After years of rapid expansion, premium growth has slowed—but the market remains profitable and full of untapped opportunity, particularly among mid-sized and smaller enterprises.
By Sam Tashima
The cyber insurance market has witnessed significant premium growth and popularity as an insurance coverage over the past 10 years. However, that growth in gross written premium has slowed significantly on a year-over-year basis over the past few years. From 2017 to 2022, global cyber insurance premiums grew by over 30%. While still increasing on an overall premium basis, the cyber insurance market growth slowed to roughly 5% from 2022 to 2025, according to a 2025 Swiss Re report.[1]
The significant growth from 2017 through 2022 was driven by both increased uptake of cyber insurance and higher limit purchases, as organizations evaluated and more accurately quantified their potential financial exposure to a cyber event. Growth slowed from 2022 to 2025 due to increased competition in the cyber insurance market. This competition was driven by favorable loss ratios, which attracted new capital from insurance carriers to write cyber insurance.
Even though the cyber insurance market is nearing an inflection point from a growth perspective, it remains a profitable line of business, and its opportunities for growth will need to extend beyond the current core regions, which predominantly have been the United States and portions of Western Europe. The United States and Europe account for approximately 87% of all cyber insurance premiums worldwide.[2]
Within the United States, 2024 was the first year in which overall cyber insurance written premiums declined. The direct gross written premium for cyber fell from approximately $7.25 billion in 2023 to $7.08 billion in 2024, according to Aon’s 2024 U.S. Cyber Market update, which draws information coming from the National Association of Insurance Commissioners (NAIC) Cyber Insurance Supplemental report.[3]
Cyber Insurance Loss Ratios Continue to be Profitable
The overall profitability of the cyber insurance product has remained fairly stable, as recent years (2022-2024) saw a total average loss ratio between 40% and 50%. The firming of the cyber insurance market began in 2020 and 2021, and it started to soften with negative year-over-year premium changes in Q4 2022. Compared with 2022 and 2023, the 2024 loss ratio experience was slightly higher, at a 49% loss ratio. This increase is not unexpected; given that the rate environment continues to be negative, and the year-over-year rate environment has now reached 11+ consecutive quarters of negative rate change.[4]
Beazley, one of the leading cyber carriers that specifically reports its cyber insurance results within its investor relations disclosures, recently reported a 48.5% loss ratio through the first half of 2025. Also notable is that the cyber-specific rate change experienced by Beazley in the first half of 2025 was a negative 6.8%. This negative rate change indicates that substantial competition still exists in the market, which contributes to the negative rate change.[5]
The number of direct U.S. cyber insurers from 2020 through 2024 has remained relatively static. The number of direct cyber insurance writers has stayed above 200, and 2024 was consistent with 2023 at 218 U.S. insurers reporting direct cyber written premium.
However, the market concentration continues to shift slightly. The distribution of written premium by the largest cyber insurers has continued to decline. The top five cyber insurers accounted for approximately 30% of the market in 2024, down from 32% of the market in 2023. The premium concentration difference for the largest cyber insurance carriers in 2024 is even more pronounced when compared to 2020, when the top five carriers represented 48% of the written premium.[6]
Opportunities for Growth
While the premium growth rate for the cyber insurance market slowed slightly beginning in 2022, there remains significant opportunity for growth within the sector. This growth can be achieved in two major ways:
- By analyzing the proportion of potential customers who do not purchase cyber insurance
- By driving awareness of the risk of uninsured or underinsured cyber events
Approximately 60% to 70% of all corporations with more than $1 billion in topline revenue purchase cyber insurance. However, only 40% to 50% of mid-market companies with $100M to $1B in topline revenue have purchased cyber insurance. This gap reflects both the reality that cyber insurance is often a net-new cost for organizations and a persistent lack of understanding—particularly among small and mid-market companies—of what cyber insurance actually covers. There is a sizeable, unaddressed market that could lead to further growth in the cyber insurance industry, provided non-purchasing companies better recognize the value of a discretionary insurance product like cyber insurance. The number of non-purchasing entities is even more pronounced among SME companies, those ranging from $10M to $100M in total revenue. For this sector of the economy, only 10% to 20% of organizations are purchasing cyber insurance.[7]
When analyzing large cybersecurity incidents, numerous incidents across a wide range of industries have resulted in total financial impacts exceeding $100M USD. The Scattered Spider threat group affected numerous industries in the first half of 2025, especially retail organizations.[8] For example, Marks & Spencer disclosed a £324M impact on operating profit[9], while the Co-op Group disclosed a £120M in lost profit due to its event. However, in comparing these two retailers, Marks & Spencer is expected to recover more than £100M through its cyber insurance program, whereas Co-op did not purchase cyber insurance and instead opted to enhance its cybersecurity posture.[10] This is a stark example of how organizations differ in their risk appetite and prioritization of capital expenditures when it comes to cyber insurance.
