A more competitive cyber insurance market has emerged in the past two years - but only for companies that can prove they’re worth the risk.
“Where companies are able to demonstrate favorable security controls, there are insurance carriers out there that are competing to write that business,” said Dan Cahlander, cyber risk practice leader at Holmes Murphy & Associates.
After a hard market cycle, increased carrier capacity has helped flatten premiums. But while rates are improving, standards have not. “Companies that aren't able to demonstrate a strong security posture are still struggling to obtain competitive coverage,” Cahlander said. “Where they don't, they may see higher premiums, they may see restrictive policy language or sub-limited coverage, or denials.”
Brokers are finding themselves at the center of a bifurcated market. Companies with mature controls and response capabilities are benefiting from reduced rates. The rest are either underinsured - or excluded altogether. “From an underwriting perspective, they're continuing to look at organizations' resilience from being able to thwart off bad actors and rebound from cyberattacks,” he said.
As cyber threats evolve, so do regulatory pressures. A fragmented patchwork of US state data privacy laws has created significant challenges for clients and carriers alike. “There are somewhere around 20 states now… that have actually filed their own data privacy breach laws,” Cahlander said. “And they can be different from state to state.”
The absence of a federal privacy framework means insurers must navigate a landscape where compliance risks vary widely. This has opened the door for lawsuits targeting technical noncompliance, particularly in sectors such as healthcare, retail, and hospitality.
“There are some law firms out there… using publicly available tools to target companies for use of pixel tracking technology, and if they get a feeling that they’re out of compliance with, for example CCPA, they are sending a demand letter or filing a class action lawsuit for lack of consent,” Cahlander said, referring to the California Consumer Privacy Act.
Lawsuits related to pixel tracking - where third-party tracking pixels and scripts embedded in a website send visitor data to advertising or analytics platforms without the visitor’s consent - have led to multimillion-dollar settlements, particularly when protected health information was involved. “We've seen some bigger settlements in that… where companies aren't properly informing those individuals that are visiting their website of the information they're tracking,” he said.
Cybercriminals are also weaponizing artificial intelligence. “One in six breaches is now utilizing AI,” Cahlander said, referencing IBM’s Cost of a Data Breach report.
He pointed to a recent case where a company received a $25 million wire transfer request. The employee did a standard callback, believed they were speaking to the CFO, and even joined a Zoom meeting - where a deepfake video impersonated the executive. “They thought they were talking to this individual… and it's all just a deep fake,” Cahlander said.
As attacks evolve, some insurers are updating policy language to reflect the shift. “We've seen some carriers specifically define in the policies that their intent under the social engineering coverage extension is to pick up artificial intelligence-related attacks,” he said.
Still, many carriers build in conditions that may prevent claims from being paid - especially when employees fail to follow authentication protocols. “There are some carriers that'll work in authentication requirements or callback requirements… if they didn't do like an out-of-band authentication… then they are not going to cover it,” Cahlander said.
Those conditions, he added, can be difficult to meet in practice. “It’s not that companies don't have protocols in place… it's more because employees just aren't following the set protocol.”
While social engineering policies evolve, coverage around data privacy claims remains inconsistent. Cahlander warned that the market is “all over the place” when it comes to lawsuits stemming from the collection of personal data.
The coverage - known broadly as “wrongful collection” - is intended to respond to claims where companies gather information without properly informing users or obtaining consent. But many carriers are pulling back. “Some carriers are starting to exclude that because these claims are really starting to pick up… and some carriers have really paid a lot of money out on these claims,” Cahlander said.
Even among carriers that haven’t fully excluded the coverage, limits often apply. “There are some carriers that will not cover any settlement, but they'll just pick up defense costs related to those claims,” he said.
The stakes are especially high for clients in industries heavily reliant on data collection. Brokers need to evaluate exclusions closely during placement and make clients aware of gaps. “We try to negotiate our coverage on the front end wherever possible so we can be confident in the coverage we're placing for our clients,” Cahlander said.