Cyber Insights 2025: Cyberinsurance – The Debate Continues


SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Cyberinsurance.

Cyberinsurance offers a risk transfer option for the management of cybersecurity risk. This risk is complicated by the ever-changing nature of the threats and the attack surface. The cybersecurity industry has so far failed to get ahead of the attackers. Can the cyberinsurance industry do any better?

Is it even possible for insurers to match cover with cost in a mutually beneficial manner on an ongoing basis?

While the adoption of cyberinsurance as a means of cyber risk transfer is growing, less than half of SMEs are currently thought to carry cyberinsurance. Most US businesses, probably around 33 million, are categorized as SME – so the untapped market remains huge.

The difficulty is that SMEs traditionally believe they are too small to be attacked until they are, and frequently hope they are covered by their general business insurance. When a compromise happens, they may survive the breach itself but are poorly prepared for the immediate legal and forensic expenses that follow a compromise. 

Whether it is an actual breach or just a security incident involving data privacy, regulations are increasingly demanding rapid reporting – which requires quick access to legal and forensic experts. SMEs will not have this expertise in-house so must pay for expensive outside help.

“All too often I see businesses in the midst of a data privacy / cybersecurity event scrambling to see which business insurance policy they have might assist in reimbursing legal and forensic expenses (both immediate, up-front costs that are very expensive to pay for out of pocket without cyber insurance coverage),” comments Kimberly Holmes, senior counsel at the Dykema law firm. “Cyberinsurance (as opposed to business insurance) typically responds quickly to approve the retention of defense counsel and forensic vendors at the time-sensitive outset of an organization’s need to respond to a data privacy or security event (whether an actual breach or not).”

The untapped market for cyberinsurance remains massive, and we can expect insurers to double down on finding ways to expand throughout the next few years. 


Continuing flip flop between a hard and soft market for insurers

“Cyber insurance is going through an artificial soft market,” explains Prashant Pai, EVP global head of business development for KnowBe4. “Essentially, even while claims are growing and losses are increasing, there are large amounts of new capital entering the market, which is leading to low premiums. 2025 should see the market catch up to reality and see a gradual hardening over the latter part of 2025. This means premiums will go up, but also with potentially tighter sublimits and increased underwriting scrutiny.”

The biggest problem is that the cost of a breach and the number of breaches continue to rise. The only options for insurers to balance the books and maintain their own profitability is to increase premiums and exclusions (simple to do), or somehow reduce breaches (not something the insurers can do on their own). By the time they achieve balance between income and claims, the risk is likely to expand, and the process must repeat.

Premiums and Exclusions

“One of the biggest challenges insurers face is their (lack of) ability to accurately calculate relevant premiums and exclusions. This is inherently hard due to the complexity of the technology stacks used by their customers,” comments Kai Roer, CEO and founder at Praxis Security Labs. 

Kai Roer, CEO and founder at Praxis Security Labs

“One customer may have an old IBM mainframe in their basement, while also having a large cloud infrastructure, and everything in between. Another customer may only have a small cloud infrastructure, with well documented integrations and regular testing. These two companies should most likely have different premiums – but how does cyberinsurance determine the right premium for each one?”

To a large extent, he continues, insurers must “guestimate premiums, exclusions, and – if a breach occurs – payouts.”

Shaping forces expected in 2025

Cyberinsurers suffer a similar problem to that of regulators: technology and threats advance so rapidly that it is difficult to keep pace. This will be further complicated in 2025 by a new Administration in the US and the suspicion that it will take a step back from all forms of regulation. Quite simply, it is difficult to predict what will happen.

Nevertheless, there are three areas in particular that are likely to affect cyberinsurance in 2025: the sudden rise and proliferation of gen-AI, the unknown quantity of supply chain / third party threats, and the potential for increasing geopolitical cyberthreats. Each one has the potential to elevate risk into systemic risk – which, in simple terms, just means ‘too big to handle’.

Artificial Intelligence

The conjunction of privacy and generative AI is complex and difficult, especially since the major systems have all been trained on data widely scraped from the internet. Has that data been lawfully obtained under GDPR and other privacy laws, and does it involve copyright theft?

The complexity of the issue is made clear in an Opinion from the European Data Protection Board dated December 18, 2024. A key component of privacy is that details should be held anonymously. Firstly, the Opinion states that not all AI models are equal. Then it says, “the likelihood of direct (including probabilistic) extraction of personal data regarding individuals whose personal data were used to develop the model and (2) the likelihood of obtaining, intentionally or not, such personal data from queries, should be insignificant, taking into account ‘all the means reasonably likely to be used’ by the controller or another person.”

