Cyber market stabilizes, but risk and exposure still escalating

The cyber insurance market may have cooled from its peak volatility, but the risks haven’t gone anywhere. “The state of the cyber market is stabilizing post a very hard market cycle,” said Ben Zviti (pictured), president of ANV Cyber. “But volatility still remains due to increased regulatory scrutiny, as well as the evolving threats and longer tail third party claims.”

Threat actors have become faster, smarter, and harder to predict – and they’re hitting all corners of the business world. “It’s a game of cat and mouse between the threat actors and the IT professionals,” said Zviti. With digital infrastructure now embedded into every layer of enterprise operations, cyber exposure has become constant – and increasingly systemic.

Cyber moves from IT to the boardroom

Cyber is no longer a technical or back-office problem. It’s a strategic threat – one that boards and executives are now treating as a top-line risk. “Cyber risk is completely a board-level concern today,” said Zviti. “It has now exceeded to number one at the C-suite level.”

That elevation comes with new expectations. Organizations investing in their information security want to see that effort recognized by the market. “Every day is a continuation in the cyber security journey,” Zviti said. “The more investment they put into their information security, the more recognition by the insurance market is expected.”

Insurers, in turn, are incentivized to support clients in building cyber resilience – not just transfer risk. “We, as an industry, need to help our clients become more cyber resilient and cyber ready to help thwart the bad guys,” he said.

Cyber exposures cut across product lines

Cyber risk doesn’t exist in a vacuum. It crosses into multiple lines – D&O, E&O, media, even crime/fidelity – and triggers more than just technical incidents. “Cyber threats impact all facets of business whether it’s business interruption, theft of funds, theft of data, the operability and viability of a business, their reputation,” Zviti said.

A single attack can activate several insurance policies, each carrying different timelines and consequences. “A cyberattack can trigger multiple lines of coverage and how you respond to a cyberattack in the immediate moments is really what dictates the knock-on effects,” he said. “Directors and officers will be looked at with 20/20 hindsight as to how they handle the cyber event.” This is why robust table top exercises are a crucial component to good cyber hygiene.

Coverage gaps, AI threats and the speed of change

Emerging risks – including AI-driven threats like deepfake scams – are adding complexity to underwriting. Zviti recalled a recent example: “A deep fake videocall displaying an AI-generated CFO was used to convince a bank branch employee to transfer $25 million to fraudsters. I was amazed at how sophisticated the threat actors have become.”

Threat actors, he stressed, don’t discriminate by size or sector. “They’re agnostic to the types of victims they go after – large enterprise, small business, for-profit, nonprofit, government entities. They’re looking for the weakest link to exploit.”

The rise in third-party dependencies has also widened exposure. Increased reliance on vendors and cloud platforms has added “a greater lack of awareness of all the different moving parts,” he said. That’s where the insurance market can deliver more than indemnity – by closing visibility gaps and reinforcing weak links through risk services.

“Everyone is aligned in making sure that buyers of insurance are the most protected they can be,” said Zviti. That includes pre-breach support like incident response testing, MDR licenses, and tabletop exercises.

The market’s ability to respond is being tested daily. But Zviti pointed out that cyber insurance has evolved into the most agile segment of the industry. “It’s the most agile product and most agile facet of the insurance space that I’ve seen in my career,” he said.

Affordability, aggregation, and the road ahead

Looking forward, systemic risk and affordability are emerging as key challenges – especially in the large enterprise segment. “Systemic aggregation risk, migrations to the cloud and software dependencies… may create correlated exposures,” Zviti said.

At the same time, the pricing  of cyber insurance is under pressure.  With an eye towards pricing stabilization, Zviti reflects “the affordability of the coverage versus the coverage breadth – you know the saying, you get what you pay for,” he said. “How do you bridge that gap between the spend and actually what you’re buying, both for the large and small businesses? The key is to partner with markets that know how to understand and underwrite exposure while offering services to make buyers more resilient.”