Cyber insurance prices are dropping, but insurers remain firm in the market. Despite buyers seeing a more favorable market, insurance companies are holding steady and not retreating, according to Matt Chmel, head of cyber solutions for North America at Aon.
This competitive environment is driven by existing insurers protecting their current clients and new companies entering the space. As a result, average cyber insurance rates fell by 4% in the second quarter of 2025, marking the eleventh consecutive quarter of price reductions. This downward trend is expected to carry on through the end of the year, although some segments are showing caution due to recent loss trends.
Chmel said some areas of the market are experiencing higher loss rates, mainly from claims in 2023 and earlier. While some insurers are approaching break-even or worse on their losses and expenses, no major players have exited the market. Coverage options remain strong, with insurance programs still expanding. Retentions—how much clients pay out of pocket before insurance kicks in—are stable, and there is plenty of capacity available. Clients can still adjust their retentions to lower premiums, but overall policy structures have not changed significantly.
Buyers are becoming smarter in how they purchase cyber insurance, using more data and analytics. Customers are optimizing their insurance programs by restructuring coverage layers and modeling their protection based on actual risk exposure. This shift is especially timely since ransomware continues to dominate cyber claims, while privacy-related claims are rising due to increased litigation linked to tightening regulations around data collection.
Interestingly, companies that once didn’t buy cyber insurance are now reconsidering. Many small and mid-sized businesses still skip coverage, but some are beginning to reach out after recent high-profile cyber attacks in sectors like retail, airlines, and healthcare. Incidents such as the CrowdStrike outage, CDK breach, and Scattered Spyder attacks have sparked fresh concerns about risk and how to handle it.
Not all firms rely on insurance alone. Some, like the UK’s Co-op supermarket, choose to focus only on IT security. Chmel advises against this approach. While strong security is vital, companies also need a financial safety net to protect their balance sheets if security measures fail. He suggests working closely with brokers and IT teams to understand both risk exposure and financial tolerance.
Artificial intelligence is adding new layers of risk. Chmel breaks AI-related exposures into four categories: companies using AI for defense, hackers using AI to improve attacks, businesses adopting third-party AI tools, and AI developers facing risks linked to their creations. Each comes with its own challenges requiring careful attention.
Privacy issues remain a big worry. With new state laws like CIPA, BIPA, and VPPA, privacy lawsuits are on the rise. Insurers vary widely in how they handle these risks; some underwrite them well, while others avoid offering coverage altogether.
One persistent challenge is the slow uptake of cyber insurance in small and mid-sized businesses. Chmel points out that these segments remain underinsured. Brokers are trying new methods like group purchasing and embedded coverage to expand access. Educating middle-market companies about how cyber insurance works is a key focus. Larger clients, meanwhile, need advanced analytics to match coverage precisely to their evolving risks.
Overall, cyber insurance is becoming more competitive and more tailored to specific risks. Buyers are getting sharper about what they need. Yet, challenges remain, especially in reaching smaller businesses and dealing with new threats from AI and privacy laws. It’s clear that both security measures and insurance protection are essential to managing today’s cyber threats effectively.