Global cyber insurance market could hit new highs by 2030, Gallagher forecasts

The global cyber insurance market is forecast to grow to between $30 billion and $50 billion by 2030, according to Gallagher’s 2026 Cyber Insurance Market Outlook. The market is currently estimated at $16 billion to $20 billion in 2025.

North America continues to hold the largest share of the market, accounting for 60% to 70% of global premiums. The Asia-Pacific region is expected to record the highest growth rate, driven by increased digitalization across the region.

Gallagher noted that pricing has stabilized following a three-year softening period, with most buyers experiencing flat rates. The healthcare sector remains an exception, facing single-digit rate increases due to elevated claims activity.

The threat landscape continues to evolve. The average cost of a data breach in the United States reached $10 million in 2025, according to the US House Committee on Homeland Security. Ransomware remains a persistent threat, though tactics have shifted from data encryption toward data exfiltration and extortion.

These findings align with separate data from Resilience showing a growing mismatch between claim frequency and severity. The average cost of an individual ransomware incident rose by 17% in H1 2025, while incurred claims volumes dropped by more than half at 53%. Ransomware accounted for 91% of incurred claims in that period.

Gallagher reported that ransom payment rates have declined, with only 28% to 32% of victims paying in 2025, down from 37% in 2024. Average ransom payments fell 10% to between $1.2 million and $1.8 million.

The report identified several threat actors of concern, including North Korean remote IT workers infiltrating US companies, criminal organization Scattered Spider, and China-linked Salt Typhoon. Supply chain attacks targeting software-as-a-service companies and cloud providers also continued throughout 2025.

Gallagher highlighted AI-driven cyber losses as an emerging concern. Supply chain compromise accounted for 30% of reported AI-related security incidents, followed by model inversion at 24% and model evasion at 21%.

On the regulatory front, the Cyber Incident Reporting for Critical Infrastructure Act takes effect in May 2026, requiring 72-hour incident reporting. States introduced 200 cybersecurity bills in 2025 focused on breach notification and ransomware defense.

Carriers are tightening policy language around contingent business interruption coverage and non-breach privacy claims. At least one insurer has introduced a standalone AI policy, while others are offering endorsements covering costs to retrain large learning models.