Jaguar Land Rover experienced significant operational disruptions due to a cybersecurity incident over the course of September, which affected three of its major manufacturing facilities. Compounding the impact of Jaguar, it did not have cyber insurance in place, meaning the entire economic loss from the cyber incident will directly affect its financial statements.[11] In addition to the retailer and manufacturing business interruptions previously mentioned, UNFI, a large food distributor, disclosed that its cyber business interruption issue adversely affected its net sales in fiscal year 2025 by $400M.[12] Business interruption and ransomware incidents are not the only issues impacting corporations, as AT&T settled its 2024 data breach for $177M in 2025[13], demonstrating that pure data breach liabilities continue to pose significant financial risk alongside major business interruption events.
In Alllianz’ 2025 Risk Barometer, cyber incidents rank as the top corporate risk concern, followed by business interruption.[14] Interestingly, despite cyber risk’s place at the top of the list of risk management experts’ concerns, data from Swiss Re show that many organizations still choose not to purchase cyber insurance. Given these top corporate concerns and the significant financial impacts from cyber related incidents, opportunities still exist within the insurance community to help organizations both understand the financial impact from a cyber incident as well as educate organizations on how cyber insurance can help protect the impact from a cyber incident. As leaders within organizations increase their understanding of cyber insurance as an insurance offering, potential exists for the uptake of cyber to grow, especially within the mid-market segment.
Impact of Privacy-Related Litigation
Outside of cyberattacks that may lead to data breaches or ransomware incidents, organizations need to be careful about their data usage and the privacy of the data they collect. In July 2024, Meta settled with the state of Texas for $1.4B over the unauthorized capture of personal biometric data.[15] Similarly, Alphabet settled for $1.375B in May 2025, also with the state of Texas, to resolve allegations of unlawful data collection practices.[16] These are just two examples of billion-dollar privacy settlements. Within the broader cyber insurance marketplace and the ever-changing data landscape, organizations need to strengthen their overall cybersecurity posture while developing a firmwide understanding regarding how they are using and collecting consumer data.
SEC Cybersecurity Disclosure Requirements
On Dec. 18, 2023, the Securities and Exchange Commission’s (SEC) cybersecurity disclosure requirements came into effect. The disclosure rules require publicly traded companies to file an Item 1.05 Form 8-K within four business days of determining that a cybersecurity incident is “material.”[17] This reporting has proven useful for actuaries by providing increased transparency around cybersecurity incidents that have has a material impact on organizations and by codifying the reporting rules. The Academy’s Committee on Cyber Risk published a paper describing the overall process and details around the SEC disclosure rules: “SEC Cybersecurity Disclosure Requirements and Related Directors & Officers Liability Risks.” The paper is part of the Academy’s Cyber Risk Toolkit.
Within these disclosure requirements, the SEC has imposed penalties against corporations for misleading cybersecurity disclosures. In October 2024, four organizations were charged and faced civil penalties for misleading disclosures related to the SolarWinds’ Orion software exploits.[18] In addition to SEC fines and penalties associated with cybersecurity rules and disclosures, there is the potential for securities class action settlements related to cybersecurity and privacy incidents. While not as common as Form 8-K disclosures, Equifax[19], SolarWinds[20], Google[21], and Okta[22] have all faced securities class action settlements associated with events that initially arose from cybersecurity and privacy incidents.
