The cyber insurance market has undergone a remarkable transformation over the past three years. From the crisis of 2021-2022, when ransomware losses drove combined ratios above 100% and capacity contracted sharply, the market has emerged as one of the most sophisticated and analytically driven segments of the global insurance industry.
Market Size and Growth
Global cyber insurance premiums are estimated at $15 billion in 2025, representing compound annual growth of approximately 25% over the past five years. While growth rates have moderated from the explosive pace of the early 2020s, the underlying demand trajectory remains strong. Increasing regulatory requirements for cyber incident disclosure, rising awareness of digital dependency risks, and the expanding attack surface of connected organisations continue to drive purchasing activity.
Underwriting Evolution
The most significant development in cyber insurance is the maturation of underwriting methodologies. First-generation cyber underwriting relied heavily on qualitative assessments and limited historical loss data. Current practices incorporate continuous vulnerability scanning, threat intelligence feeds, and machine learning models that assess organisational cyber hygiene in near real time.
Several specialist cyber insurers have developed proprietary scoring systems that evaluate an applicant’s security posture across multiple dimensions, including patch management, access controls, backup resilience, and employee security awareness. These tools enable risk differentiation at a granularity that was unimaginable five years ago and have contributed to a meaningful improvement in loss ratios across the market.
The Aggregation Challenge
While individual risk underwriting has improved dramatically, the systemic aggregation risk inherent in cyber insurance remains the industry’s greatest challenge. A single vulnerability in widely deployed software, a coordinated nation-state attack on critical infrastructure, or a catastrophic failure of a major cloud service provider could generate correlated losses across thousands of policies simultaneously.
Reinsurers and ILS investors are actively developing cyber accumulation models, but the lack of historical precedent for truly systemic cyber events makes calibration challenging. The emergence of dedicated cyber catastrophe bonds provides some structural capacity for tail risks, but the market remains in its early stages compared to natural catastrophe risk transfer.
Regulatory Landscape
Regulators worldwide are paying increasing attention to cyber insurance. The EU’s Digital Operational Resilience Act (DORA) has created mandatory cyber resilience requirements for financial services organisations, indirectly supporting insurance demand. In the United States, SEC cyber disclosure rules have elevated board-level attention to cyber risk management, translating into increased insurance purchasing by public companies.
FINMA has published specific guidance on Swiss insurers’ own cyber resilience requirements, reflecting the dual nature of cyber risk for the insurance industry: insurers are both providers of cyber risk transfer and potential victims of cyber attacks themselves.