Cyber risk is proliferating and diversifying. Can insurers stay nimble and grow their capacity in the face of rising corporate demand?
What was once a marginal area of corporate risk, cyber insurance has become a concern as the interplay between claims inflation, litigation, M&A, and geopolitics accelerates the demand for cyber insurance: especially in the US.
Cyber incident severity has surged to a historic high in the US, with the average cost of a data breach exceeding $10.2 million in 2025, more than twice the global average of $4.4 million, according to the latest IBM Cost of a Data Breach Report. Aggregation risk, litigation risk, and capital allocation are all in the spotlight; while Zurich Insurance Group’s acquisition of rival Beazley plc in March raises further questions about capacity, competition, and consolidation.
A closer look at cyber insurance claims reveals a divergence in activity between the US and Europe. Both major markets lurched upward last year, but the severity of attacks at large US corporates reached a scale that dwarfs European figures entirely and shows little sign of plateauing. Drawing on its own data, Chubb’s 2026 Cyber Claims Report shows large corporate claim severity in the US shooting from an average of $700,000 in 2020 to $4.4 million last year: a more than sixfold increase. European and UK figures, while elevated, remain modest in comparison; starting at just under $1 million in 2020, then almost doubling to over $2.2 million in 2025.
The primary cyber insurance market has evolved materially in recent years, producing a pricing anomaly. Pricing peaked multiple times between 2021 and 2023 amid heavy loss activity before declining steadily—down roughly 30% from a mid-2022 peak—despite persistent attacks. High-profile breaches create a cascade effect as incidents at one firm prompt competitors to reassess coverage, driving demand at large corporates. Yet pricing has not followed severity upward.
The disconnect is striking, says Michael Christodoulou, senior insurance equity research analyst at Berenberg Bank. Higher severity usually implies higher loss estimates and, ultimately, higher pricing. But the inflection point remains elusive.
“We’re not really sure when that could happen,” he says.
Gallagher Re offers a different read of current conditions. Writing in its First View report in April, James Dominguez, senior vice president and cyber reinsurance broker, North America, notes a relative lack of significant incidents thus far in 2026, although geopolitical developments in the Middle East may yet shift that picture.
Among small to midsized enterprises, market share rates are increasing, and aggregate deployed limits are up year-on-year, but rate reductions have broadly offset premium growth. Some stabilization, Dominguez argues, should eventually translate into an expansion in gross written premiums.
Reinsurance appetite, meanwhile, remains robust.
January and April renewals demonstrated a “continued surplus of capacity,” according to Gallagher Re, with average market cessions holding broadly stable at around 39% through the first quarter. Excess reinsurance capacity drove softer non-proportional pricing down approximately 32%, risk-adjusted: a trend Dominguez expects to persist through 2026, driving bespoke solutions for cyber portfolios.
Whether or not this abundance of capital is making its way to corporates is another question. Anecdotal evidence points to challenges in securing the limits required while companies without demonstrable security measures pay significantly higher premiums—if they receive coverage at all.
Consolidation Sparks Concern
Against this backdrop, Zurich’s $11 billion acquisition of Beazley is drawing attention.
With just 10% of the global market, Beazley may not be the largest insurer, but it has long been considered an innovator. The combined entity will still serve a modest share of the world market, and Christodoulou is confident that it will not create a capacity bottleneck. While M&A synergies are never guaranteed, he sees a credible exception here. Zurich’s client base offers a cross-selling opportunity for Beazley’s cyber expertise; those who once treated cyber as an add-on may now opt for a more sophisticated product.
“Customers may see better expertise and more responsive coverage, but the deal is unlikely to shift the broader cyber insurance landscape,” says Anthony Hess, CEO and co-founder of Asceris, a London-based cyber incident investigation and response firm.
Rather, he sees the move as a matter of opportunistic timing: “By buying in a soft market, Zurich is securing Beazley at a discount,” Hess says. “The firm’s value is likely to be significantly larger in three to five years.”
Might competitors follow suit? Christodoulou doubts a broad wave of consolidation is coming.
“This acquisition was really about acquiring people and their expertise,” he argues.
Further, while Beazley is profitable, many of the other market players are loss-making.Rather than an M&A surge, Christodoulou anticipates weaker players will retrench: “My expectation is that those others will conclude that this is not as straightforward a product as they thought.” While this could tighten capacity, stronger carriers could absorb demand.
Aggregation Risk Worries
Aggregation risk remains a persistent concern in cyber insurance. S&P Global Ratings recently raised alarms over systemic cyber accumulation, warning that rising geopolitical tensions make widespread, simultaneous attacks more likely.
But this remains a hypothesis. The closest the market has come to a real test was the 2024 CrowdStrike outage, which, crucially, was not malicious. A truly pervasive attack would most likely be state-sponsored and therefore classified as an act of war, placing it outside standard policy terms. The most threatening aggregation event, in other words, may also be the one for which insurers are least obliged to foot the bill.
That tension sits unresolved at the heart of the product.
It is a tension the Stryker wiperware incident brought into focus in March 2026.
The episode has sharpened all parties’ focus on war-exclusion language in cyber coverage as carriers and reinsurers closely monitor the US-Iran conflict and its implications for nation-state activity clauses. That in turn serves as a reminder that the boundary between cybercrime and cyber war is becoming harder to draw, with material consequences for policyholders and insurers alike.
Waiting for the Regulators
The proliferation and diversification of cyber risks represents a challenge for policy providers. Insurance is an industry that “deals in decades and centuries,” observes Charlie Shute, counsel, Litigation, Arbitration, and Employment at Hogan Lovells in London, and is less comfortable in a threat landscape that can shift week to week.
“It has taken a decade or more for a freestanding cyber insurance market to grow in response to insurer concerns about ‘silent cyber’ coverage,” Shute notes. “More recently, we have seen development of cyber war and cyber non-war markets. Insurers still treat cyber-war coverage for state-sponsored events as a niche product. Insurers are wary for obvious reasons, but demand will only increase.”
As to what extent the rise in mass arbitration and third-party litigation is fundamentally reshaping cyber liability exposure for insurers and the insured, Shute says both sides now view this kind of third-party liability risk as a global problem, not just a US-driven issue.
“We have now seen non-US jurisdictions adopt more generous approaches to group litigation,” he notes. “In the UK, mass litigation based on personal data breaches has seen mixed results, but it is only a matter of time before enterprising litigators and funders can make a particular claim stick and create a template for others to follow.”
Regulation may ultimately prove the most significant market driver. Hess points to the stark gulf between US cyber insurance penetration—around 40%—and the UK’s, which sits at roughly 10% despite being one of Europe’s more mature markets.
Closing that gap, he argues, will require governments to act. Ongoing UK legislative work around ransomware reporting and payment restrictions is a step in the right direction but limited in scope. “Government regulation in Europe will be what really shifts the market,” he predicts.
For the global cyber insurance market, as for so many others, artificial intelligence is the next frontier. Shute anticipates an eventual push to separate AI-related coverage into standalone products but expects uneven progress; technology-led entrants will innovate quickly while established carriers wait for sufficient loss data to price the risk confidently. It is, in miniature, the same dynamic that has defined cyber insurance from the beginning: a market perpetually running to catch up with the risk it is designed to cover.
As the cyber insurance market matures, however, the forces bearing down on it are no longer moving independently. For a market that deals in decades, the convergence may be arriving faster than the industry is prepared to acknowledge.
