What CIOs Need to Know About Cyber Risk Insurance Issues
Cyber insurance remains vital but is shifting to lower premiums, stricter evidence-based underwriting, growing exclusions, AI risks and greater enterprise and board liability.
Cyberattacks and data breaches are all too common in today's enterprise and prevention alone isn't enough for modern cybersecurity.
Because of this, cyber insurance has emerged in recent years as a core element of risk mitigation and CIO cyber strategy for many organizations.
The need to manage cybersecurity risk is critical as the frequency of data breaches continues to grow. Verizon's 2025 Data Breach Investigations Report documented 12,195 confirmed breaches, the largest number in the report's history. While data breach incidents have grown, IBM's 2025 Cost of a Data Breach Report found that the global average cost was $4.44 million in 2025, down 9% from the prior year, due in part to faster detection.
In 2025, cyber insurance trends showed declining premiums after multiple years of increases. Marsh Global Insurance Market Index reported cyber insurance rates decreased 6% globally in Q1, 7% in Q2 and 6% in Q3 as insurance industry capacity and competition increased.
At the same time, insurers are changing how they evaluate risk and design policies, moving away from self-attestation toward stricter evidence-based requirements. Insurance also no longer covers all cyber threats: new risks such as AI-driven incidents, supply chain compromises and nation-state attacks are pushing carriers to add exclusions that transfer more financial exposure back to enterprises.
How the 2026 cyber-insurance landscape changes cost and liability
Multiple factors are shaping the 2026 cyber insurance market and changing how organizations approach coverage.
Current market dynamics. The market currently favors buyers, with abundant capacity and competitive pricing. "Today, we are currently in a soft market where coverage is relatively inexpensive, capacity is abundant and insurers compete aggressively for business," said Rich Seiersen, chief risk technology officer at Qualys.
Pockets of premium volatility emerge. While overall rates declined, specific sectors face sharper increases driven by concentrated losses and large payouts. Healthcare, retail and finance face particular pressure. Healthcare organizations deal with both ransomware exposure and regulatory complexity.
Cost drivers reshaping the market. The frequency and scale of ransomware and supply-chain incidents continue as primary cost drivers, but the nature of these threats is evolving. While ransomware claims decreased in frequency, "the claims were more expensive as ransomware incidents became more severe," said Bob Wilson, a cybersecurity advisor at Info-Tech Research Group. The severity stems from threat actors using generative AI to improve attacks. This technological arms race is forcing underwriters to look more closely at AI practices and at dependencies on third parties and vendors. Manufacturing faces particularly tough conditions due to increased targeting of operational technology systems, adding to concentrated risk in critical sectors.
The systemic risk wildcard. A widespread cloud outage, major supply-chain compromise or coordinated ransomware wave could trigger a sharp market correction. "An event like this could push the market into a sharper hardening cycle," said Seiersen.
Liability shifts to enterprises and boards. Insurers are tightening underwriting and enforcing higher deductibles. Exclusions now commonly cover nation-state attacks and systemic supply-chain events, pushing residual risk back to firms and their boards. "Cyber and AI insurance are increasingly conditional products, and without proof, the policy may not respond or pay out as expected when it matters most," said Diana Kelley, chief information security officer at Noma Security. This shifts financial liability directly to corporate balance sheets and board-level risk oversight.
The rise of “security-verification” clauses and proof-of-resilience
Insurers have shifted from accepting self-reported security practices to requiring documented evidence. Organizations must prove their controls work as described, with underwriters setting increasingly higher standards for what constitutes acceptable proof.
From attestation to evidence. Organizations can no longer simply claim they have controls in place. "Insurers have moved from self-attestation toward evidence-based underwriting," said Kelley. Underwriters now require documented proof that controls exist, function correctly and are consistently enforced.
Baseline requirements. Multi-factor authentication on privileged accounts, administrative access and remote access has become non-negotiable, according to Wilson. Core requirements now include:
Vulnerability management with clear patching cadences.
Regularly exercised incident response plans.
Email security with SPF, DKIM and DMARC implementations.
Security awareness training with phishing simulations.
New verification standards. Underwriters now require screenshots of policies and settings, dashboard reports or actual logs as proof. Some carriers request documented test results, continuous monitoring feeds and third-party attestation. A subset is moving toward continuous underwriting tied to security posture scans.
AI risk enters the equation. AI represents a new category of systemic risk for insurers. "Insurers are increasingly concerned about AI as a source of systemic, aggregated loss," said Kelley. The worry extends beyond individual failures to correlated losses from shared models and platforms. Underwriters now ask detailed questions about AI practices and governance. Some carriers are exploring AI-related exclusions while others underwrite AI risk by evaluating security and governance controls.
Third-party scrutiny intensifies. Vendor and supply chain risk now receive the same level of attention as internal controls. "Organizations must ensure that their supply chain partners follow basic cybersecurity best practices, such as multi-factor authentication, password management systems and incident response strategies," said Matthieu Chan Tsin, senior vice president of resiliency services at Cowbell.
Consequences of failing verification. At underwriting time, organizations may face higher premiums, increased retentions, sublimits on ransomware coverage or exclusions tied to AI incidents. Post-incident, claims can be reduced or denied if an organization cannot prove that controls were enforced as described.
New tools for quantifying and communicating cyber risk to boards
Boards and CFOs no longer accept technical jargon as risk reporting. They want cyber risk expressed in the same financial terms used for market risk, credit risk and operational risk. This shift requires new tools and methodologies.
Why boards demand financial translation. CVSS scores and vulnerability counts no longer work as board-level risk reporting. Executives want to understand financial exposures, probable loss ranges and heat maps aligned with business impact.
The FAIR methodology. Both Kelley and Wilson recommend FAIR (Factor Analysis of Information Risk) for quantitative risk analysis. The approach shifts from subjective risk ratings to probability-based financial modeling. "Instead of labeling something 'high risk,' model a realistic scenario by estimating how often it could occur and the range of financial impact if it does," Kelley explained. This produces a dollar-based loss range that boards can compare to other enterprise risks.
Commercial platforms. Tools like RiskLens and Balbix translate technical issues into financial exposure and probable loss scenarios. These platforms help CIOs speak the language of the C-suite and board.
How to justify security investments when insurance no longer covers it all
As coverage gaps widen, CIOs must justify security investments when insurance won't cover the full exposure. The answer lies in reframing security as enterprise risk reduction with measurable financial benefits.
Reframe the business case. Security spending needs a new justification model that moves beyond compliance.
"Increasingly, CISOs are partnering with CFOs to treat cyber insurance not as a compliance checkbox, but as one component of a broader risk-financing portfolio," said Seiersen. "With many organizations undergoing rapid digital and AI-driven transformation, this may be a perfect time to reassess the balance between risk transfer (insurance) and risk reduction (controls)."
Short-term vs long-term priorities. Focus immediate investments on controls that materially affect underwriting exposure. Identity and access management, endpoint detection and response, immutable backups and vendor risk controls directly influence premium pricing and coverage availability. Long-term investments should build toward comprehensive security programs that reduce retained risk regardless of insurance availability.
"Firms with strong security postures can often secure more favorable coverage and larger limits without dramatically increasing cost," said Seiersen.
Finance and legal framing. Present security investments as protecting multiple financial exposures simultaneously. Kelley's AI risk quantification approach demonstrates this blended model in practice. When evaluating an AI-driven customer service agent, her team modeled "revenue loss, incident response, regulatory exposure and customer churn" to show a probable loss exposure in the multi-million-dollar range. A sub-one-million-dollar investment in controls could materially reduce this risk.
"That reframed the conversation into a straightforward financial decision -- spend under a million dollars to significantly reduce a credible multi-million-dollar business risk," she said.
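A FAIR-style Monte Carlo model of the kind the FAIR paragraph and Kelley's blended loss model describe, as an added example in Python that is not from the original article or from any of the people quoted: loss-event frequency is sampled from a Poisson distribution, each event's magnitude is the sum of the four loss components Kelley names, and the result is a dollar-based annualized loss expectancy (ALE) and loss percentiles that can be compared against the cost of a control. The component estimates, the $800,000 control cost and the assumption that the control halves event frequency are constructed, illustrative figures, not Kelley's actual numbers.

```python
import math
import random

# Constructed figures for an AI-driven customer service agent scenario (not Kelley's actual
# model): per-loss-event components as (median, 90th percentile) estimates in USD.
LOSS_COMPONENTS = {
    "revenue loss": (1_000_000, 4_000_000),
    "incident response": (300_000, 1_000_000),
    "regulatory exposure": (500_000, 3_000_000),
    "customer churn": (400_000, 2_000_000),
}
Z90 = 1.2816  # standard-normal z-score at the 90th percentile

def lognormal_params(median, p90):
    """Calibrate a lognormal distribution from a median and a 90th-percentile estimate."""
    mu = math.log(median)
    return mu, (math.log(p90) - mu) / Z90

def analytic_ale(events_per_year, components=LOSS_COMPONENTS):
    """Closed-form annualized loss expectancy (ALE): event frequency x mean per-event loss."""
    mean_loss = sum(math.exp(mu + sigma ** 2 / 2)
                    for mu, sigma in (lognormal_params(m, p) for m, p in components.values()))
    return events_per_year * mean_loss

def _poisson(rng, lam):
    # Knuth's Poisson sampler; adequate for the small annual event rates modeled here.
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(events_per_year, years=20_000, seed=7, components=LOSS_COMPONENTS):
    """Monte Carlo FAIR-style model: loss-event frequency ~ Poisson, per-event magnitude ~ sum
    of the component lognormals. Returns (ALE, median annual loss, 90th-percentile annual loss)."""
    rng = random.Random(seed)
    params = [lognormal_params(m, p) for m, p in components.values()]
    annual = []
    for _ in range(years):
        n_events = _poisson(rng, events_per_year)
        annual.append(sum(rng.lognormvariate(mu, s) for _ in range(n_events) for mu, s in params))
    annual.sort()
    return sum(annual) / years, annual[years // 2], annual[int(years * 0.9)]

def control_decision(base_freq, reduced_freq, control_cost, seed=7):
    """Net annual benefit of a control that lowers event frequency: risk reduction minus its cost."""
    before = simulate(base_freq, seed=seed)[0]
    after = simulate(reduced_freq, seed=seed)[0]
    return before, after, (before - after) - control_cost
```

With one expected event every two years, the simulated ALE lands near the $2.2 million closed-form value, and `control_decision(0.5, 0.25, 800_000)` shows a control that halves frequency paying for itself, which is the "spend under a million to reduce a multi-million-dollar risk" framing expressed as numbers a CFO can check.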
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.