Key Takeaways
- Cyber risk is expanding across all sectors, with healthcare, manufacturing, retail education, and public utilities at heighten risk. The average cost of a U.S. data breach reached $10.2 million in 2025, a 9% increase from 2024.
- Baseline cybersecurity controls are now prerequisites for insurability.
- Carrier-provided pre-breach services are a key differentiator.
- Cyber claims involve multiple parallel processes and comprehensive business continuity plans are essential.
- Underinsurance remains a systemic issue. Insureds often underestimate their true short-term exposure resulting from business interruptions and the costs to reestablish operations, as well as the longer exposure from third-party and class-action claims.
- Policy design must reflect real-world recovery timelines. Reputational Harm coverage is increasingly important.
- Threat actors are leveraging AI to scale phishing and social engineering attacks, increasing the pace of change, and honing the “quality” of these attacks.
Market Conditions & Underwriting Focus
The Cyber Insurance market is becoming increasingly complex, driven by escalating threats, evolving regulations, and rising expectations for proactive risk management.
- Carriers are tightening underwriting standards and now require evidence of strong security controls such as multi-factor authentication (MFA), endpoint detection and response (EDR) and privileged-access management. However, increased capacity and competition create opportunities to negotiate broader terms and higher limits for insureds with robust cyber hygiene.
- Pre-breach services are now a critical differentiator. Carriers increasingly bundle offerings such managed detection and response (MDR), phishing simulations, tabletop exercises, and pre-binding IT consultations, which can help reduce loss frequency and severity. Brokers and agents who position these services as part of a comprehensive risk management strategy can deliver measurable value.
- AI is no longer theoretical in cyber risk. IBM estimates one in six breaches now involves AI-driven tactics. While deepfakes are not yet a primary loss driver, the long-term risk of data harvesting and future decryption remains significant, reinforcing the need for continuous monitoring and adaptive security measures.
Cyber exposures affect every industry differently, requiring brokers and agents to align underwriting strategies with sector-specific vulnerabilities and operational realities. Industries at heightened risk include:
- Healthcare: High-value data and regulatory exposure make this sector a prime target. Downtime can lead to patient safety risks and severe reputational harm.
- Manufacturing: IT/OT connectivity creates significant operational risk. Extended downtime can halt production and disrupt supply chains. Non‑IT‑Dependent Business Interruption coverage can be critical when third‑party failures—not the insured’s IT—cause the outage.
- Retail: Customer trust is critical. Breaches often result in reputational damage that persists long after systems are restored.
- Education and Public Utilities: Budget constraints, legacy systems, and misconceptions about exposure increase vulnerability, while regulatory and public safety implications heighten risk.
Business Interruption: How to Improve Outcomes
Business Interruption remains one of the most misunderstood aspects of Cyber coverage. Many insureds assume it functions like an immediate reimbursement for operating expenses. In reality, it is a measured loss of income coverage that requires a covered trigger and a waiting period before loss calculation begins. Other common misunderstandings include:
- Valuation: The focus is on lost net income and necessary extra expenses, not a list of operating costs.
- Payments: Payouts are not immediate; carriers validate and review calculations thoroughly, which can take time.
- Coverage gaps: Many programs lack important extensions such as Non‑IT‑Dependent Business Interruption, which responds when a critical third-party dependency suffers a qualifying event.
- Reputational harm: Revenue loss often continues long after systems are restored because customer trust and brand perception take time to recover.
Brokers and agents can help improve outcomes for their clients by:
- Negotiating short waiting periods and extended indemnity periods (up to 180 days).
- Ensuring full-limit coverage for System Failure, Dependent Business Interruption, and Non‑IT‑Dependent Business Interruption.
- Including Reputational Harm coverage to address post-event revenue loss.
- Setting expectations early about documentation, forensic accounting, and claim timelines.
Claims Lifecycle: What to Expect
Cyberattacks are more expensive than ever. The average cost of a data breach in the United States reached a record $10.2 million in 2025, a 9 percent increase from 2024, according to IBM.
When a cyberattack occurs, the response is complex and involves multiple processes happening at once. A comprehensive business continuity plan is essential to maintain operations, protect people and assets, and accelerate recovery during and after disruption.
While no two cyber events are identical, the stages below outline a typical claims lifecycle to help brokers and agents prepare insureds for the steps they will likely need to take if their data is breached:
Day 0–3: Stabilize and Assess
- Engage breach counsel and negotiators immediately (especially for ransomware).
- Initiate forensics to isolate affected systems and determine data exfiltration.
- Begin regulatory assessment and coordinate with IT to manage downtime.
Week 1–4: Notify and Recover
- Issue notifications and offer credit monitoring to impacted parties.
- Coordinate with banks for funds-transfer recovery efforts.
- Launch public relations (PR) efforts to control the narrative.
Month 1–12+: Litigate and Resolve
- Evaluate class-action filings and regulatory fines.
- Quantify Business Interruption and Reputational Harm.
- Transition to post-breach training and infrastructure hardening.
Tips for Brokers and Agents
In a market where underwriting discipline and proactive risk management are critical, brokers and agents play a critical role in guiding insureds. The following actions can help strengthen resilience, improve insurability, and deliver measurable value.
- Educate insureds on baseline controls. Reinforce MFA, EDR, encryption, and privileged-access management as non-negotiable for coverage and risk reduction.
- Leverage carrier pre-breach services. Promote MDR, phishing simulations, and tabletop exercises to strengthen resilience and reduce claim severity.
- Right-size limits. Model realistic loss scenarios for Business Interruption, regulatory fines, and class action defense to avoid underinsurance and address aggregate exposure concerns.
- Clarify policy language. Review exclusions, sublimits, and indemnity periods to ensure alignment with the insured’s risk profile and retention appetite.
- Plan for claims complexity. Breach coaching, forensic IT, regulatory notifications, PR, and potential class action lawsuits require a comprehensive business continuity plan. Encourage insureds to maintain an incident response plan, vendor contact list, and communication strategy for rapid execution.
- Address emerging risks. Discuss sector-specific and AI-driven threats and the importance of continuous monitoring and adaptive security measures.
By focusing on these priorities, brokers and agents can position themselves as trusted advisors—helping insureds navigate a complex Cyber landscape, secure comprehensive coverage, and recover quickly when incidents occur.
Contributors: Ken LaBelle, Senior Broker, Professional Liability, Burns & Wilcox, Brokerage Division, Chicago, IL; Joey Franiak, Broker, Professional Liability, Burns & Wilcox, San Diego, CA; Kyle Bell-Colfer, Broker, Professional Liability, Burns & Wilcox, Brokerage Division, Chicago, IL; Benjamin Buchanan, Vice President, Specialty Liability Claims, HSB
