The Market That Cannot Find Its Floor
Cybersecurity insurance was supposed to be straightforward: organizations pay premiums, and if they suffer a cyberattack, the insurer covers the costs — incident response, legal fees, regulatory fines, business interruption, and data breach notification. The model worked when cyberattacks were infrequent and losses were manageable.
Then ransomware happened.
Between 2019 and 2023, ransomware losses exploded. Individual incidents reached a scale the market had never priced for: a reported $40 million ransom paid by CNA Financial (2021), $11 million paid by JBS Foods (2021), and an estimated $2.457 billion in total costs for UnitedHealth Group following the Change Healthcare breach (2024). During the worst years of 2020 and 2021, some individual insurers saw loss ratios exceed 100%, meaning they paid more in claims than they collected in premiums. Industry-wide, loss ratios hit 72% in 2020 and 65% in 2021 before tightening measures brought them down to 43% by 2022.
The market responded with three simultaneous adjustments: premiums skyrocketed (annual price increases averaging around 70% from 2020 to 2022, according to Howden), coverage narrowed (new exclusions for specific attack types), and underwriting requirements tightened (insurers demanded evidence of specific security controls before issuing policies). After peaking in mid-2022, rates softened — falling 27% by 2025 as profitability improved and competition increased. But the landscape remains fundamentally different from five years ago.
The global cyber insurance market reached an estimated $15.3 billion in premiums in 2024, according to Munich Re, with 2025 estimates ranging from $16.3 billion (Munich Re) to $16.6 billion (Swiss Re). S&P Global Ratings projects premiums could reach $23 billion by 2026, driven by a combination of rate increases and new buyers entering the market. North America accounts for 69% of global premiums, while Europe represents 21% with the fastest growth rate. Munich Re expects the global market to more than double by 2030, growing at an average annual rate above 10%.
But growth is driven by premium increases and expanding purchase requirements, not by satisfied customers. The relationship between insurers and policyholders is strained, with both sides uncertain about whether the current model is sustainable.
How Cyber Insurance Underwriting Works in 2026
The days of answering a simple questionnaire and receiving a policy are over. Modern cyber insurance underwriting is a rigorous technical assessment.
The Application Process
Insurers now require detailed technical documentation: network architecture diagrams, security tool inventory, vulnerability management processes, incident response plans, backup and recovery procedures, and evidence of security controls. Some insurers conduct active external scanning of the applicant’s internet-facing infrastructure to independently verify claims.
Mandatory Security Controls
Most insurers in 2026 require the following as conditions of coverage:
- Multi-factor authentication (MFA) on all remote access, email, and privileged accounts. This is effectively non-negotiable: most insurers decline applications that cannot show MFA on these three surfaces.
- Endpoint Detection and Response (EDR) deployed on all endpoints — traditional antivirus is no longer sufficient
- Regular patching with evidence of a formal vulnerability management program
- Email security including anti-phishing controls, DMARC enforcement, and security awareness training
- Backup and recovery including offline/immutable backups tested regularly — this is the most important control for ransomware resilience
- Network segmentation preventing lateral movement between systems
- Privileged access management for administrator accounts
- Incident response plan that has been tested (tabletop exercises) within the last 12 months
Failure to maintain these controls during the policy period can void coverage — similar to how a homeowner’s insurance policy requires functioning smoke detectors.
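To make "DMARC enforcement" concrete (it is the one control on this list that an external scan can verify from public DNS alone), here is an added example in Python, not code from the original page or from any insurer: it parses the TXT records published at _dmarc.<domain> and decides whether the policy actually enforces. The domains and records are constructed and there is no live DNS lookup. It applies the RFC 7489 defaults (pct defaults to 100, sp defaults to p, and more than one DMARC record invalidates all of them), which is why a p=reject record with pct=25 or sp=none still fails the check.

```python
"""Decide whether a DMARC record is enforcing, the way an insurer's external scan would.

Added example with constructed records; no DNS queries are made. RFC 7489 rules applied:
tags are ';'-separated name=value pairs, 'v=DMARC1' must lead, 'p' is required,
'pct' defaults to 100, 'sp' defaults to the value of 'p', and a domain with more than
one DMARC record is treated by receivers as having none.
"""
from dataclasses import dataclass
from typing import Optional

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcVerdict:
    enforcing: bool
    reason: str
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dict; raise on malformed input."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: list) -> DmarcVerdict:
    """Given every TXT record found at _dmarc.<domain>, report whether DMARC enforces."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcVerdict(False, "no DMARC record published")
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: multiple records means receivers ignore DMARC entirely
        return DmarcVerdict(False, "multiple DMARC records; receivers discard all of them")
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        return DmarcVerdict(False, f"unparseable record: {exc}")
    policy = tags.get("p")
    if policy is None:
        return DmarcVerdict(False, "missing required 'p' tag")
    policy = policy.lower()
    sub_policy = tags.get("sp", policy).lower()  # sp falls back to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # an unparseable pct is treated as enforcing nothing
    if policy not in ENFORCING:
        return DmarcVerdict(False, f"p={policy} is monitor-only", policy, sub_policy, pct)
    if pct < 100:
        return DmarcVerdict(False, f"only {pct}% of failing mail is subject to p={policy}",
                            policy, sub_policy, pct)
    if sub_policy not in ENFORCING:
        return DmarcVerdict(False, f"subdomains fall back to sp={sub_policy}",
                            policy, sub_policy, pct)
    return DmarcVerdict(True, f"p={policy}, sp={sub_policy}, pct={pct}", policy, sub_policy, pct)


# Constructed sample records for hypothetical domains (not real DNS data)
SAMPLES = {
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "partial.example": ["v=DMARC1; p=reject; pct=25"],
    "weak-subdomains.example": ["v=DMARC1; p=reject; sp=none"],
    "enforcing.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@enforcing.example"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "missing.example": ["google-site-verification=abc123"],
}


def assess_samples() -> dict:
    """Map each sample domain to its enforcing verdict."""
    return {domain: assess_dmarc(records).enforcing for domain, records in SAMPLES.items()}


if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        v = assess_dmarc(records)
        status = "ENFORCING" if v.enforcing else "NOT ENFORCING"
        print(f"{domain:25} {status:14} {v.reason}")
```

Of the six constructed domains only enforcing.example passes; the three records that contain the word "reject" all fail for reasons a simple grep for p=reject would miss. A real scanner would feed the output of a TXT lookup for _dmarc.<domain> into assess_dmarc and apply the same logic to the organizational domain of any subdomain that sends mail.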
Premium Calculation
Premiums are calculated based on:
- Company size (revenue, employee count, data volume)
- Industry (healthcare and financial services pay the highest premiums due to regulatory exposure and target attractiveness)
- Security posture (organizations with strong controls receive lower premiums; those with gaps pay more or are declined)
- Claims history (previous incidents result in higher premiums or coverage restrictions)
- Limits and deductibles (higher coverage limits and lower deductibles increase premiums)
A mid-sized company ($100M-$500M revenue) typically pays $100,000-$500,000 annually for $5M-$10M in cyber insurance coverage. Large enterprises pay $1M-$5M+ for higher limits. According to IBM’s 2025 Cost of a Data Breach report, the average global breach cost fell to $4.44 million, while the average cost for US companies rose to a record $10.22 million — figures that inform how organizations choose their coverage limits.
What Cyber Insurance Covers (and What It Does Not)
Typical Coverage
First-party coverage (losses suffered by the policyholder):
- Incident response costs: Forensic investigation, legal counsel, crisis communications, notification costs
- Business interruption: Lost revenue and extra expenses during system downtime
- Data recovery: Costs to restore systems and data from backups
- Ransomware payments: Covered by some policies (see below for caveats)
- Regulatory fines and penalties: Covered in jurisdictions where insuring fines is legal
Third-party coverage (claims from others):
- Data breach liability: Claims from individuals whose data was compromised
- Regulatory defense: Legal costs of defending against regulatory actions
- Media liability: Claims related to content published by the organization (defamation, copyright)
The Exclusions That Matter
War and state-sponsored attacks: The most contentious exclusion in cyber insurance. In August 2022, the Lloyd’s Market Association issued Market Bulletin Y5381, requiring all standalone cyber insurance policies in the Lloyd’s market to include exclusions for state-sponsored cyberattacks, effective March 31, 2023. The challenge: attribution of cyberattacks to nation-states is difficult, contested, and often takes months or years. When NotPetya (attributed to Russia’s Sandworm group, a unit of the GRU) caused over $10 billion in global damage in 2017, insurers attempted to invoke war exclusions to deny claims. Merck won a landmark $1.4 billion ruling when the New Jersey Superior Court ruled in January 2022 — affirmed by the appeals court in May 2023 — that the war exclusion, written for conventional military conflicts, did not apply to a cyberattack. The case settled in January 2024 just before the New Jersey Supreme Court was set to hear oral arguments.
Since then, insurers have rewritten war exclusions with cyber-specific language. The four Lloyd's Market Association model clauses exclude losses from cyber operations carried out in the course of a war and from "retaliatory cyber operations" between specified states, and they spell out how attribution is to be decided: the primary (but not exclusive) factor is whether the government of the state in which the affected systems are physically located attributes the operation to another state, and in the absence of such attribution the insurer may rely on an objectively reasonable inference. The practical problem remains: if your organization is hit by an attack attributed to a Russian or Chinese threat group, will the insurer pay? The answer depends on the specific policy language, the attribution confidence, and potentially years of litigation.
Ransomware payment restrictions: Some insurers have stopped covering ransomware payments entirely. Others cover payments but require the policyholder to obtain legal clearance to ensure the payment does not violate sanctions. Paying a ransomware group linked to a sanctioned entity such as North Korea's Lazarus Group violates US sanctions administered by OFAC, which applies a strict-liability standard for civil penalties and can refer wilful violations for criminal prosecution. France enacted the LOPMI law in January 2023 (effective April 2023), which permits insurers to cover ransomware payments only if the victim files a complaint with the competent authorities within 72 hours of becoming aware of the attack. Meanwhile, IBM's 2025 data shows that 63% of organizations are now refusing to pay ransom demands, up from 59% the year before.
Infrastructure failure: Most policies exclude losses from the failure of third-party infrastructure (cloud providers, internet backbone, power grid) unless the failure was caused by a cyberattack. The July 2024 CrowdStrike global outage — a faulty update to the Falcon Sensor that crashed 8.5 million Windows devices worldwide — tested this boundary. Total economic losses were estimated at over $10 billion, with Fortune 500 companies alone losing an estimated $5.4 billion. However, insured losses were far lower — between $300 million and $1.5 billion according to estimates from Guy Carpenter, CyberCube, and Parametrix — because only 10-20% of losses were covered by insurance policies. Many insurers argued the outage was a software defect, not a cyberattack, and therefore excluded.
Known vulnerabilities: If an organization is breached through a vulnerability that was known and unpatched for an extended period, insurers may deny the claim on grounds of negligence.
The Systemic Risk Problem
Cyber insurance faces a challenge more acute than in almost any other insurance line: systemic risk, the possibility that a single event causes correlated losses across many policyholders simultaneously.
In property insurance, a hurricane in Florida does not cause fires in California. Losses are geographically uncorrelated, allowing insurers to diversify risk across regions. In cyber insurance, a single vulnerability in a widely-used software product (Log4j, MOVEit, Microsoft Exchange) can cause simultaneous breaches at thousands of organizations worldwide. A successful attack on a major cloud provider could affect millions of organizations simultaneously.
This systemic risk makes traditional actuarial modeling (based on independent, uncorrelated events) unreliable. Insurers cannot accurately predict the frequency and severity of losses when a single event can trigger claims across their entire portfolio.
The CrowdStrike outage in July 2024 was a preview: a single faulty update caused global business interruption affecting airlines, hospitals, banks, and government agencies simultaneously. A deliberate attack of similar scope could be far more expensive and would raise attribution questions that trigger war exclusion disputes.
Responses to systemic risk:
- Catastrophe bonds (cat bonds): The catastrophe bond market reached $25.6 billion in total issuance in 2025, up 45% from 2024. Cyber-specific cat bonds are growing rapidly — in Q4 2025 alone, $450 million of new cyber reinsurance was placed through cat bonds, including Beazley’s $300 million PoleStar Re Ltd. (Series 2026-1), the largest cyber cat bond to date. The market is maturing, with the early “innovation premium” for cyber cat bonds largely eroded.
- Government backstop programs: The US is exploring a federal cyber insurance backstop similar to TRIA (Terrorism Risk Insurance Act). In January 2026, the House Committee on Financial Services advanced H.R. 7128, which would extend TRIA until 2034. A separate report recommends tying a cyber backstop to TRIA renewal. However, the Treasury Department’s assessment of appropriate federal response mechanisms remains ongoing — as of April 2025, Treasury had not provided Congress with a timeline for its conclusions.
- Risk pooling: Industry-specific pools (financial services, healthcare) that spread risk across participants
- Aggregate limits: Insurers cap total payouts per event across all policyholders
The Compliance Feedback Loop
An unintended but significant benefit of cyber insurance is its effect on security posture. Because insurers require specific security controls as conditions of coverage, cyber insurance has become a de facto security compliance framework.
Organizations that might resist spending on MFA, EDR, or backup infrastructure for abstract security reasons will implement these controls when their insurance application is denied without them. The insurance market is driving security improvement faster than regulation in many sectors.
This creates a positive feedback loop: better security controls lead to fewer incidents, which produce lower claims, which enable lower premiums, which allow more organizations to afford coverage, which lets insurers require more controls, which improves security posture across the market.
Some CISOs report that obtaining cyber insurance approval has been more effective at securing budget for security investments than any internal business case. When the CFO hears “we cannot get cyber insurance without this,” the budget materializes.
The EU regulatory environment reinforces this dynamic. While NIS2 (transposition deadline 17 October 2024, with national implementation still being completed in several member states) and DORA (applicable since 17 January 2025) do not explicitly mandate cyber insurance, their comprehensive security requirements overlap substantially with insurer underwriting demands. Organizations preparing for EU regulatory compliance find themselves simultaneously meeting insurance prerequisites.
Decision Radar (Algeria Lens)
| Dimension | Assessment |
|---|---|
| Relevance for Algeria | Medium-High — Cyber insurance is nascent in Algeria, but organizations with international operations, EU contracts, or banking relationships may face growing pressure to carry coverage; the domestic market is in early development |
| Infrastructure Ready? | Limited — Few Algerian insurers offer dedicated cyber insurance products (CAAT’s “e-pack startup” is a notable exception); international insurers (AXA, Allianz, AIG) may cover Algerian subsidiaries of multinationals |
| Skills Available? | Very Limited — Cyber insurance underwriting and brokerage expertise is scarce in Algeria; most insurance professionals lack cybersecurity technical knowledge needed for risk assessment |
| Action Timeline | 12-24 months — Algerian organizations should begin by meeting common underwriting requirements (MFA, EDR, immutable backups) even before purchasing insurance |
| Key Stakeholders | Algerian insurance companies (SAA, CAAT, CAAR, Alliance Assurances), international insurers operating in Algeria, Sonatrach and Sonelgaz risk management, Algerian banking sector, Ministry of Finance, Insurance Supervisory Commission |
| Decision Type | Strategic-Financial — Cyber insurance is a risk transfer mechanism that requires both financial and technical decision-making |
Quick Take: Algerian organizations should approach cyber insurance from two angles. First, regardless of whether they purchase a policy, they should implement the security controls that international insurers require (MFA, EDR, immutable backups, tested incident response plans) — these represent sound security practice irrespective of insurance status. Second, organizations with international exposure — Sonatrach, banks with correspondent banking relationships, companies contracting with European firms subject to NIS2 or DORA — should evaluate cyber insurance through international brokers, as EU regulatory pressure is making coverage effectively mandatory for companies in scope. For the Algerian insurance industry itself, developing domestic cyber insurance expertise represents a significant market opportunity as Algeria’s digital economy expands and attack frequency increases.
Sources
- Munich Re — Cyber Insurance Risks and Trends 2025
- Swiss Re — Reality Check on Cyber Insurance Market
- S&P Global Ratings — Cyber Insurance Market Outlook 2026
- Howden — 2025 Cyber Insurance Report
- Lloyd’s of London — Market Bulletin Y5381: Cyber War Exclusions
- Marsh — Global Insurance Market Index
- IBM — Cost of a Data Breach Report 2025
- WTW — Insurance Marketplace Realities 2026: Cyber Risk
- Coalition — Cyber Claims Report 2025
- Merck v. Ace American Insurance — NotPetya Ruling and Settlement
- OFAC — Ransomware Payment Advisory
- GAO — TRIA Considerations for Reauthorization
- Artemis — Cyber Catastrophe Bond Market
- France LOPMI Law — Cyber Insurance Reporting Requirements