The aftermath of several high-profile cyber-attacks in 2025 has cast a long shadow over corporate risk management, forcing organizations to re-evaluate their defenses and financial safeguards against digital threats. The staggering £1.9 billion economic cost of the attack on Jaguar Land Rover, a company that reportedly failed to finalize a cyber insurance policy before the incident, serves as a stark warning of the potential for catastrophic losses. In contrast, retailer Marks & Spencer, which did have coverage, managed to file a claim of around £100 million following its own breach. These divergent outcomes highlight a perplexing and often contradictory market. While the frequency and severity of cyber incidents continue to climb, the insurance market intended to mitigate these risks is described by experts as “soft.” Data from insurance broker Howden shows that premium growth slowed significantly from 2022 to 2024, with rates continuing to fall through the first half of last year. This trend, which saw a 12% decline in European premiums in 2025, stands in sharp opposition to the massive 50-100% premium hikes of 2021 and 2022, creating a complex decision-making environment for security leaders.
1. Navigating a Complex and Demanding Market
Although organizations may find more negotiating power for cyber insurance policies in 2026, the softer premiums of the past year have introduced a new layer of complexity. Buyers are now contending with a broader array of policy exclusions, the possibility of higher deductibles, and a significantly increased burden to prove the sufficiency of their security controls. Some industry observers anticipate that this period of lower premiums is temporary and will soon reverse. The stakes are incredibly high, as evidenced by the fact that UK insurers paid out £197 million in claims in 2024 alone, a year-over-year increase of more than 200%. Marie Wilcox, VP at Binalyze, notes that the current landscape is particularly challenging for Chief Information Security Officers (CISOs). Insurers are tightening their underwriting criteria, raising premiums in certain sectors, and enforcing stricter compliance expectations, driven by new regulations like DORA and NIS2. This shift is starkly reflected in recent research indicating that over the last year, a concerning 56% of CISOs reported having their cyber-insurance payouts denied by their providers.
The rising number of denied claims often comes down to a critical failure: a lack of evidence. According to Wilcox, a common reason for rejected payouts is the inability of organizations to prove they had adequately mitigated risks or to produce a complete, verifiable timeline of a breach that can withstand the scrutiny of insurers and regulators. This demand for meticulous documentation and demonstrable security posture is only set to intensify. The implementation of the EU’s DORA and NIS2 regulations, coupled with the UK’s upcoming Cyber Security and Resilience Bill and new rules in the United States, is creating a formidable compliance environment. Security teams must now operate under the assumption that every aspect of their incident response will be audited. This requires a fundamental shift from merely having security tools in place to maintaining a state of constant readiness, with comprehensive logging, detailed risk assessments, and robust procedural documentation that can be presented on demand to justify a claim and satisfy regulatory inquiries.
2. The Escalating Landscape of Liability and Risk
The strategic importance of cyber insurance is growing as it now represents a much larger portion of corporate spending, a trend directly fueled by expanding liability. As noted by George Manuelian, chief strategist at RapidFort, recent changes to data breach notification laws in the U.S. are escalating personal exposure for board members, making robust insurance coverage a critical component of executive protection. Furthermore, compliance mandates such as FedRAMP and the Cybersecurity Maturity Model Certification (CMMC) are creating a ripple effect throughout the supply chain. If a vulnerability within one company’s system leads to a partner’s breach, that partner can initiate legal action, positioning insurance as an indispensable safety net against third-party litigation. This interconnected web of risk means that a security failure can have far-reaching financial and legal consequences that extend well beyond the initial incident, making the quality and scope of an insurance policy more important than ever for maintaining business continuity and solvency.
Complicating matters further, both CISOs and the insurers underwriting their risks are struggling to contend with the accelerating speed of cyber exploits. The bar for coverage is rising, with underwriting decisions becoming increasingly tied to how quickly an organization can identify and remediate its exposure to new vulnerabilities. This puts immense pressure on security teams to shorten their patch cycles and improve their threat detection capabilities. The proliferation of AI-driven threats adds another layer of complexity. Malicious actors are now leveraging Large Language Models (LLMs) to conduct highly targeted reconnaissance, automate exploit development, and even reverse engineer security patches to find new attack vectors. This new class of threat is so novel and unpredictable that many insurers are hesitant to cover it, leading to new exclusions for AI-related risks. According to Ryan Rubin of Ankura, while the market remains soft due to new entrants, insurers are becoming more cautious about offering wide coverage given the continued high costs of ransomware and business interruption claims.
3. Redefining the Value Proposition of Insurance
In response to the tightening market and the high cost of comprehensive coverage, many enterprises are fundamentally changing their approach to risk transfer. A growing number are choosing to “self-insure” for a larger portion of their risk by accepting significantly higher deductibles or self-insured retentions, which can amount to hundreds of thousands or even millions of dollars. This strategy reflects a pivotal shift in how organizations view cyber insurance. The focus is moving away from simple financial compensation for losses and toward securing the critical, on-demand services that are bundled with modern policies. While a payout serves as a crucial backstop against potentially catastrophic financial ruin, the real value for many large corporations lies in the immediate access to an ecosystem of elite incident response, legal, communications, and forensic investigation capabilities—resources that even the largest and most sophisticated enterprises often lack in-house and cannot procure effectively in the midst of a crisis.
This strategic use of high deductibles allows organizations to drastically reduce their premium costs while retaining access to what is essentially a crisis management retainer. As cyber insurance expert Michael Colao explains, most large corporations simply cannot handle a modern, cross-border data breach on their own. By accepting a self-insured retention of $200 million or more, they can secure a policy that provides them with the insurer’s specialized services, which are indispensable during an attack. However, this approach requires careful planning and due diligence. Not all insurance policies are created equal, and pursuing savings in a soft market without scrutinizing the fine print can prove to be a false economy. It is crucial for organizations to first determine their specific coverage needs before engaging with a broker. Paying a small amount extra to avoid damaging exclusions and carefully matching an insurer’s profile to the organization’s actual risk are essential steps in this process. The choice of the primary insurer is particularly critical, as this is the partner that will be managing the claim and orchestrating the response when an incident occurs.
4. A Strategic Framework for Securing Coverage
The period of falling premiums suggested that acquiring cyber insurance was becoming a straightforward task, but the reality proved to be far more nuanced. While costs initially appeared more favorable, organizations soon discovered that this affordability came with significant trade-offs. Insurers implemented stricter underwriting processes, introduced a wider array of policy exclusions, and raised the bar for compliance, making the path to securing meaningful and reliable coverage more challenging than ever. The primary hurdle for CISOs and risk managers shifted from a question of budget to one of qualification. It became clear that simply wanting a policy was not enough; companies had to actively demonstrate a high level of cybersecurity maturity and provide exhaustive evidence of their risk mitigation efforts to even be considered for the most desirable coverage terms.
This evolution in the market forced a necessary recalibration of strategy among the most prepared organizations. The focus moved decisively away from chasing the lowest possible premium toward achieving a deep alignment between the insurance policy and the company’s specific risk profile. Successful enterprises came to view their insurance provider not as a vendor but as a strategic partner in their overall resilience framework. This meant they were willing to invest more to avoid critical coverage gaps and were highly selective in choosing a primary insurer whose expertise and claims-handling philosophy matched their needs. Ultimately, the experience taught a valuable lesson: the true purpose of cyber insurance was not merely to serve as a financial backstop but to provide an integrated and robust crisis response capability. This understanding transformed the procurement process from a simple transaction into a strategic imperative for long-term survival.
