Cyber insurance is growing quickly, but it still has big holes and problems. Matthew Belkin, head of cyber services at Acrisure Cyber Services, says the industry is young and evolving fast. While the first cyber insurance policy was issued by AIG back in 1997, the sector is still far behind traditional insurance lines, especially when it comes to coverage.
Many small and mid-sized businesses (SMBs) are not protected. A recent Acrisure survey found that 82% of U.S. businesses with fewer than 500 employees don’t have a dedicated cyber insurance policy. This creates a major risk for insurers but also a chance to expand the market.
A key event that highlighted these issues was the 2024 CrowdStrike outage. It wasn’t a hack, but a software update that caused system failures worldwide. This led to huge disruptions, like grounded flights and crashed systems, with global damages estimated at $5.4 billion. Insurer losses were much smaller, partly because many policies excluded this type of problem or had waiting periods that made coverage useless. Now, lawsuits from big companies like Delta Airlines are focusing on whether CrowdStrike acted with gross negligence.
Customer demands are changing. Instead of just covering attacks, clients want protection against any operational problems caused by their software providers or internal errors. To keep up, insurers are shifting from yearly questionnaires to continuous data collection using APIs. This lets them monitor a company’s risk in real time based on security tools, which makes pricing more accurate and responsive.
The biggest gap and opportunity is with SMBs. More than half of those without coverage say they are very likely to buy a policy in the next year. Yet many still don’t understand cyber insurance or have never been offered it. A 2024 Munich Re survey showed 28% of companies said they were never offered cyber insurance, while 26% didn’t even know it existed. On top of that, 23% were confused about what is covered.
To address this, Acrisure launched Simple Cyberâ„ , a package that combines managed detection and response, email security, and insurance. This approach aims to provide both protection and financial backup in one solution.
However, there’s still work to do in understanding systemic risks. Belkin explains the industry needs better tools to predict big-scale failures, much like how natural disaster risks are modeled for property insurance. Right now, current methods don’t fully capture threats from digital supply chains or coordinated cyber events.
Looking ahead, Belkin says managed service providers (MSPs) can no longer rely just on reselling cybersecurity products. With rising cyber threats and a shortage of skilled experts, MSPs will have to offer automation, unique tools, and expert advice. This shift is necessary to stay competitive and relevant in the changing landscape.
In short, cyber insurance is on the rise but faces many challenges. The industry must improve coverage, educate businesses, and develop smarter risk models to meet today’s cyber realities.