What, really, does this mean? What does ‘likelihood’ mean, and is it measurable and therefore gradable? Can the likelihood of extracting personal data be insignificant (and what does insignificant mean?) given the widespread skill of jailbreaking and prompt injections? And that’s before we get into the quagmire of ‘legitimate business interest’.

This isn’t meant to be a criticism of the EDPB, just an illustration of the problem facing all regulators: balancing personal protection while simultaneously promoting innovation leads to confusion. But it could be part of a big problem. AI models can freely be downloaded from Hugging Face, with little guarantee of their security and, strictly speaking, little guarantee of their legality. Holmes believes this will “put a greater onus on the cyberinsurance industry to consider the privacy and other impacts to businesses (from a potential litigation standpoint, if not a regulatory one).”

Omid Safa, a partner at Blank Rome LLP, adds, “Because AI applications rely on the collection and processing of vast amounts of data, it will be important for companies to consider the AI tools they are using, and the information being collected when assessing their exposure and purchasing cyber insurance. Moreover, to the extent they have not done so already, policyholders will increasingly push insurers for policy language that confirms coverage for the ‘collection’ of such data.”

That policy language discussion will likely increase in 2025 but could cut both ways. “The power of AI presents opportunities that companies cannot afford to ignore, yet the losses can be catastrophic,” warns Scott Seaman, a partner at Hinshaw & Culbertson LLP. “We expect to see more generative AI coverage endorsements, both granting coverage and excluding coverage.”

Scott Seaman, partner at Hinshaw &amp; Culbertson LLP

Meanwhile, insurers must beware how they use AI as well as how they cover it. Seaman also notes that in July 2024, the New York State Department of Financial Services (NYSDFS – never a laggard in regulating matters involving finance) adopted a final circular about the ‘Use of Artificial Intelligence (AI) Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing’.

“This Circular,” says Seaman, “was issued as guidance to the insurance industry and imposes significant obligations on insurers using artificial intelligence systems or external consumer data and information sources for underwriting and pricing.”

The whole question of AI and regulations, and AI and cyberinsurance, seems tailor made for a season ticket at the courts.

Supply chain risks

A current concern for cybersecurity is the increasing number and effect of supply chain attacks. Proprietary software supply chains (such as the SolarWinds incident) and open source supply chains (such as the Log4j incident) have long and often invisible tails. How insurers tackle coverage for supply chains will be an important concern in 2025.

Joe Silva, CEO at Spektion, suggests, “Cyberinsurers should shift their focus to understanding and underwriting third-party software risk. This area significantly contributes to breach events and is often under-addressed in risk assessments. Just as insurers have emphasized identity and privileged access management, they need to evaluate the sprawl, oversight, and compensating controls related to third-party software usage. This insight is critical for predicting an organization’s susceptibility to the growing volume of software vulnerabilities and attackers’ increased exploitation of this vector – an area where traditional defensive technologies often fall short.”

Seaman notes an additional supply chain complication that insurers will need to consider and address. “The CrowdStrike incident has caused insurers to focus on outages as well as cyberattacks and to focus more on the need to limit supply chain exposures in dependent or contingent interruption and other coverages.”

But as insurers begin to better understand the complications and potential implications of supply chain risk, their only recourse to address any growing imbalance between income and claims will be to revert to increasing either premiums or exclusions.

“They will continue to increase exclusions and premiums at least until it feels like your average organization is performing reasonable safety, reliability, and security measures to reduce the risk the cyberinsurance organizations take on,” says Michael Lieberman, CTO and co-founder of Kusari. “It’s hard for an insurance company to underwrite a policy for software supply chain security incidents when many organizations don’t do the bare minimum to keep track of the software in their supply chain in the first place.”

A mutually beneficial balance between cost and cover will remain an issue, exacerbated by supply chain risk, through 2025. “Balance is achieved only momentarily,” notes Peter Hedberg, VP, cyber underwriting at Corvus Insurance. “As exposures and threat actors continue evolving, we meet that with our own evolution in security. It’s only asymmetrical for brief periods, but those of course are times when claims happen. The continued rise of third-party litigation which has quite a long tail but is also difficult to underwrite will be without question something we put more effort into underwriting next year.”

