As ransomware resurges and litigation intensifies, cyber insurance in the US is entering a new phase defined by data‑driven underwriting, evolving regulatory obligations and increased market competition. For retail agents and brokers, success in 2026 lies in combining analytics with expertise to guide clients to the best solution for their businesses and strengthen long‑term resilience. Here, in our 2026 Q1 Cyber Market Update, we'll discuss the current cyber landscape, provide insights on what's new and look ahead to what agents can expect.

Ransomware Activity and the Insurance Industry Response

Until 2019, the cyber insurance industry largely revolved around data breaches. Insurance companies designed policies to address the monetization of stolen personal information, such as credit card numbers or medical records, which criminals sold through underground marketplaces. This model required time, infrastructure and buyers willing to purchase the stolen data.

Ransomware changed the equation. By encrypting corporate networks and demanding payment for decryption keys, criminals discovered a faster and more lucrative way to profit. The rise of ransomware‑as‑a‑service made attacks accessible to non‑technical actors, who could launch targeted spear‑phishing attacks with minimal effort.

Between 2019 and 2022, ransomware activity surged and caused heavy losses across multiple industries. During the tail end of the COVID-19 pandemic, attacks slowed briefly as law enforcement intensified pressure and geopolitical conflicts diverted attention. That deceleration provided temporary false hope that ransomware had perhaps reached its apex and was not as serious a concern. In response, many carriers lowered premiums and sold large volumes of cyber insurance capacity, reducing restrictions on ransomware that had helped protect their profitability.

Now ransomware has returned to pre‑pandemic levels.

Rising losses combined with a stable rate environment create an unsustainable situation for long-term success.

This renewed pressure highlights why appropriate limits and comprehensive coverage are no longer optional: Clients who fail to reassess their protections risk being underinsured in the face of increasingly sophisticated cyber threats. While insureds are less likely to pay ransoms than they once were,1 the costs remain significant as insider enablement threats are an increasing concern.

Beware of New Policy Conditions

With the rise in ransomware attacks, particularly those initiated through supply chain and vendor-related cyber incidents, we're witnessing longer tails, relative to first-party losses. As insureds quantify their expenses, coordinate with third-party forensic accounting firms and wait for vendor responses, the path to resolution has become longer.

We're seeing carriers respond to protracted resolutions with new conditions wording in policies to get more certainty around loss development sooner. It's important for agents and brokers to be aware of first-party loss reporting requirements, some of which now require quantification within 90-180 days, which previously wasn't the case. The cost of waiting could be significant if insureds aren't aware of these new requirements finding their way into today's policies.

Coverage and Underwriting Developments

After a multi-year period of relative stagnation in cyber policy language innovation, we're again beginning to see some signs of creativity. A flurry of endorsements surfaced in the second half of 2025, largely giving further assurances to items already covered. As insureds increasingly heard about AI and how it was enabling adversaries, some wanted to see the acronym specifically mentioned in policy wording. In response, some markets addressed this with affirmative language around AI-assisted attacks, including when deepfakes were found to be involved in social engineering scams. In 2026, however, we're seeing actual insuring agreements address more than what was previously covered, with at least one market offering coverage for technical assessment, authenticity de-validation and costs to take down content from online platforms.

From an underwriting perspective, we're beginning to see the first introductions of AI usage assessments accompanying cyber insurance applications. Carriers are starting to examine an organization's strategy with respect to internal and customer-facing applications, policies, procedures and approaches to managing this rapidly developing area of opportunity and risk. We expect this scrutiny to expand in the months ahead.

Additionally, in the coverage innovation category, one market has recently introduced a new coverage in response to last year's highly publicized outage of a British auto manufacturer. Many connected businesses relied on this company to purchase their parts. When the customer was down, it had a cascading effect on many businesses' ability to sell their products as the car maker struggled to get back online. This new coverage involves a sub-limited business interruption extension for small to medium-size enterprises with an underwriting process that pre-identifies named customers and provides a unique twist on dependent business interruption when one of these customers suffers a covered cyber event.

