Threat actors are evolving faster than the market can adapt
Cyber insurance is racing to catch up with an evolving risk landscape – and it’s still falling short. The market has matured rapidly, but not fast enough to match the rising sophistication of cybercriminals and the surge in client-specific demands.
“The threat actors consistently are getting more sophisticated, more advanced in their approaches,” said Barrett Wills (pictured), senior vice president, cyber, at CAC Specialty. “Historically, we saw threat actors being involved from the beginning of the process all the way to the end. We now see some threat actors that are specialized in parts of the process.”
These targeted roles – some focused solely on data exfiltration, others on selling stolen information – have made cyberattacks more efficient and harder to predict. Meanwhile, exposure points continue to expand. “It’s via double extortion, supply chain vulnerabilities, which were really big in 2024, then also emerging technologies like AI,” Wills said.
Growing risk, fragmented response
Wills said the market has responded by tightening underwriting standards and shifting how it evaluates sector-specific risk. He pointed to high-profile attacks on retail companies in the UK and the increasing burden placed on healthcare providers as regulatory scrutiny grows. “You look at 2024 and in prior years where healthcare companies have become a large part of the conversations… if you look at the UK in 2025, there’s a handful of retail companies that all got hit within the same couple weeks,” he said.
However, there’s no one-size-fits-all approach for clients navigating these challenges. Wills emphasized that client needs vary widely – from first-time SME buyers focused on basic coverage clarity to large enterprise accounts seeking customized, manuscripted wordings.
“A client may make an acquisition and, based on that acquisition, their exposure is now changed and we need to address that exposure,” he said. “Or they’ve changed their business model of sorts and we need to address that exposure going forward.”
Even clients with mature programs are pushing for updates to cover past pain points. “Clients [want] to make sure that a claim is covered going forward – whether it was one that was previously declined or there’s parts of the process that could have gone smoother,” he said.
Infrastructure shifts driving new exposures
One of the most significant developments, according to Wills, is how network connectivity is expanding risk in ways many clients didn’t anticipate. “We are seeing clients’ networks being really integrated or connected with their vendors,” he said. “For those clients… that have an operational or an OT network, this was a part of their network that used to be very isolated… but now it is [connected].”
That shift exposes clients to new threat vectors. “It now offers a larger landscape for the threat actors to target. It gives them more endpoints, it gives them more vulnerabilities to go after.”
In response, CAC Specialty launched its cyber peril pro form to close specific gaps for clients in the utility and energy sectors. “Making sure that we’re offering a solution that wasn’t necessarily readily available for clients previously,” Wills said.
Market maturity – and its limits
The insurance industry has made progress in separating cyber coverage from traditional property and casualty policies, but challenges persist. “Cyber insurance was previously contemplated within PNC policies… now we have the ability to offer affirmative coverage to our clients via a cyber policy,” Wills said.
Still, he acknowledged that the market often lags. “Prior to the cyber hard market, carriers were looking for the minimum amount of security controls in place to write business,” he said. “Now that’s shifted.” Minimum controls are now required, and expectations vary based on sector, company size, and the limits requested.
Education remains essential. “Making sure our clients and others in the industry are informed of both the benefits and the potential negative impacts that these emerging technologies have will really have a large impact of staying ahead,” Wills said.
Pressure to deliver year-round value
Brokers, he stressed, can’t afford to operate on a 12-month cycle. “It’s an annual cyber policy for a reason,” Wills said. “It shouldn’t be only focused on your client and the threat landscape for the three to four months leading up to placing the annual policy.”
Frequent touchpoints and proactive planning are essential, particularly when assessing both first-party and third-party exposures. The latter are particularly difficult to measure. “Sometimes it takes years to really see the financial impact that these have,” he said.
Inconsistent pricing also remains an obstacle. “The hope would be having kind of less dramatic swings in pricing,” Wills said, pointing out that while first-party claims may be decreasing in frequency or severity, third-party claims are still coming in and remain unresolved.
Related Stories