Opportunities for Growth Across an Increasing Risk
Despite slower premium growth over the past few years, the cyber insurance industry continues to offer significant opportunities for growth that can benefit both insurers and insureds. Threat actors have imposed considerable financial costs on organizations such as Marks & Spencer, Jaguar, and AT&T. Furthermore, privacy litigation from state attorneys general and consumer class actions continues to burden corporations. Despite these events, cyber loss ratios remain below 50% on average, and many organizations still do not purchase cyber insurance. In this context, the challenge is less one of actuarial sophistication—which is already developed and evolving in sophistication — and more one of carrier expansion, public understanding, and regulatory dynamics. Because cyber insurance remains a discretionary purchase, risk management budgets are often constrained, particularly among organizations that have not yet experienced a major event. As organizations reevaluate their need for cyber insurance and capital continues to flow into the cyber insurance market, both insurers and insureds can benefit from the increased adoption of cyber insurance and the financial statement protection it provides.
Sam Tashima, MAAA, FCAS, is chairperson, Committee on Cyber Risk.
Academy Resources on Cyber Risk
Here are several key resources from the Academy and the Committee on Cyber Risk:
- Read An Overview of the Global Cyber (Re)Insurance Market, the latest addition to the Cyber Risk Toolkit.
- Read the Actuarially Sound blog post on how the committee and Academy helps keep stakeholders informed on cyber risk.
- Listen to the Actuary Voices podcast episode in which committee member Bobby Jaegers discusses building a strong U.S. cybersecurity infrastructure and strengthening cyber resilience at the personal level.
- Watch the recording of the annual Committee on Cyber Risk 2025, which provides an overview of the 2025 cyber insurance market and highlights the latest additions to the Academy’s Cyber Risk Toolkit. Access the recording through Academy Learning.
ENDNOTES
[1] Shifting cyber insurance growth into the next gear; Swiss Re; Sept. 3, 2025.
[3] 2024 U.S. Cyber Market Update: 2024 U.S. Cyber Insurance Profits and Performance; Aon; July 2025.
[4] Cyber and E&O: Pricing Holds, but Market Momentum is Shifting; Aon; Oct. 6, 2025.
[5] Beazley Interim Report 2025; Beazley; 2025.
[6] 2024 U.S. Cyber Market Update: 2024 U.S. Cyber Insurance Profits and Performance; Aon; July 2025.
[7] Shifting cyber insurance growth into the next gear; Swiss Re; Sept. 3, 2025.
[8] “Marks & Spencer Breach Linked to Scattered Spider Ransomware Attack”; Bleeping Computer; April 28, 2025.
[9] https://corporate.marksandspencer.com/sites/marksandspencer/files/2025-11/m-and-s-half-year-results-2025-26.pdf
[10] “Jaguar Land Rover Failed to Finish Cyber Insurance Purchase”; Insurance Business America; Sept.24, 2025.
[11] Ibid.
[12] UNFI Form 8‑K Filing; SEC.
[13] “Time’s running out to claim your part of the $177 million AT&T data breach settlement”; CNBC; Oct. 8, 2025.
[14] “Allianz Risk Barometer 2025”; Allianz Commercial; January 2025.
[15] Attorney General Ken Paxton Secures $1.4 Billion Settlement with Meta; Texas Attorney General; July 2024.
[16] Attorney General Ken Paxton Secures $1.375 Billion Settlement with Google; Texas Attorney General; May 2025.
[17] SEC Statement on Cybersecurity Disclosure Requirements; SEC; Dec 14., 2023.
[18] SEC Charges Four Companies With Misleading Cyber Disclosures; SEC; Oct. 22, 2024.
[19] Equifax Settlement Stipulation; 2020.
[20] SolarWinds Securities Litigation.
[21] “Google to Pay $350 Million to Resolve Shareholders’ Data Privacy Lawsuit”; Reuters; Feb. 6, 2024.
[22] Stanford Securities Filings: OI00107949; Stanford Law School; 2024.