Despite a soft market, carriers are staying aggressive. Here’s what brokers need to watch

Cyber insurance pricing may be trending downward, but the market hasn’t lost its edge. In fact, despite favorable conditions for buyers, insurers aren’t showing signs of retreat.
“We saw a competitive market dynamic where incumbents don’t want to give up their books of business,” said Matt Chmel, head of cyber solutions – North America, at Aon. “But we also saw a lot of new entrants and there is a lot of capacity out there.”
That dynamic led to an average pricing decrease of 4% in Q2 2025 – marking the 11th straight quarter of rate reductions. While that trend is expected to continue through the end of the year, the soft market isn’t universal.
“We are being a little cautious in certain segments,” Chmel said. “We know certain segments are running a little bit hotter in terms of loss history, mainly from 2023 and prior loss years.” Some carriers are seeing loss and expense ratios creeping toward break-even or worse, but none have meaningfully exited the market.
“Coverage is still relatively healthy,” he said. “We are still continuing to see programs expand.” Retentions remain stable, and capacity is plentiful. Clients still have flexibility to raise retentions in exchange for lower premiums, but overall structures haven’t shifted drastically.
Buyers get smarter – and more surgical
Where change has occurred is in how clients are using analytics to fine-tune their purchasing.
“Clients do have the ability to take up their retentions if they’re looking for some premium relief,” Chmel said. “We’re starting to see our clients really look to optimize their purchasing structures, mainly due to the introduction of more sophisticated data and analytics tools.”
Whether that means restructuring towers, adjusting retention layers, or buying excess limits, more buyers are modeling coverage against actual exposure. That’s a noticeable shift from prior years.
This shift in sophistication is timely, with ransomware still leading the charge in claims volume. But other risks are rising too. “You’re also starting to see privacy claims start to tick back up,” said Chmel, pointing to increased litigation tied to tracking pixels and data collection under tightening regulations.
Uninsured segments begin to circle back
There’s also movement among previously uninterested buyers. “Cyber is still very much a discretionary buy,” Chmel said. Many SMEs and mid-market companies still don’t purchase coverage. Even in the large-account space, some firms have historically opted out.
But that may be changing. “Some of those clients are starting to reach back out to have more detailed conversations,” he said. Chmel pointed to recent high-profile incidents in the UK and US – including attacks on the retail, airline, and healthcare sectors – as motivators. Events like the CrowdStrike outage, the CDK breach, the Change Healthcare disruption and, most recently, the Scattered Spider attacks have sparked new questions about exposure and transfer strategies.
Clients with existing programs are also reassessing. “They’re making sure they’re purchasing the right amount of coverage or the right structure to meet their needs,” Chmel said.
Security controls aren’t enough on their own
Not all organizations are opting for insurance. Some, like UK-based supermarket Co-op, have publicly chosen to invest solely in IT security. Chmel warned against a binary approach.
“You still need to continue to invest in the IT securities and controls to make sure your security remains best in class,” he said. “But then also having that financial backstop… to protect that balance sheet in case those protections don’t work.”
He advised firms to work with brokers and IT teams to assess both exposure and balance sheet tolerance. Coverage decisions should flow from that broader understanding of total cost of risk.
AI and privacy litigation remain key exposures
Artificial intelligence has introduced new exposures – and reshaped existing ones. According to Chmel, the impact of AI splits into four main categories:
- Companies using AI to defend their own systems
- Bad actors using AI to enhance attack methods
- Businesses integrating third-party AI tools
- AI developers facing risk related to the tools they build
Each of these presents a different set of risks – and each requires careful evaluation.
At the same time, privacy remains a persistent threat, especially with regulatory developments driving new litigation. “Privacy litigation still remains out there,” said Chmel, citing state-level regulations such as CIPA, BIPA, and VPPA.
The insurance response remains uneven. “Some of the insurers are doing a better job of underwriting that risk than others,” he said. “Some of them have just completely avoided the coverage at all in general.”
The SME gap isn’t closing fast enough
Looking ahead, Chmel identified under-penetration in the SME and middle-market space as one of the sector’s biggest vulnerabilities.
“I think those… are still relatively underpenetrated in terms of the number of purchasers,” he said. Brokers are exploring options like group purchasing, association partnerships, and embedded coverage solutions to expand access.
“For the middle market companies, it’s definitely about penetration and the opportunity to get in front of them to explain how cyber insurance works,” he said. “The education process, and really the distribution – how do you get and penetrate into those SME and middle market clients – is really a big area that we’re focusing on.”
Larger clients, by contrast, need advanced analytics and deeper modeling tools. “It’s making sure they can purchase to the appropriate amount of exposure they have,” said Chmel. “And continue to evolve [coverage] to their ever-changing needs and demands.”