Ilia Kolochenko, CEO at ImmuniWeb

Ilia Kolochenko, CEO at ImmuniWeb, partner at Platt Law LLP, summarizes the current state and complexities. “The majority of existing cybersecurity insurance contracts do not expressly address the novel spectrum of risks, threats and attack vectors caused by rapid proliferation of gen-AI and third party incidents. Consider the notorious CrowdStrike outage, which was classified as a non-cybersecurity event by most cybersecurity insurances, eventually denying coverage. While from technical and legal viewpoints such classification is arguably correct, it certainly does not reflect reasonable expectations of insured companies.”

Geopolitical effects and exclusions

The extent to which global geopolitics will directly affect cybersecurity outside of Ukraine and Gaza is a matter for debate. But it is worth recalling that GW Bush coined the phrase ‘axis of evil’ back in 2002. It was not cyber related, but comprised Iran, Iraq and North Korea. Iran and North Korea are current cyber adversaries. Russia and China have long been cyber adversaries. It is not unreasonable to describe these four cyber adversaries as a current axis of cyber evil – but it is unreasonable to assume that geopolitics will not affect cyber threats throughout the western world from them.

Andrew Churchill, director of policy at the CSBR, warns about “the geopolitical tensions at play with NCSC (National Cyber Security Centre) highlighting the state actors threatening large scale cyberattacks against western CNI (Critical National Infrastructure), and organized crime groups extorting money from private businesses and public sector, typically through ransomware. Given many such state-directed attacks are carried out by proxies, be they parastatal or state-protected crime groups, the border between state attacks and criminal becomes blurred. Whilst this blurring may well limit the likelihood of Armageddon, in insurance terms hybrid war will increase the debate on force majeure as an insurance policy exemption.”

This is the problem for insurers. Is a specific attack the work of a nation state or a criminal group, or the former masquerading as the latter? And if it is a nation state, is that an ‘act of war’ that could be covered by an exclusion?

“Given the conflicts in Ukraine and Gaza,” says Safa, “we also anticipate more disputes regarding recent revisions to war exclusions that have attempted to blur the lines between traditional war-risks and cyber operations by hostile nation-states. Purportedly adopted to clarify coverage, such revisions have left much to be desired and only served to foster more confusion regarding the scope of coverage.”

Seaman delves deeper. “Insurers are adding updated War Exclusions, many are modeled on London [ie, Lloyds] forms and other exclusions to preclude coverage for systemic or state sponsored cyberattacks.”

Back in June 2022, the GAO released a report titled Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks. It suggests that potential losses from severe cyber incidents could range between $2.8 billion to $1 trillion per event for the United States. If multiple events affect a single insurer, that is systemic loss in a nutshell.

“For the past couple of years,” continues Seaman, “Lloyds has been requiring that standalone cyberattack policies exclude liability for losses arising from any state-backed cyberattack. There are at least four exclusion forms available. The exclusions must exclude losses arising from war (whether declared or not) and must apply to losses arising from state-backed cyberattacks that significantly impair the ability of a state to function or that significantly impair the security capabilities of a state. As you can envision, determining whether a cyberattack is attributable to a state may present difficulties.”

Geopolitics may or may not be a threat, but it is certainly a risk, and for insurers, it is a murky one. One way or another, geopolitics and associated systemic risk will play a part in cyberinsurance discussions and coverage for the foreseeable future.

Future cooperation with government

Kimberly Holmes, senior counsel at the Dykema law firm

The new administration in the US in 2025 is expected to be a small government proponent with a hands-off approach to government oversight. “It is unlikely that we will see any federal government oversight, involvement or scrutiny over the cyber insurance industry, as had been the case to some degree with the previous administration,” suggests Holmes. “As the insurance industry is typically governed at the state level, with a likely absence of any federal oversight in the next several years, state governments may step in.”

This makes the potential for a government backstop unlikely. Hedberg further suggests it is unnecessary. “Policymakers must decide based on their own risk projections for the commercial enterprises that make up the U.S. We continue to write this product successfully with financial independence from any government sources of capital. Our underwriting and risk management is testament to this virtuous cycle.”

But not everyone agrees. Tom Srail, EVP of global cyber risk advisors at WTW, says active discussions continue “on some very critical priorities regarding cyber insurance, perhaps most importantly systemic cyber risk. In the US, government agencies are working with insurers, brokers, reinsurers, modelers, technology companies and other stakeholders to create solutions for a federal government response to such events.”

Safa adds, “Insurers have already indicated a desire to discuss a government backstop to address systemic threats to critical infrastructure and the risks associated with cyber warfare. Given the threat to the global economy and stability that such risks pose, it would not be surprising for the government to provide some form of backstop to ensure that coverage remains available, and insurers have the capacity to continue providing coverage.”

