Bigger claims, breach-related lawsuits and a mix of policy standardization and fluctuating pricing characterize the 2025 Cyber insurance market.
Increasing Claim Severity
A significant concern for the 2025 Cyber insurance market is the anticipated increase in claim severity. This increase is particularly pronounced for cyber incidents affecting third-party vendors, where the interconnectedness of digital ecosystems can lead to widespread impact and substantial financial losses for multiple insured parties simultaneously. This interconnectedness has the potential to drive larger and more complex claims across the industry.
"A lot of insureds tend to say that they don't have any exposure to cyber," says Taylor Doll, RPS senior broker, Executive Lines. "But if you're connected to the internet, and you have a network, you have exposure. If you have employees and their private information, you have exposure."
The Rise of Post-Breach Litigation
Another growing area of concern is regulatory risk and the rise of potential litigation related to cyber exposures. As data privacy regulations become more stringent, organizations face increasing scrutiny and potential penalties following privacy breaches. There has also been a noticeable uptick in individuals initiating class action litigation initiated in the wake of cyberattacks.
A recent example is the litigation following the Change Healthcare data breach, a ransomware attack that exposed the medical records and personal data of an estimated 190 million people in February 2024. The incident resulted in substantial financial losses for the company — including a $22 million payment1 to the hacker organization BlackCat, the group behind the ransomware attack — but also triggered a class action lawsuit among the impacted parties, highlighting the potential for legal and reputational repercussions following a cyber attack.
Change Healthcare isn't alone: iHeartMedia2 and Hertz3 are among the companies facing class action lawsuits following recent data breaches. These lawsuits are a reminder that data breaches remain a costly issue for organizations, with the average cost of a data breach reaching $4.88 million in 2024,4 a 10% increase from the prior year. These litigation risks add another layer of complexity and potential cost for both insured organizations and their Cyber insurance providers.
The Underwriting Challenge
"Mostly these prolonged outages impact the dependent business interruption and privacy breach coverage of insureds, but it isn't something that carriers can really underwrite to," says Doll. "They can ask an insured or a prospect who their vendors are, what software companies they're using, but there's really no way to underwrite for that. It's just a way the carrier is able to see what exposure they have on their books."
In response to the evolving threat landscape in cyber, carriers are adapting their services to increasingly offer preventive resources such as training, risk assessments and security tool access, including free or discounted endpoint detection and response (EDR) and managed detection and response (MDR) services. Carriers are also adjusting the wording in their policies to consider increased vendor risk and to contemplate artificial intelligence (AI) as an attack vector source, for both the privacy and security liability side of the coverage as well as the cybercrime side.
While insurers still offer nuanced differentiation in areas such as sublimits, exclusions and additional coverages, the core language of many policies has become more aligned and commoditized. This increasing standardization, while potentially simplifying comparisons for policyholders, makes it more challenging for insurers to distinctly differentiate their offerings.
Despite this trend towards standardization in policy language, a notable inconsistency remains in carrier approaches. Inconsistency is particularly apparent in how different insurers handle claims adjudication and the methodologies they employ for pricing risk. This lack of uniformity can lead to volatility in the market, with similar risks potentially attracting significantly different premiums and terms depending on the carrier. Policyholders may also experience varying levels of support and responsiveness during the claims process.
What this means for the market long term remains to be seen, but as carriers adjust their pricing up and down to address the changing market, this inconsistency among carrier approaches is one of the reasons that the cyber market is so volatile.
"As cyber has increasingly become commoditized, and there's more parity in coverages, I'm finding that it's harder for non-specialist agents to differentiate between carriers," says Jack Rosen, RPS area assistant vice president, Executive Lines. "This is a mature product line now, unlike before when individual companies would have something new and novel to offer. But now, with everyone in the market offering cyber coverage, how do you compete? It's still somewhat of a race to the bottom on price."
Learn more about what's next for the Cyber insurance market in the 2025 Cyber Market Outlook.
Sources
1Gregory, Jennifer. "Change Healthcare Discloses USD 22M Ransomware Payment," IBM, 24 May 2024.
2King, Ashley. "iHeartMedia Faces Class Action Lawsuit After Suffering Major Data Breach," Digital Music News, 8 May 2025.
3Layden, Laura. "Estero-Based Rental Car Giant Hertz Faces Class-Action Lawsuits Over Data Breach," Yahoo, 8 May 2025.
4"IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs," IBM, 20 July 2024.
