for Insurers in Underwriting Evolving Risks (2025 Outlook)

Each challenge area below lists its impact on insurers, followed by the potential recourse available to them.

Generative AI Proliferation
  Impact on insurers:
  • Unclear data privacy and copyright liabilities.
  • Difficulty assessing AI model security.
  • Rapidly changing regulatory landscape.
  • Increased litigation risk for policyholders.
  Potential recourse for insurers:
  • Develop specific AI coverage endorsements (grants/exclusions).
  • Increase scrutiny on AI usage in underwriting.
  • Push for clearer policy language on data collection/use.

Supply Chain & Third-Party Threats
  Impact on insurers:
  • Complex interconnectedness of systems.
  • Difficulty assessing third-party software risks.
  • Focus shifts to outages beyond direct attacks.
  • Increased third-party litigation.
  Potential recourse for insurers:
  • Underwrite third-party software risk more deeply.
  • Limit supply chain exposures in business interruption coverage.
  • Increase premiums/exclusions for inadequate supply chain security.

Geopolitical Cyberthreats
  Impact on insurers:
  • Blurred lines between state-sponsored and criminal attacks.
  • Difficulty applying ‘act of war’ exclusions.
  • Potential for systemic, catastrophic losses.
  • Increased disputes over war exclusion revisions.
  Potential recourse for insurers:
  • Refine and clarify ‘War Exclusion’ clauses.
  • Require robust geopolitical risk mitigation from clients.
  • Advocate for government intervention/backstops for systemic events.

Overall Risk Assessment
  Impact on insurers:
  • Dynamic threat landscape outpaces underwriting models.
  • Complexity of customer tech stacks.
  • Need for accurate premium calculation.
  Potential recourse for insurers:
  • Invest in advanced risk assessment technologies.
  • Demand higher cybersecurity standards from insureds.
  • Adjust premiums and sublimits to reflect true risk.

3. Geopolitical Tensions: The Blurring Lines of Cyber Warfare

The direct impact of global geopolitics on cybersecurity beyond existing hot zones like Ukraine and Gaza is a matter of ongoing debate. However, it’s vital to acknowledge historical precedents and current realities. The ‘axis of evil’ concept, though coined in a different era, finds a modern cyber parallel in nations like Iran, North Korea, Russia, and China – all established cyber adversaries. To assume that geopolitics will not affect cyber threats across the Western world from these actors would be naive.

Andrew Churchill, director of policy at the CSBR, warns about “the geopolitical tensions at play with NCSC (National Cyber Security Centre) highlighting the state actors threatening large scale cyberattacks against western CNI (Critical National Infrastructure), and organized crime groups extorting money from private businesses and public sector, typically through ransomware.” He notes that the blurring border between state-sponsored attacks (often carried out by proxies) and criminal activities complicates risk assessment. While this might limit the likelihood of a full-scale ‘cyber Armageddon,’ it significantly increases the debate surrounding ‘force majeure’ as an insurance policy exemption in the context of ‘hybrid war.’

This blurring line presents a formidable problem for insurers: Is a specific attack the work of a nation-state, a criminal group, or the former masquerading as the latter? And if it is unequivocally a nation-state, does that constitute an ‘act of war’ – an event often covered by explicit exclusions?

Omid Safa observes, “Given the conflicts in Ukraine and Gaza, we also anticipate more disputes regarding recent revisions to war exclusions that have attempted to blur the lines between traditional war-risks and cyber operations by hostile nation-states. Purportedly adopted to clarify coverage, such revisions have left much to be desired and only served to foster more confusion regarding the scope of coverage.”

Scott Seaman delves deeper, stating, “Insurers are adding updated War Exclusions, many are modeled on London [i.e., Lloyds] forms and other exclusions to preclude coverage for systemic or state sponsored cyberattacks.” Back in June 2022, a GAO report on Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks, highlighted potential losses from severe cyber incidents ranging from $2.8 billion to $1 trillion per event for the United States. Such figures clearly illustrate the systemic loss potential if multiple events affect a single insurer.

“For the past couple of years,” Seaman continues, “Lloyds has been requiring that standalone cyberattack policies exclude liability for losses arising from any state-backed cyberattack. There are at least four exclusion forms available. The exclusions must exclude losses arising from war (whether declared or not) and must apply to losses arising.” This move signifies a clear intent by the industry to limit exposure to state-sponsored attacks, yet the definition and attribution challenges persist.

The Path Forward: Balancing Cost, Coverage, and Proactive Security

Ilia Kolochenko, CEO at ImmuniWeb and partner at Platt Law LLP, encapsulates the current complexities: “The majority of existing cybersecurity insurance contracts do not expressly address the novel spectrum of risks, threats and attack vectors caused by rapid proliferation of gen-AI and third party incidents. Consider the notorious CrowdStrike outage, which was classified as a non-cybersecurity event by most cybersecurity insurances, eventually denying coverage. While from technical and legal viewpoints such classification is arguably correct, it certainly does not reflect reasonable expectations of insured companies.”

This disconnect between technical definitions, legal interpretations, and policyholder expectations is a core issue that needs resolution. The evolving risk landscape demands a similar evolution in insurance policies.

For businesses, especially SMEs, navigating this complex landscape means more than just purchasing a policy. It requires a proactive approach to cybersecurity. Better risk management practices are not merely a compliance burden but a strategic imperative that directly impacts insurability and premiums. Organizations that demonstrate robust cybersecurity hygiene, continuous monitoring, incident response plans, and third-party risk management will be better positioned to secure favorable terms.

The cyber insurance industry, in turn, must invest in more sophisticated underwriting models that can accurately assess dynamic risks, moving beyond ‘guestimates.’ This includes leveraging advanced analytics and potentially even AI (responsibly and ethically) to understand complex tech stacks and threat vectors. Collaboration between insurers, cybersecurity vendors, and government bodies will be crucial to developing standardized risk frameworks and fostering a more resilient cyber ecosystem.

Ultimately, the aim is to foster a symbiotic relationship where insurance incentivizes security, and improved security leads to more sustainable and comprehensive insurance offerings. This virtuous cycle is essential for widespread cyber resilience.

Conclusion: Cyber Insurance as a Cornerstone of Future Resilience

The insights from SecurityWeek’s Cyber Insights 2025 underscore that cyber insurance is far from a static product. In 2025, it will be shaped by an ‘artificial soft market’ transitioning to hardening, the disruptive potential of generative AI, the pervasive risks of supply chain vulnerabilities, and the volatile landscape of geopolitical cyberthreats. The debate around what constitutes adequate coverage, fair pricing, and clear exclusions will only intensify.

For businesses, particularly SMEs, understanding the nuances of cyber insurance and investing in robust cybersecurity measures is no longer optional; it is fundamental to survival and resilience in the digital age. For the insurance industry, the challenge lies in evolving underwriting methodologies, clarifying policy language, and aligning coverage with the dynamic realities of cyber risk, ensuring that policies genuinely meet the reasonable expectations of the insured. As the silent driver for improved cybersecurity, cyber insurance is poised to become an even more integral cornerstone of global digital resilience.
