Last spring, Diane, a controller at a mid-sized accounting firm in Cleveland, sent $312,000 to a long-standing vendor. The email thread appeared to be typical. On the follow-up call, the voice sounded exactly like the vendor’s CFO, right down to his constant little cough. When the actual vendor called three days later to inquire about the status of the payment, she discovered that the voice had been cloned from a thirty-second podcast clip. Reluctantly, her company’s cyber insurer paid for the majority of the loss before discreetly refusing to extend the coverage. That tale is no longer uncommon. It is the new baseline.
The market for cyber insurance was estimated to be worth $16.3 billion in 2025, which may seem huge, but it actually makes up less than 1% of all property and liability premiums worldwide. That number might provide all the information you need to understand how unprepared the world truly is. In the early 2020s, carriers increased rates by fifty to one hundred percent, imposed ransomware sub-limits, and withdrew from whole industries. After that, there was a brief period of calm. Rates decreased. Late in 2024, Marsh reported a six percent global decline. The declines in Europe were as sharp as twelve percent. For a brief moment, it seemed as though the worst was behind us. It wasn’t.
What changed, practically overnight, was the emergence of generative AI as a useful tool for criminals. Attempts to commit deepfake fraud increased by about 3,000%. Phishing emails ceased to read as though they had been translated into three languages and began to sound, in a sense, like they were from your supervisor. I’ve spoken to underwriters who have described an odd split-screen experience: while the severity of individual claims continued to rise, their loss ratios appeared healthier than ever, averaging between 75 and 88 percent. Cost per claim increases while frequency decreases. That is not a stable state. The market is holding its breath.
In the past, ransomware was used to lock files. It’s about leaking them now. Data theft accounted for 40% of large cyber claims (those exceeding a million euros) in the first half of 2025. That represents an increase from 25% the previous year. Attackers discovered that encryption had become nearly useless as leverage due to improved backups. They pivoted as a result. They first steal the data, threaten to publish it, and then let class action lawyers and regulatory fines do the rest of the damage. Exfiltration-related losses are more than twice as high as non-exfiltration losses. In some industries, the math has quietly become unworkable for insurers.

Education and healthcare continue to suffer the most. Almost every small hospital’s IT department has an overworked administrator using antivirus software that is older than some of the patients. Underwriters are informing these organizations that their coverage is decreasing and their premiums are increasing. Discounts are being given to Fortune 500 companies that have complete security operations centers. The market has split into two tiers, with no clear link between them.
What should really concern people is the protection gap. Over a four-year period, the economic harm caused by cybercrime in Germany increased by about 250%. The growth in insured losses was only 70%. This ratio is more than three to one, which means that for every dollar that an insurer pays out, three dollars are eventually absorbed by the victim, suppliers, or customers. Of the eligible organizations, 47% have standalone cyber coverage. In essence, the remaining 53% are wagering their survival on going unnoticed.
One well-known quote from the early days of aviation insurance states that no one knew how to price a risk they had never seen. Right now, cyber feels similar. The high premiums have attracted a large number of reinsurers, but few of them are truly confident in their catastrophe models. A single widely exploited vulnerability or an outage at a cloud provider could result in losses that erase ten years of industry profits. Munich Re continues to project 10% annual growth through 2030, which may seem promising, but keep in mind that growth and solvency are two different things.
It’s difficult to avoid wondering if the industry is addressing the wrong issue as this develops. The hygiene requirements were effective. Loss ratios were pushed into healthier territory by MFA, EDR, and backups. However, hygiene presupposes that the attacker is human, operating at human speed and making human errors. The next wave is not. And most policies being drafted today still make the assumption that it is.
