06.04.2026

6 Min. Read

15.3 billion US dollars in premium volume, a 15 to 20 percent price increase for 2026, and new exclusion clauses that eliminate entire damage categories. The cyber insurance market has fundamentally changed. What once started as a calculable risk transfer is becoming an increasingly expensive policy with shrinking coverage for many companies. 27 percent of all data breach claims and 24 percent of all first-party claims are now fully or partially denied. The calculation no CFO wants to see: premiums are rising, coverage is shrinking, and in the event of a claim, insurers pay out less often than expected.

Key Takeaways

  • S&P Global forecasts a 15 to 20 percent premium increase for 2026 after two years of declining rates.
  • 27 percent of data breach claims are fully or partially denied. For first-party claims, the figure is 24 percent.
  • New exclusions for 2026: nation-state attacks, unpatched systems, compliance violations, and ransomware sub-limits.
  • 80 percent of large enterprises have cyber insurance, but only 10 percent of SMEs and 40 to 50 percent of mid-market companies.
  • Ransomware accounts for 29 to 41 percent of all cyber insurance claims and is 17 percent more expensive per incident than the previous year.

The market is tilting: premiums rising in double digits again

After two years of relative calm, the cyber insurance market is turning. S&P Global Ratings forecasts a premium increase of 15 to 20 percent for 2026. That sounds moderate unless you know the context: between 2020 and 2022, premiums had already doubled or tripled for many companies. After a brief decline of 22 percent from the 2022 peak, they are now rising again.

Global premium volume stood at 15.3 billion US dollars in 2025, an increase of 7 percent. Analysts expect the market volume to double by 2030, reaching approximately 30 billion US dollars. For companies in high-risk industries such as healthcare and financial services, premiums already sit 50 percent above the market average.

The drivers behind the price increase are structural, not cyclical: this is not a market normalizing after a cooling phase but a fundamental reassessment of risk by insurers. Ransomware incidents rose by 126 percent in the first quarter of 2025. Major loss events regularly exceed the one billion US dollar mark and strain traditional coverage limits. Insurers are responding with higher premiums and tighter terms.

For CFOs who have primarily treated IT risk as an insurance line item, this development is a wake-up call. The days when a cyber policy covered the entire digital risk are over. What is sold as insurance today is a conditional financial product with significant limitations. Those who do not know and actively manage these limitations are paying for an illusion of security.

The coverage gap by company size

Market penetration is extremely unevenly distributed. While 80 percent of large enterprises have cyber insurance, only 40 to 50 percent of mid-market companies with revenues between 100 million and 1 billion euros have taken out a policy. For small and medium-sized enterprises, the rate drops to 10 percent.

80 %
of large enterprises with cyber insurance
40-50 %
of mid-market companies insured
10 %
of SMEs with a cyber policy

The consequence: precisely the companies that are most vulnerable – because they invest less in cybersecurity and have lower resilience – are the ones most frequently uninsured. SMEs rarely have dedicated security teams, run older systems, and have less formalized incident response processes. A successful ransomware attack can be existentially threatening for an uninsured company of this size. The average total cost of a cyber incident – business interruption, forensic analysis, recovery, and reputational damage combined – frequently exceeds annual earnings for mid-market companies.

A new phenomenon is emerging in the mid-market: companies that want to insure themselves are increasingly failing to meet underwriting requirements. Insurers demand demonstrable security controls – endpoint detection, multi-factor authentication, tested incident response plans, secure backup strategies. Those who cannot demonstrate these basics either receive no policy or only one with significant limitations and deductibles. Gallagher describes this development as a shift to “conditional coverage” – insurance is no longer sold but earned. The policy is no longer a product you buy but a certification you must work for.

What the policy no longer covers: the new exclusions

The most critical development concerns not premiums but coverage. Cyber insurers have introduced a series of new exclusion clauses over the past 18 months that significantly restrict the scope of protection.

27 %
of all data breach claims are fully or partially denied through exclusion clauses
Source: Cyber Insurance Claims Analysis, 2025

Ransomware sub-limits. Payouts for ransomware incidents are increasingly capped below the overall policy limit. A company with a 10 million euro policy may find that ransomware coverage is capped at 2 million euros. Given average ransomware damages of 292,000 US dollars per insured incident, that sounds sufficient – until a major attack affects the entire infrastructure and costs run into the millions.

Nation-state exclusions. Attacks attributed to state actors can be excluded from coverage, and in some wordings the insured must show that no state attribution applies. Where the burden of proof lies with the policyholder, it is a heavy one: distinguishing state-sponsored from purely criminal actors is rarely possible with certainty, and a government attribution can arrive months after the incident. NotPetya in 2017 showed how such a clause plays out in a loss event: insurers classified billions in damages as an act of war and refused to pay. Merck ultimately prevailed in the New Jersey courts in 2023, but only after years of litigation, and the market has since closed that route: Lloyd's has required its syndicates to carry state-backed cyber attack exclusions in standalone cyber policies since March 2023, so newer wordings are drafted precisely to avoid a repeat of the Merck outcome.

Unpatched systems exclusion. Policies can deny coverage if the incident is attributable to unpatched or end-of-life systems. In organizations where technical debt is a daily reality and patch cycles take months, this is not a theoretical limitation. It is a ticking time bomb in the contract, and it is ticking in every organization still running Windows Server 2012 (out of extended support since October 2023) or unpatched SAP systems. The practical consequence is that an asset inventory with lifecycle and patch status is no longer just an operations artifact: it is the evidence that decides whether this clause applies.
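The check a practitioner would run before a renewal or a claim is a pass over the asset inventory for exactly the two triggers named above: platforms past vendor end of support, and hosts whose last patch is older than the patch window the policy's security questionnaire asked about. The following is an added example and not code from the article; the inventory rows are constructed, the 30-day patch window is an assumed policy condition, and the EOL table contains the Windows Server dates plus placeholders that would be replaced with the organization's own lifecycle data.

```python
"""Inventory check for the two exclusion triggers: end-of-life platforms
and stale patching. Added example; inventory rows are constructed."""
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates. Windows Server 2012 and 2012 R2 left extended
# support on 2023-10-10; 2019 and 2022 are the published end-of-extended-support
# dates. Any other platform must be added from the vendor lifecycle page.
EOL_DATES = {
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows Server 2022": date(2031, 10, 14),
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    os_name: str
    last_patched: date
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    trigger: str          # "end-of-life", "unpatched" or "unknown-lifecycle"
    detail: str
    internet_exposed: bool


def assess(inventory, as_of, max_patch_age_days=30, eol=EOL_DATES):
    """Return one Finding per asset and trigger, internet-exposed hosts first.

    A platform missing from the EOL table is reported as well: an inventory
    gap is itself something an underwriter or claims adjuster will ask about.
    """
    findings = []
    for asset in inventory:
        eol_date = eol.get(asset.os_name)
        if eol_date is None:
            findings.append(Finding(asset.hostname, "unknown-lifecycle",
                                    f"{asset.os_name} not in lifecycle table",
                                    asset.internet_exposed))
        elif eol_date <= as_of:
            findings.append(Finding(asset.hostname, "end-of-life",
                                    f"{asset.os_name} unsupported since {eol_date}",
                                    asset.internet_exposed))
        age_days = (as_of - asset.last_patched).days
        if age_days > max_patch_age_days:
            findings.append(Finding(asset.hostname, "unpatched",
                                    f"last patch {age_days} days ago "
                                    f"(policy window {max_patch_age_days} days)",
                                    asset.internet_exposed))
    # Exposed hosts are the ones an attacker, and therefore an adjuster, looks at first.
    return sorted(findings, key=lambda f: (not f.internet_exposed, f.hostname))


def report(findings):
    """Plain-text lines suitable for attaching to a renewal questionnaire."""
    return [f"{f.hostname:<8} {f.trigger:<17} exposed={f.internet_exposed!s:<5} {f.detail}"
            for f in findings]


# Constructed sample inventory, assessed as of the article's publication date.
SAMPLE_INVENTORY = [
    Asset("dc-01", "Windows Server 2012 R2", date(2026, 3, 20), False),
    Asset("web-01", "Windows Server 2022", date(2026, 1, 15), True),
    Asset("app-01", "Windows Server 2019", date(2026, 4, 1), False),
    Asset("lab-07", "CustomAppliance 3.x", date(2026, 4, 1), False),
]
AS_OF = date(2026, 4, 6)

if __name__ == "__main__":
    for line in report(assess(SAMPLE_INVENTORY, AS_OF)):
        print(line)
```

Run against a real CMDB export, the output is the list of hosts on which a loss would hand the insurer its strongest argument; fixing or formally documenting each one before the incident is cheaper than arguing about it afterwards.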

Compliance carve-outs. Violations of industry-specific regulations – GDPR, NIS2, DORA in the financial sector – can reduce or void coverage. This means: at the very moment a compliance violation exacerbates an incident, the insurer withdraws.

Systemic events. Insurers define “widespread events” or “catastrophes” in ways that limit their aggregate exposure during coordinated attacks. If a single campaign affects hundreds of policyholders simultaneously – as in a supply chain attack – coverage for each of them can be restricted. The lesson from SolarWinds and MOVEit: the very scenarios that cause the greatest damage are the ones most exposed to exclusions.

Ransomware: the driver behind the calculation

Ransomware dominates the claims statistics. Depending on the survey, 29 to 41 percent of all cyber insurance claims are attributable to ransomware. The average cost per insured incident is 292,000 US dollars – a figure that is 17 percent higher than the previous year. Frequency is also rising: in the first quarter of 2025, the industry recorded a 126 percent increase in ransomware incidents.

For CFOs, the question is no longer whether a ransomware attack can hit their organization, but whether the cyber insurance will actually pay out in an emergency. The combination of ransomware sub-limits, nation-state exclusions, and the requirement for demonstrable security controls means: many companies are paying rising premiums for coverage that, in the most likely loss scenario – a ransomware attack – replaces only a fraction of the costs.

Munich Re identifies ransomware, data breaches, business email compromise, and DDoS attacks as the four main drivers of insured losses. What concerns the industry: the increasing professionalism and AI support of attackers meets an insurance landscape that is simultaneously restricting its coverage. The ratio between risk and protection is deteriorating for the policyholder.

Another factor is exacerbating the situation: AI-powered attacks. Phishing emails have become so convincing through large language models that traditional awareness training is losing effectiveness. Deepfakes enable social engineering attacks that deceive even experienced employees. In 2025, individual voice-cloning attacks crossed the one-million mark in damages for the first time. Insurers see this development and price it in – through higher premiums and tighter exclusions.

What the honest calculation reveals

The honest calculation that takes place in very few boardrooms looks like this:

An average cyber policy with 10 million euros in coverage costs a mid-market company between 100,000 and 300,000 euros annually, depending on the industry. With a denial rate of 27 percent for data breach claims and increasing exclusions, the actual expected reimbursement in a loss event falls well below the coverage limit. A company that pays 1.5 million euros in premiums over five years and then has to bear 40 percent of the costs itself in the event of a claim has bought far less protection than the headline limit suggests.

The alternative is not canceling the policy but achieving a better negotiating position. Companies that have demonstrably raised their cybersecurity to a high level – endpoint detection, zero-trust architecture, tested incident response processes – negotiate better terms: lower premiums, higher coverage, and fewer exclusions. Investment in cybersecurity not only reduces risk, it also reduces insurance costs.

The second lever: actively reviewing the policy for exclusions. Many companies do not know the exclusion clauses of their own cyber policy in detail. An annual review of contract terms with a specialized broker, compared against the actual IT landscape and the most likely attack scenarios, is the best protection against an unpleasant surprise in the event of a claim.

The third lever: diversifying risk. Cyber insurance is an instrument of risk financing, not a substitute for risk management. Companies that channel their entire cyber risk financing through a single policy are putting all their eggs in one basket. Captive insurance, risk reserves, and contractual risk allocation with service providers are supplements that distribute overall risk better than a single policy with exclusions.

The honest assessment: cyber insurance remains a meaningful instrument of risk financing. But the market has shifted from a buyer’s market to a seller’s market. Companies that want the best coverage at reasonable terms must first invest in cybersecurity. Not because the insurer demands it, but because insurance without this foundation is becoming increasingly worthless. The premium alone no longer buys protection. It buys the right to an assessment whose outcome depends on your own security posture.

Frequently Asked Questions

How much are cyber insurance premiums increasing in 2026?

S&P Global forecasts an increase of 15 to 20 percent for 2026 after two years of declining rates. For high-risk industries such as healthcare and financial services, premiums already sit 50 percent above the market average.

What new exclusions exist in cyber insurance?

Ransomware sub-limits cap payouts below the overall limit. Nation-state exclusions exclude attacks by state actors. Unpatched systems and compliance violations can void coverage. Systemic events are increasingly capped.

What is the denial rate for cyber claims?

27 percent of data breach claims and 24 percent of first-party claims are fully or partially denied through exclusion clauses. The most common reasons: unmet security requirements, unpatched systems, and nation-state attributions. The denial rate has risen over the past two years because insurers have tightened requirements for policyholders in parallel with premiums. Those who do not meticulously comply with the conditions pay rising premiums for coverage that does not apply in the event of a claim.

How many companies have cyber insurance?

80 percent of large enterprises, 40 to 50 percent of mid-market companies, and only 10 percent of SMEs. Penetration correlates with company size, not with risk – which paradoxically leaves the most vulnerable companies most frequently uninsured.

Is cyber insurance still worth it?

Yes, but only as part of a comprehensive cyber risk strategy. The policy alone is not protection – it is risk financing. The true value lies in the combination: demonstrably high cybersecurity for better terms and a policy whose details you know inside out.

A magazine by Evernine Media GmbH