
Cyber Insurance Rates Have Dropped – a Lot. What Gives?

In the increasingly competitive industry, cyber insurers are figuring out how to make money on this new and complex product. And they are now competing for new customers. That’s a good thing. But buyers need to go in with eyes wide open.


After surging to brutal levels during the pandemic, when everyone suddenly had to work remotely, cyber insurance rates have fallen significantly. You read that right: fallen, significantly.

So what changed, and what’s the catch?

A recent report from Howden, a UK-based insurance broker and underwriter, showed cyber insurance premiums have fallen 15% globally since their peak in mid-2022, despite an increasingly challenging threat landscape. In addition to the price decreases, which vary by region, Howden says capacity is up, and insurers are now more willing to increase limits, remove ransomware-related coverage restrictions, and lower retention levels. Meanwhile, U.S. rates fell 5% in the second quarter of this year, the fifth consecutive quarter of rate declines, according to Marsh, a New York-based insurance broker.


Howden and industry experts say industry maturation and increasing competition are the main drivers of the price drops. S&P Global reportedly says cyber risk coverage is now one of the fastest-growing insurance products and is expected to exceed $20 billion by 2025, up from about $15 billion in 2023.

That wasn’t the case just a few years ago, when rates were peaking. Cyber insurance, at the time, was still a relatively new product compared to home, life, and auto insurance. Insurers hadn’t figured out what to charge to clear a profit.

Things grew considerably worse during the pandemic as millions of workers suddenly had to do their jobs remotely, increasing data privacy concerns and causing a spike in cybercrime. Some insurers responded by restricting coverage, adding exclusions (especially for ransomware attacks), and raising rates. Other carriers left the business altogether.

Now it’s a different ballgame. So far, though, businesses aren’t biting – at least not entirely. And there’s a good (albeit not entirely sound) reason for that.

A stabilized cyber insurance market

Insurers now have largely figured out their models, know how to make money, and are competing to land new customers, even as significant security incidents persist.


“Favourable dynamics have persisted into 2024, with the cost of cyber insurance continuing to fall, despite ongoing attacks, heightened geopolitical instability, and the proliferation of Gen AI,” said Sarah Heild, Howden’s head of cyber retail, in a statement. “The foundations for a mature cyber market, with innovation and exposure-led growth at its core, are now in place.”

Translation: The cyber insurance industry has finally worked out its underwriting models, so the market has stabilized. Underwriting profits are strong and expected to stay that way. And carriers are chasing customers by emphasizing growing cyber risks while offering attractive deals for insuring against them.


That sounds like a buyer’s market. And yet few buyers are taking advantage of it. While data shows most enterprise security technology decision-makers have some form of cyber insurance coverage, only one in four had a standalone policy in 2023, according to Forrester.

Why cyber insurance generates skepticism

Ilia Kolochenko, a partner at Platt Law LLP, a D.C. and New York–based law firm focused on cybersecurity, and CEO of ImmuniWeb, a global application security company, says a key reason is that many businesses don’t understand the product. Some see it as an either-or situation: You buy cyber insurance to hedge against an incident, or you invest in cybersecurity technology to prevent incidents. But you don’t do both. Kolochenko says that other companies are simply skeptical of insurers’ motives. They fear that if they suffer a cyber event, carriers will cite all sorts of hidden clauses, caps, limits, and exclusions to avoid paying, leaving them in the lurch.


And there’s something to be said for that. Claims are climbing: Marsh, for example, announced its U.S. and Canadian clients filed 1,800 cyber insurance claims in 2023, a record for the company. Yet Security Boulevard states that 99% of companies filing claims that year weren’t fully reimbursed because their expenses exceeded policy limits. Coverage limits typically range from $500,000 to $5 million per occurrence, according to Embroker, a commercial insurance firm. IBM, meanwhile, reported the global average cost of a data breach in 2024 was $4.88 million, a 10% increase from the prior year, which means an average-sized breach can exhaust even a policy at the top of that range.

Kolochenko tells the story of a chief information security officer (CISO) at one organization who suffered a breach, filed a cyber insurance claim, and was pleasantly surprised when his carrier paid everything, no questions asked.

“He was super happy and said, ‘We should probably start reducing our cybersecurity budget. We no longer need those security controls; we have cyber insurance!’”


Then, the enthusiasm faded. A few months later, the client called Kolochenko in a panic to say his company had been hit by another cyberattack and needed help.

“He told me, ‘Listen, Ilia, according to our contract, only one incident is subject to insurance coverage per calendar year. This is our second incident. It’s a major-disaster data breach, and we’ll probably suffer millions in losses. But our insurer respectfully sends us to hell, saying they already paid several thousand dollars for our prior claim. What should we do?’”

Keep those eyes wide open

Kolochenko says such horror stories shouldn’t dissuade companies from considering cyber insurance, especially with today’s lower rates. In fact, they should consider it. However, he says companies need to evaluate policy options with their eyes wide open and take the time to understand them, because they can be complex.


In addition to having your insurance buyer and CFO meet with your insurer, “You can bring your IT director in the room and have a pretty nerdy conversation about what’s on that application,” says Peter Hedberg, VP of cyber underwriting at Corvus Insurance. “If they can go deep on that stuff, that’s the sign of a pretty good agent. Because it’s technical now.”

That’s even truer when prices drop.

“When prices fall on simple commodities, like a can of Coke or a GM car, that’s generally a good thing for consumers,” Kolochenko says. “But for complex products like cyber insurance, when prices go down, it likely means something changed. If something improved, it’s more likely it improved for the insurer rather than the insured. If an offer seems too good to be true, it could be true. But I always suggest scrutinizing the terms and conditions, talking to your insurer, and ensuring you’re on the same page, while preserving all written communications with them about your mutual understanding of contract clauses and their meaning.”


Scrutiny doesn’t mean having one employee review the paperwork or call an insurance broker. Rather, it means involving a multidisciplinary group of people, just as insurance companies do on their side.

“Cyber insurance is a mix of science, art, and law,” Kolochenko says. “You really need to have techies, risk professionals, and lawyers with cybersecurity experience involved in evaluating policies.”

Wendy Lowder

Wendy Lowder is a freelance writer based in Southern California. When she’s not reporting on hot topics in business and technology, she writes songs about life, love, and growing up country.
