RATE TRENDS: -2% to -3%

Even as cyberattacks grow more frequent and sophisticated, tighter underwriting standards and stronger resilience measures by policyholders are keeping claims costs in check and loss ratios stable, supporting continued market stabilization into late 2025 and 2026.

Market Update | Q3

The cyber insurance market has shifted from the volatility of 2021–2023 into a period of relative stability. Rate hikes that once peaked at 34.3% in late 2021 have cooled, with Q3 2025 showing average reductions of 2–3%, and select insureds still achieving double-digit decreases. Increased underwriting profitability, new entrants, and expanding capacity have made the market buyer-friendly. Some carriers, however, remain cautious and are walking away from accounts where pricing adequacy is in question.

Most insureds are now seeing flat premiums or modest rate declines, with average reductions of 2–3% in the third quarter of 2025. Some policyholders continue to secure double-digit decreases, reflecting strong competition and available capacity. Still, a number of insurers are declining higher-risk accounts, underscoring ongoing concerns about profitability and pricing adequacy in the segment. Looking ahead to 2026, rates are expected to remain stable to slightly down for well-protected risks, while underwriters may tighten terms and push selective increases in higher-exposure industries such as healthcare, financial services, and public entities.

Current Market Trends & Cost Drivers

Although the cyber insurance market has stabilized, several cost drivers remain a concern. The use of tracking technologies such as biometrics, pixels, and cookies exposes organizations to privacy risks that are increasingly attracting regulatory action. Enforcement under laws like the Biometric Information Privacy Act (BIPA), the Video Privacy Protection Act, and the California Invasion of Privacy Act has accelerated. In July 2025, California fined Healthline $1.55 million for failing to honor opt-out requests and sharing data that implied sensitive information, while a class action in Illinois accused Home Depot of using facial recognition at self-checkout without consent, with potential damages up to $5,000 per violation.

These cases highlight how privacy missteps are now leading directly to costly settlements, lawsuits, and nonbreach claims, a trend expected to intensify in 2026 as regulators broaden oversight and raise penalties.

Advances in artificial intelligence (AI) continue to raise cybersecurity concerns. Criminals are deploying AI-driven tools to craft sophisticated scams, breach vulnerable systems, and analyze stolen data undetected. Deepfake attacks, in particular, remain a serious risk. The largest known loss occurred in 2024, when scammers conned a multinational firm out of $25 million, none of which has been recovered.

By 2026, underwriters are expected to demand stronger AI-risk management programs, including authentication controls, voice and video verification protocols, and supply chain assessments.

Similar to previous years, ransomware remains a key exposure in the cyber insurance space. Analyses from threat intelligence platform Cyble found that attack frequency jumped nearly 150% year over year in early 2025, though claims costs are stabilizing thanks to broader adoption of backups and incident response planning. More organizations are refusing to pay ransoms, helping reduce payouts.

Still, insurers are tightening requirements, and by 2026 will likely mandate ransomware readiness testing and third-party verification to secure favorable terms.

CYBER CLAIMS

By Q3 2025, Business Email Compromise and Funds Transfer Fraud account for 60% of cyber insurance claims.

Finally, social engineering remains the dominant driver of claims. Business email compromise (BEC) and funds transfer fraud (FTF) now account for about 60% of cyber claims, with small and midsized businesses the most frequent targets. In Q3, underwriters increased scrutiny on email protections, secure payment protocols, and employee training.

Looking to 2026, carriers are expected to further condition coverage on the deployment of advanced email security solutions and multi-factor authentication, making these safeguards essential for insurability.

The Road Ahead: Late 2025 into 2026

Solid loss ratios and heightened competition are expected to keep cyber premiums stable and coverage widely available through the end of 2025 and into 2026, with some expansion in offerings. At the same time, insurers are intensifying scrutiny of security controls and compliance in response to stricter privacy laws, AI-driven threats, ransomware, and social engineering exposures. High-profile incidents such as the CrowdStrike outage and Change Healthcare breach show how quickly one event can upend the market, making strong, tested cybersecurity programs the best defense for insureds seeking favorable terms in the year ahead.

Cyberattacks affect businesses of every size.

Small and mid-sized companies are often easy targets, making strong protection critical for your data, clients, and employees. Below are tips to help reduce your exposure:

Educate Employees

Provide ongoing, practical training so employees know how to spot phishing attempts, avoid unsafe downloads, and use good password practices.

Protect Continuity

Back up critical data often and store copies in secure cloud or offsite locations. Test recovery to confirm backups will work during a crisis.

Strengthen Your System

Use firewalls, spam filters, antivirus, and endpoint protection across all devices. Keep everything patched, and require VPN use for remote connections.

Establish Clear Policies

Clearly define how employees should handle device use, email, internet, remote access, and incident reporting. Keep policies short, direct, and practical.

Control Access

Restrict sensitive data to trusted users only. Require strong passwords, multifactor authentication, and updates. Review access permissions regularly.

Plan Ahead

A strong response plan is built before an incident, not after. Establish clear responsibilities, communication channels, and tested procedures to reduce damage and downtime.

Closing Out 2025. What to Expect:

  • Continued rate stabilization
  • Stringent underwriting standards
  • Emphasis on security controls and compliance
  • Closer review of AI-driven exposures

Partnering with SterlingRisk

At SterlingRisk, we are closely monitoring these market dynamics and proactively advocating for our clients. Your account team is ready to review your current position and recommend steps tailored to your unique needs. Reach out today to ensure you are positioned for success heading into year-end.

 

Questions or need help preparing? For additional risk management guidance, contact us today.

DISCLAIMER: This article is provided by SterlingRisk for informational purposes only and should not be taken as legal advice. For legal advice, consult with your legal counsel.