Agents Showing Value

The softer pricing environment over the past few years has, along with some changes in the coverage landscape, created room to negotiate more favorable terms while also guiding clients toward better‑aligned coverage. This dynamic positions brokers not only as market navigators but also as trusted advisors who can help clients transition from minimal compliance to true cyber resilience.

Meanwhile, the competitive landscape itself is evolving. A surge of new entrants, supported by expanded capacity and alternative funding mechanisms such as insurance‑linked securities, has diversified the marketplace. This diversification is reshaping how coverage is structured and priced.

This influx of new players has created more competition, with aggressive pricing strategies aimed at capturing market share. All the while, the more seasoned carriers in this space are beginning to exercise a more disciplined approach to pricing, and we're seeing surgical pricing increases in industries such as healthcare, as well as in specific event-affected classes such as auto dealers. In this environment, it's essential to partner with wholesale brokers who understand both the evolving threat landscape and the dynamics of the insurance market.

As the cyber market continues to mature, these developments present strategic opportunities for brokers to deepen relationships across a broader range of markets. But this moment also calls for discipline: Long‑term viability must remain at the forefront. The lessons from the previous soft market should not be forgotten. By balancing innovation with prudence, brokers can help clients capitalize on today's changing conditions while ensuring that coverage remains effective and aligned with the realities of an evolving threat landscape.

Beyond Benchmarking: Strategies That Strengthen Client Resilience

Traditionally, the insurance industry has relied on benchmarking to measure one's insurance program against its peers, identify gaps, examine retentions and set coverage limits. But in cyber risk, that approach falls short. Effective assessment requires more than mirroring: It demands a deeper understanding of each client's individual needs and tailored solutions that fit their risk profile.

RPS brokers leverage modern tools to model exposures, analyze vulnerabilities and deliver data‑driven recommendations by combining client‑specific risk analysis with benchmarking ranges to set limits, retentions and markets based on actual exposure and risk tolerance, not simply on what peers buy.

In practice, brokers begin by scanning outward‑facing network infrastructure and evaluating both technological defenses and human capital investments, policies and procedures. With this data, they model how a cyber event could unfold and use those insights to guide more well-informed discussions about limit selection.

Proprietary tools also enable analysis of claims trends and pricing/coverage comparisons.

"We use a proprietary tool that compares policy language across multiple markets, ensuring that the language aligns with where claims are occurring. This capability allows RPS to proactively address emerging risks and optimize coverage strategies with precision," illustrates Lindsey Dean, senior attorney, claims director Executive Lines at RPS.

Advice carries more weight when backed by data. Whether discussing limits, retention levels or premium value, brokers position themselves as trusted experts who deliver solutions grounded in evidence. This transforms the conversation from finding a policy to providing insightful solutions that meet client needs and strengthen long‑term business resilience.

Case Examples: Delivering Value Through Analytics and Insight

When evaluating middle‑market and large‑risk accounts, data‑driven tools help test whether limits and retentions are fit for purpose. In a recent renewal for a client carrying a $20 million cyber limit, the first step was to evaluate whether that limit was appropriate.

By combining discussions of risk tolerance with software modeling various cyber-attack scenarios, we provided projections of potential losses, and those insights allowed the broker to refine recommendations, tailoring coverage to the client's appetite for retaining or transferring risk.

This approach extends beyond limit evaluation. Analytics help identify when clients are paying too much, or if their program is in line with the market. In another case, brokers examined a client's increased limit factors (ILFs), which measure the cost of additional coverage layers. The client's ILF stood at 90%, an aggressive rate by market standards; the analysis indicated room to secure better pricing without eroding protection.