The UK has a potential route through expansion or extension of Pool Re (a government-backed reinsurance firm for acts of terrorism). “Outside the cyber domain, the insurance industry has the likes of Pool Re – though Pool Re explicitly does not cover losses through ICT failings,” comments Churchill.

“So, 2025 may well see revised demands (the industry explored this in 2012 surrounding the London Olympics) either to strike out the Pool Re ICT exclusion, or the establishment of a Cyber Re, an item that will almost certainly be raised in Parliament as the CSR Bill [aka CSRA] progresses.”

While not necessarily having the force of law, there may be a level of national oversight in the US – in the form of guidance and advice – from the federal agencies. “We’ll see more guidance and documentation around technology risks come out of organizations like NIST and CISA in the US and their counterparts in the rest of the world,” believes Lieberman. 

“This documentation will provide guidance and a framework for the cyber incident actuaries to build better risk models for the evolving threat landscape,” he adds.

Cyberinsurance is a profit-oriented industry. In simple terms, its income (premiums) must exceed its outgoings (operational overheads and especially payouts). These are the scales that insurers must profitably balance.

The two options to reduce outgoings are more exclusions (fewer payouts), and more secure customers (fewer claims). The first is problematic, since more exclusions lead to fewer customers and less income. The second is difficult, since more than two decades of increasingly sophisticated security products have failed to stop breaches.

The obvious solution of linking premiums to customers’ use of specific security products is also problematic in a free market economy – companies being told to use product A when they believe product B is better for them does not sit well.

Roer believes the solution is in risk analysis rather than risk mitigation. “In 2025 I believe we are going to see a growing number of insurers leveraging services from [data collection] companies to aggregate more data from their customers, and thus potentially make it easier for themselves to make better decisions.” This would allow insurers to “create their own offers based on their own risk profile and understanding of the risk landscape.”

To this end, we may well see a growth in the new concept of Insurtech – technology designed to assist insurance. Such technology can continuously monitor organizational risk and provide risk data to insurers. “This technology driven movement in the cyber insurance industry,” explains Paul Ashwood, senior product marketing manager at Cymulate, “drives efficiency and accuracy in determining risk which enables the insurer to underwrite better policies, set better premiums, reduce the cost of claims and ultimately achieve a better book of business for cyber insurance.”

Lieberman believes insurers should place their faith in security standards. “Cyberinsurance shouldn’t require a specific security tool but require the organizations they underwrite to utilize security tools that meet things like ISO/IEC 25010 for software compositional analysis or follow emerging build security specifications like SLSA from the OpenSSF,” he says.

Omid Safa, a partner at Blank Rome LLP, is more explicit: the insurance industry must remain neutral on mandating security products. “Remaining neutral helps to ensure that insurance does not inadvertently increase the load on any one vendor and contribute to the overconcentration of risk,” he says. 

“Overconcentrating risks with specific providers would only exacerbate the potential for catastrophic fallout to the extent those providers are compromised by a cyber event,” he says, adding that by extension, insurers relying too heavily on a single provider who gets compromised could find themselves overextended for potential losses.

Hedberg agrees with this argument, also noting, “Philosophically there is merit to keeping those risk management functions separate (mitigation versus transfer).”

“Whether cyber insurance is an ‘essential’ part of risk management is not a real question – it is,” summarizes Holmes. “But whether more businesses will see the value in proactively putting cyber insurance in place before they need it – a best practice to be sure – remains to be seen. While one might expect 100% of businesses to have cyber insurance today, the reality is that less than half of them actually have the coverage in place right now.”

The great hope for cyberinsurance is that it will improve the overall level of cybersecurity. This can only be achieved by providing genuine value for money that is linked to demonstrably effective organizational risk management. Better risk management could lead to reduced premiums on top of value for money, making cyberinsurance a silent driver for improved cybersecurity.

But it is a complex process that remains ongoing and may never be complete. Risks continually change with advancing technology and expanding attack surfaces. Insurers are constantly seeking that sweet spot where premiums are an attractive option for organizational risk transfer. It is a struggle, but the insurers will not cease seeking – nor will they achieve it in 2025.

Related: Cyberinsurance Premiums are Going Down: Here’s Why and What to Expect

Related: Think Tank Proposes Greater Ransomware Reporting From Cyberinsurance to Government

Related: Cyberinsurance Backstop: Can the Industry Survive Without One?

Related: Talking Cyberinsurance With Munich Re
