Key Takeaways
2024 was a turbulent year for cybersecurity, which carried over to cyber insurance. From the Change Healthcare ransomware attack that left many medical practices without insurance payments to Ivanti’s zero-day vulnerability that affected private and public organizations, it’s clear that threat actors were one step ahead of those trying to protect their systems. Gartner predicts that this year, information security spending will increase by 15%, totaling $212 billion. Let’s explore how these trends affected the price of cyber liability insurance and what we should expect for this coming year.
Cyber Insurance Market Review
At the beginning of 2024, most underwriters believed that ransomware would be the main threat to businesses, and many said cyber risk could increase significantly. These predictions definitely didn’t fall short in a year filled with new cybersecurity policies from the US Securities and Exchange Commission (SEC), ongoing cyber warfare, and evolving AI use.
Cyber Trends of 2024
Gearing up to fend off cyber threats is all about knowing which risks are looming large in the current landscape. Here are some of the most relevant ones:
- AI-powered attacks: While AI has been a major advantage in automated cybersecurity, malicious actors are also using the technology to power attacks. Social engineering is among its most common uses, ranging from deepfakes to sophisticated phishing attacks. It’s also helping hackers detect weak attack surfaces and exploit them much faster.
- More severe ransomware: The cybersecurity industry sighed in relief at the beginning of the year when ransomware attacks seemed to have decreased. However, it wasn’t long until the severity of attacks got worse, meaning they became more targeted and demanded higher ransoms from victims. For example, businesses with $100 million or more in revenue experienced a 140% increase in losses due to ransomware.
- Supply chain: Many critical supply chain attacks in 2024 originated from third-party vendors like cybersecurity or SaaS companies that are crucial to many operations. From the JavaScript to the Cisco Duo attacks, these disruptions in vital services created a domino effect across the supply chain that delayed services in sectors like healthcare, finance, aviation, and more.
- Geopolitical cyber warfare: With many geopolitical conflicts escalating across the globe, nation-state targeted cyber attacks have also risen as a result. Insurers have taken note of this phenomenon, beginning to make exclusions for war in cyber liability coverage.
With all these trends unfolding, the following CRC Monthly Renewal Pricing Analysis graph from October 2024 is a reflection of the current pricing trends.
Source: Cyber REDY Index Q3 2024
Industries with the Most Cyber Attacks
How robust should your cybersecurity be? While every organization should be prioritizing it, the following industries should be even more careful when securing their systems and assets. To illustrate, we’ve included their share of cyber attacks reported by IBM in its X-Force Threat Intelligence Index 2024:
- Manufacturing: 25.7% of all attacks
- Finance and Insurance: 18.2%
- Professional, business and consumer services: 15.4%
- Energy: 11.1%
- Retail and wholesale: 10.7%
- Healthcare: 6.3%
- Government: 4.3%
- Transportation: 4.3%
- Education: 2.8%
Cyber Liability Claim Examples
To better understand the scope of cyber liability coverage, let’s examine some real-world examples of common cyber claims.
Over four dozen lawsuits against Change Healthcare
As a surprise to no one, Change Healthcare has been the target of numerous lawsuits due to the ramifications of its ransomware attack in early 2024. This incident caused several medical practices to stop receiving insurance payments and patients to receive deficient services as a result.
The cases have been consolidated into one multidistrict litigation in the state of Minnesota, and talks of a possible settlement were scheduled to take place in mid-December 2024. This data breach shook a large chunk of the US healthcare system and has since become known as one of the most infamous cyber attacks the industry has ever seen.
Cascade Eye and Skin Centers settles lawsuit with the HHS and OCR
The healthcare industry took major hits in 2024. This time, the Washington-based private healthcare provider Cascade Eye and Skin Centers was the victim of a ransomware attack that affected approximately 291,000 files containing electronic Protected Health Information (PHI).
The company failed to disclose this, which led the Office for Civil Rights (OCR) to lead an investigation that found multiple potential HIPAA Security Rule violations. Subsequently, the OCR and the US Department of Health and Human Services (HHS) sued Cascade Eye and Skin Centers, settling for $250,000.
Columbus, Ohio, receives class action lawsuit from two police officers
The city of Columbus, Ohio, suffered a wave of ransomware attacks during the summer, potentially stemming from nation-state cyber warfare sponsored by Russia. This specific lawsuit comes from two police officers, one undercover, who claim the city didn’t promptly inform them of a data breach involving personally identifiable information like Social Security numbers, email addresses, and more, from police officers, firefighters, and other current and retired city employees.
The officers argue that the city has an implied agreement to safeguard its employees’ data, which it broke with this breach. The undercover officer also alleges that, in particular, his identity, ongoing investigations, and his own safety and that of his family are in danger as a result of his information being stolen and auctioned by the ransomware group.