The tools also help clients reassess long‑standing coverage habits. Many insureds have never considered higher limits until we provided the data to evaluate their options. For example, a client might say they carried a $1 million policy for years despite significant business growth. After reviewing analytics, they realize a $15 million limit is more appropriate, relative to their exposure. Even if they cannot afford that level of coverage immediately, we can develop a phased plan to gradually increase limits over time, aligning coverage with both evolving needs and financial realities.

Litigation as the Emerging Cost Driver in Cyber Risk

Dean points out that litigation has become a defining feature of cyber risk: "With nearly every breach, there is a high likelihood of follow‑on litigation."

Class actions from customers or employees whose privacy was impacted are now increasingly common, adding another layer of exposure beyond first‑party costs, such as ransom payments or forensic investigations.

Dean also notes that litigation related to companies' data collection practices remains prevalent.

"Over the past few years, there have been hundreds of lawsuits filed against organizations of all sizes, from mom‑and‑pop retailers to large media conglomerates," she says.

These lawsuits allege that companies violate state and federal wiretapping laws and other privacy laws when they collect data from websites without securing proper consent. The growing volume of these claims reinforces the importance for brokers to consider litigation probability alongside direct breach costs when advising clients on cyber insurance strategy and expected policy response.

When Data Becomes Exposure

This expanding litigation environment is not just a client exposure: It sets the operating landscape for brokers as well. The same data‑collection practices that trigger lawsuits against insureds also elevate compliance expectations for those advising them. As brokers rely on data‑driven insights to compete and retain clients in a rapidly evolving cyber insurance market, they must also navigate a tightening web of data protection requirements. To operate effectively, brokers must balance the benefits of using advanced analytics with the responsibilities imposed by privacy frameworks and legal obligations. Examples include:

  • The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (2017): As of 2026, 28 jurisdictions have implemented it. Requires brokers to conduct annual risk assessments, maintain an information security program, implement incident response plans and notify state insurance commissioners of a cybersecurity event within 72 hours, along with notifying consumers when required.
  • The NAIC Consumer Privacy Protection Model Law Draft (2023): Sets detailed standards for how insurers collect, process, retain, share and secure personal information.

Next Levels of Cyber Underwriting

As cyber risks continue to develop, so too will underwriting practices and standards. The future of cyber insurance will increasingly move from yes/no questionnaires towards validation-based underwriting. Getting in front of this with your clients will lead to better results when requirements shift. Some things to consider:

  • MFA for all remote access, including email, remote logins, backups, cloud access and admin accounts. These are table stakes today. Increasingly, underwriters in the future will want to know if the method of MFA is "phishing resistant." That is, are biometrics and/or hardware keys used, or just standard text/app codes? As MFA bombing, social engineering and session hijacking are increasingly used to thwart dual-authentication, taking validation to the next level will become even more important. Become familiar with terms such as "FIDO2 compliance"2.
  • In a day when having reliable backups that are separated from one's primary network would seem to be a given, we've recently seen ransomware encrypt systems and backups alike, leaving insureds in highly vulnerable positions. The future of ransomware resiliency will rely not only on segmented, immutable backups, but also a testing regime to ensure they work when called upon. A 90-day testing cadence to ensure backup efficacy is a sound risk management tactic of increasing importance. Even as attackers more often extort for the threat of private data suppression or exfiltration than encryption, implementing restore tests has never been more important and underwriters are expected to increase their focus here.

Long-term Value for Brokers and Clients

With years of claims data now available, brokers can provide relevant insights even to smaller businesses, addressing their specific needs and concerns. In 2026 and beyond, as ransomware and privacy litigation continue to rise, brokers who lead with risk quantification and clarity on policy wording will help clients make more well-informed decisions, regardless of where pricing lands next. RPS's cyber practice stands ready to help agents and brokers help their mutual clients with the tools, insights and experience necessary to approach these developing risks with greater confidence.

Sources

1. "Insider Threats Loom while Ransom Payment Rates Plummet," Coveware, 24 Oct 2025

2. "User Authentication Specifications," FIDO Alliance, accessed 13 Feb 2025. 2026.