Cyber Insurance in 2025: What to Expect

In our annual Cyber Looking Ahead Guide, we share key insurance market themes that emerged in 2024 and offer our predictions for 2025.

Here are the trends we examine in the Guide:

• Data Collection: Cyber insurance coverage for wrongfully collected information—collecting personal information without the individual giving proper consent—is unsettled at best. Data collection is the most consistent coverage aspect that needed negotiation throughout 2024, and the trend is likely to continue this year.
• Security Tools: In 2024, multiple carriers started offering some cybersecurity tools directly, positioning their cyber insurance product as a backstop to protecting businesses. This trend will continue in 2025.
• CISO Coverage: Coverage for chief information security officer (CISO) liability can be found in both cyber policies and well-brokered directors and officers (D&O) policies. Some carriers are now offering a stand-alone policy to cover CISO personal liability.
• Third-Party Risks: Cyber insurance carriers are looking for clients to have a robust third-party risk management program that includes strong contractual language, cybersecurity certifications from vendors, and requirements for vendors to purchase cyber or technology errors & omissions (E&O) insurance.

Hot Topics in Cyber Insurance

We also explore some pressing topics we expect to drive cyber risk throughout 2025.

Technology Supply Chain Attacks. When you consider how long it takes some companies to patch known vulnerabilities, attackers can exploit the vulnerability for months, if not years, and continue to drive losses for cyber insurance carriers. We expect a lot of underwriting scrutiny around third-party risk management controls in 2025.

SEC Enforcement: Recent court decisions and a Republican-controlled SEC give hope for a less risky regulatory environment around cybersecurity for public companies and their CISOs. But less risky does not mean there is no risk.

Artificial Intelligence Risk: AI adoption is happening quickly, and many associated risks are yet to be discovered. When such uncertainty exists, a well-brokered insurance policy can help your organization leverage the power of AI without taking on too much risk alone.

Non-Breach Privacy Claims: Recent litigation trends under US privacy laws, particularly the Video Privacy Protection Act (VPPA), underscore the need for companies to review their data practices and ensure they obtain explicit consent from users before sharing any personal information.

Underwriters Assess Cyber Risk and Rank the Top Threats

In Woodruff Sawyer’s annual survey of cyber insurance carriers, we asked underwriters about the current risk environment, their risk appetite, and future pricing expectations.

Although ransomware remains the most significant threat for underwriters, our survey reveals privacy violations and data breaches have gained prominence compared to last year. Here are a few other takeaways from the survey:

• 37% of underwriters believe cyber risk will increase greatly in 2025, fewer than last year.
• 48% of underwriters predict an increase in premiums.
• 53% of underwriters expect cyber coverage to expand slightly.
• 26% (versus 12% last year) of underwriters expect scrutiny to decrease this year.

Over the next 12 months, how will cyber risk change?