Cyber Risk Management Guide
Factors Impacting Cyber Insurance Pricing
The rocky times cybersecurity has experienced lately reflect on cyber liability prices as well. According to CRC Group’s Cyber REDY Index study on Q3 2024 — which informs on overarching trends that could roll over to 2025 — rates continue to increase for underwriters.
The most salient figure shows that, for those renewing their cyber liability policy, there was a 44% increase in Q3, a 5% increase year-over-year. Twenty-nine percent of accounts remained flat, a 3% decrease from last year.
The report also highlights that ransomware, business email compromise, and social engineering attacks continue to rise, but policy prices can’t continue to increase — price stabilization is expected for next year.
The most common claims reveal that MFA for remote access and email, offline backups, employee training on security and phishing issues, and dual authorization for wire transfers are where the biggest starting risks lie. This shows a general need for more security in remote work environments.
Lastly, industries like manufacturing, architects or engineering firms, healthcare, real estate, municipalities, schools, managed service providers, utilities, law firms, and other industries that handle PHI must seek specialized cyber brokers to ensure comprehensive coverage.
Cyber Insurance Outlook for 2025
Based on cyber insurance pricing and the cybersecurity landscape in 2024, let’s explore what we can expect this year.
- Specialized coverage: As cyber threats become more sophisticated and targeted depending on the industry, insurers are developing specialized coverage options to address specific risks, such as ransomware, data breaches, and business interruption. We anticipate seeing more and more specialized coverage in 2025.
- Stricter underwriting: As cyber liability insurers adjust to a rising number of cyber attacks, they’re implementing rigorous underwriting processes to assess the cybersecurity posture of potential clients, focusing on factors like data protection practices, incident response plans, and third-party vendor security. This means the more secure a company chooses to be, the higher the chances will be to have a seamless renewal or new signing process. Take note of this sharpening — underwriters undoubtedly will!
- Increased focus on risk management: Due to more stringent underwriting processes, as mentioned, insurers are encouraging policyholders to adopt strong cybersecurity practices, such as regular security assessments, employee training, and incident response planning. Risk management has become a mighty tier in your ultimate defense, so now is the time to fortify.
7 Tips to Manage Cybersecurity Risks
In light of rising pricing trends alongside difficult cybersecurity blows in many industries in 2024, a few tips are due. While companies can’t see their future, the best way to ensure they won’t end up as a data breach headline is by planning and enforcing proper risk management strategies.
1. Employee Training
Talent is the beating heart of a startup. Without gifted employees, daily operations wouldn’t be possible, and goals wouldn’t be met. At the same time, cyber attacks largely happen through social engineering targeting employees, which is why it’s crucial to train your team. Cybersecurity awareness programs are the best way to keep staff informed on the latest phishing and social engineering trends, plus instruct them about how to act regarding suspicious activities and the aftermath of an incident.
2. Strong Password Policies
Passwords are still a seminal part of an organization’s security practices. It might seem like an insignificant matter, but weak passwords make it much easier for hackers to log into internal accounts and wreak havoc. As such, it’s crucial for everyone with access to company software to use strong passwords to keep assets safe.
3. Regular Software Updates
Outdated systems are often a weak spot that hackers can easily exploit. Keeping software updated means it’s caught up with the latest security patches, where developers catch attack surfaces and secure them before malicious actors can seep through these cracks. Without an update, none of these improvements can reach users, representing a major albeit imperceptible gap in cybersecurity.
4. Network Security
This is the most basic form of cybersecurity, yet many companies might overlook it in favor of more complex security practices. Securing networks is all about implementing firewalls, intrusion detection systems, and other security measures that protect the network infrastructure of an organization. That way, the most visible entry point of any business is safe from harm.
5. Data Backup and Recovery
Thinking ahead also includes planning for the worst case scenario. In the event of an attack, where data is often encrypted, a simple backup and recovery plan can make all the difference. Regularly backing up systems allows companies to regain access to their data even when hackers steal and encrypt it, minimizing business interruptions in the midst of a stressful incident.
6. Incident Response Plan
Similar to running a data backup, an incident response plan prepares every party in an organization to react accordingly whenever an attack takes place. The better prepared teams are, the less downtime is experienced, which translates into a smaller financial and reputational burden. This plan should also include immediately assessing the scale of the event and reporting it to the necessary parties.
7. Cybersecurity Insurance
Insurance is vital for keeping businesses afloat in the event of a cybersecurity incident. Cyber liability insurance can be as tailored as companies need it to be, offering industry-specific approaches that ensure assets, employees, executives, and clients are protected when situations arise.
In today’s complex cybersecurity climate, companies must equip themselves with a mix of outstanding risk management strategies and appropriate cyber insurance that will see them through difficult times. As industries face a new normal in cyber attack volume, insurance prices are set to increase and eventually stabilize depending on how well companies can secure their systems when renewing their policies.