Underwriters tighten exposure measurement and capacity as social‑engineering payouts reshape cyber pricing
Who: Major cyber underwriters, reinsurers and brokers across the United States, United Kingdom and other advanced economies.
What: They are tightening how they measure and aggregate exposure, imposing stricter underwriting conditions and reallocating capacity as social‑engineering payouts and targeted ransomware incidents push claim severity higher even while overall claim frequency eases.
When: Changes accelerated through 2024–2025 and crystallized around the Jan. 1, 2026 reinsurance renewals.
Where: Primary and reinsurance markets centered in London, New York and other major financial centers are leading the shift.
Why: Insurers say concentrated cloud dependencies, more sophisticated social‑engineering campaigns (including AI‑assisted phishing) and larger ransom and extortion outcomes have increased tail risk and made traditional exposure metrics inadequate for pricing and accumulation control. (prnewswire.com)
As cyber insurers enter a new phase of the market cycle, the industry is confronting a paradox: fewer claims, but costlier ones. Portfolio data compiled by cyber risk firms show reported cyber claim notifications fell sharply in the first half of 2025 even as the average cost of successful ransomware incidents climbed. Resilience, a cyber risk solutions company, reported a 53% drop in claim volumes across its portfolio in H1 2025 while the average ransomware loss rose 17% and ransomware‑related incidents constituted the overwhelming share of incurred losses. The firm also flagged AI‑assisted social engineering as a key driver of those higher costs. (prnewswire.com)
Those patterns mirror law‑enforcement and broader fraud statistics. The FBI’s Internet Crime Complaint Center (IC3) reported record total losses to cybercrime in 2024—$16.6 billion—with business‑email‑compromise and social‑engineering schemes among the most costly fraud categories, accounting for roughly $2.7 billion in reported losses in 2024 alone. Industry sources and regulators warn that many incidents go unreported, so official totals almost certainly understate the true economic scale. (hipaajournal.com)
Why severity is rising while frequency falls
Underwriters and risk modelers attribute the divergence to two linked dynamics: (1) attackers are concentrating on high‑value, high‑leverage tactics that yield larger payouts per event; and (2) technological and structural exposures — notably cloud and third‑party vendor dependencies — are amplifying the economic impact when a hostile actor succeeds. Resilience’s midyear study said financially motivated social engineering, particularly targeted campaigns strengthened by AI content generation, accounted for an outsized share of incurred losses in its book. (prnewswire.com)
“The dollars‑and‑cents of successful attacks—that’s what we must understand,” Resilience’s leadership told reporters in September 2025, reflecting a portfolio that saw fewer but more destructive incidents. The firm said some sectors, including healthcare and manufacturing, faced extortion demands running into the millions of dollars. (prnewswire.com)
Industry leaders and model providers say the economics of the attacks have changed. Ransomware operations have become more surgical and intelligence‑driven, and threat actors increasingly combine social engineering and extortion tactics (for example, pairing business‑email‑compromise or account takeover with data theft and double extortion) to extract larger payments. At the same time, attackers have begun to price demands against public or leaked information about a victim’s insurance coverage and capacity to pay. That, industry participants say, has had the unintended effect of pushing average payout sizes higher. (prnewswire.com)
Tighter exposure measurement: what underwriters are changing
The industry’s response has been twofold: sharpen underwriting at the account level and modernize how portfolios are aggregated and stress‑tested. Reinsurers and analytic vendors have accelerated the rollout of scenario‑based accumulation models, single‑point‑of‑failure (SPoF) assessments and continuous portfolio monitoring tools. Munich Re and analytics firm CyberCube published joint findings in mid‑2025 that stress the importance of scenario‑based modelling for cloud‑outage and systemic malware events and urged firms to incorporate technical mitigations — patching, segmentation, resilient backups — into both pricing and accumulation analysis. “Our ambition is to improve the understanding of possible extreme malware and cloud events,” Munich Re’s Stephan Brunner said in July 2025. (munichre.com)
At the London market and in Lloyd’s‑aligned forums, underwriters and exposure managers have pushed operational guidance that emphasizes data governance, standardization and an engineering view of dependencies. The Lloyd’s Market Association and other trade bodies have circulated practical guidance on cyber exposure management that calls for multidisciplinary teams and better collection of technical evidence during underwriting. The tenor: corporate attributes such as revenue or industry class are insufficient proxies for aggregation exposure in a world of shared cloud services and concentrated vendors. (lmalloyds.com)
Coalition, an insurer and cyber risk firm, told clients and markets late in 2025 that cyber risk in 2026 would be “less like a string of isolated breaches and more like a web of hidden interdependencies,” and urged insurers to demand deeper technical clarity. “After a year marked by high‑profile outages, insurers are paying closer attention to scenarios where thousands of sites and servers fail at once,” Tiago Henriques, Coalition’s chief underwriting officer, told an industry outlet. (beinsure.com)
Reinsurers and capacity: a supply‑side twist
Those tighter underwriting standards have unfolded as an unusual supply‑side story in reinsurance: fresh capital flooded the market at the Jan. 1, 2026 renewals, pushing reinsurance pricing down in many specialty lines even as primary underwriters recalibrated exposure measurement. Brokers and reinsurance firms reported abundant cyber reinsurance capacity and material rate softening at the January renewals, a dynamic that produced a complex outcome: more capital overall, but with reinsurers pressing for cleaner portfolios and greater transparency before deploying capacity. Gallagher Re’s 1st View renewal commentary and other broker reports described a market where quota share deals and excess‑of‑loss capacity were available but often priced and structured to reward disciplined underwriting. (beinsure.com)
The upshot: buyers could access more capital, but the best terms went to cedants able to demonstrate disciplined selection, rigorous technical controls and lower accumulation exposure. Where portfolios remained opaque or showed concentration, reinsurers drove harder bargains or restricted cover. “Risk‑adjusted reinsurance pricing reduced materially at the renewals, but structure and accumulation diligence determined who gained most from the softness,” industry renewal analysis said. (beinsure.com)
Policy terms, sublimits and verifications: social engineering reshapes coverage
On the primary side, carriers moved to limit social‑engineering exposure through product design and endorsements. Crime policies and cyber forms increasingly attach specific social‑engineering endorsements with explicit sublimits and often require documented verification practices to trigger payment. Industry guidance and insurance‑practice notes show sublimits for social engineering and business‑email‑compromise commonly sitting in the $100,000–$500,000 range, with some carriers placing average sublimits near $250,000 unless customers buy higher limits or add endorsements and corroborating controls. In many cases, insurers condition social‑engineering coverage on procedures such as callback verification or dual authorization for wire transfers. (ajg.com)
Brokers and risk advisers report that underwriting now demands concrete evidence of controls rather than attestation alone. That includes proof of multi‑factor authentication (MFA) on critical accounts; SPF and DKIM for corporate mail domains backed by a DMARC policy at an enforcing setting (quarantine or reject, not the monitoring‑only p=none); endpoint detection and response (EDR) deployment; and regular, documented phishing‑simulation training for staff who authorize financial transfers. Policyholders who cannot demonstrate those controls face higher premiums, larger retentions, or narrower social‑engineering limits. (securityboulevard.com)
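The "enforced DMARC" evidence underwriters ask for has a precise technical meaning, and it is easy to check. The script below, added here as an illustration and not code from the article or from any insurer or broker it names, parses SPF and DMARC TXT records and lists what would stop an unauthenticated message from actually being quarantined or rejected: a missing or duplicated SPF record, an SPF record that ends in `+all` or `?all`, a DMARC policy of `p=none`, a `pct` below 100, a weaker subdomain policy, or no `rua=` reporting address. The DNS answers are constructed inline for three fictitious domains so the check runs offline; a live assessment would query the TXT records for `<domain>` and `_dmarc.<domain>` instead.

```python
"""Check whether SPF and DMARC TXT records are at an enforcing posture.

Added example, not code from the article or any insurer named in it.
DNS answers are constructed inline so the check runs offline; a live
assessment would instead query TXT records for <domain> and _dmarc.<domain>.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed TXT answers keyed by DNS name (fictitious domains, not real records).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example"
    ],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50; rua=mailto:dmarc@weak.example"],
    # Two SPF records is a syntax error under RFC 7208 (receivers return permerror),
    # and there is no _dmarc.broken.example record at all.
    "broken.example": [
        "v=spf1 ip4:203.0.113.9 -all",
        "v=spf1 include:_spf.other.example ~all",
    ],
}


@dataclass
class EmailAuthFinding:
    domain: str
    spf_qualifier: Optional[str]   # qualifier on the terminal 'all': '-', '~', '?', '+' or None
    dmarc_policy: Optional[str]    # 'none', 'quarantine', 'reject' or None when absent/invalid
    dmarc_pct: int                 # -1 when the pct tag is not an integer
    problems: List[str] = field(default_factory=list)

    @property
    def enforced(self) -> bool:
        """True only when nothing stops unauthenticated mail from being quarantined or rejected."""
        return not self.problems


def lookup_txt(name: str, dns: Dict[str, List[str]]) -> List[str]:
    return dns.get(name.lower(), [])


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt: str) -> Optional[str]:
    """Return the qualifier of the terminal 'all' mechanism; a bare 'all' means '+'."""
    for term in txt.split()[1:]:  # skip the 'v=spf1' version tag
        low = term.lower()
        if low == "all":
            return "+"
        if low in ("+all", "-all", "~all", "?all"):
            return low[0]
    return None


def assess(domain: str, dns: Dict[str, List[str]] = CONSTRUCTED_DNS) -> EmailAuthFinding:
    problems: List[str] = []

    # SPF: exactly one v=spf1 record, ending in a mechanism that fails unknown senders.
    spf_records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    qualifier: Optional[str] = None
    if not spf_records:
        problems.append("no SPF record")
    elif len(spf_records) > 1:
        problems.append("multiple SPF records: receivers treat this as permerror")
    else:
        qualifier = spf_all_qualifier(spf_records[0])
        if qualifier is None and "redirect=" not in spf_records[0].lower():
            problems.append("SPF has no terminal 'all' mechanism (unauthorised senders get neutral)")
        elif qualifier in ("+", "?"):
            problems.append(f"SPF '{qualifier}all' does not fail unauthorised senders")
        # '~all' (softfail) is not flagged: DMARC, not SPF, is what instructs receivers
        # to quarantine or reject, so softfail plus p=reject is an enforcing combination.

    # DMARC: one v=DMARC1 record at _dmarc.<domain>, p=quarantine|reject, applied to 100%.
    dmarc_records = [r for r in lookup_txt(f"_dmarc.{domain}", dns) if r.lower().startswith("v=dmarc1")]
    policy: Optional[str] = None
    pct = 100
    if not dmarc_records:
        problems.append("no DMARC record")
    elif len(dmarc_records) > 1:
        problems.append("multiple DMARC records: receivers ignore DMARC for this domain")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower() or None
        pct_raw = tags.get("pct", "100")
        pct = int(pct_raw) if pct_raw.isdigit() else -1
        if policy not in ("quarantine", "reject"):
            problems.append(f"DMARC p={policy or 'missing'}: monitoring only, nothing is blocked")
        if pct < 100:
            problems.append(f"DMARC pct={pct_raw}: policy not applied to all failing mail")
        sub_policy = tags.get("sp", policy or "").lower()
        if policy in ("quarantine", "reject") and sub_policy not in ("quarantine", "reject"):
            problems.append(f"DMARC sp={sub_policy or 'missing'}: subdomains can still be spoofed")
        if "rua" not in tags:
            problems.append("DMARC has no rua= address: no aggregate reports to detect abuse")

    return EmailAuthFinding(domain, qualifier, policy, pct, problems)


if __name__ == "__main__":
    for name in ("strong.example", "weak.example", "broken.example"):
        finding = assess(name)
        print(f"{name}: {'ENFORCED' if finding.enforced else 'NOT ENFORCED'}")
        for problem in finding.problems:
            print(f"  - {problem}")
```

Run against the constructed records, `strong.example` comes back enforced, `weak.example` is flagged for `p=none` and `pct=50` (its `~all` SPF is acceptable on its own), and `broken.example` is flagged for the duplicate SPF records and the missing DMARC record. DKIM is deliberately left out: whether signatures are present and aligned can only be judged from actual messages or aggregate reports, not from a DNS lookup alone.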
“Insurers seek to provide coverage to companies that have established internal policies to authorize and verify financial transfer requests,” the risk advisory arm of AJG wrote in a practice note describing how social‑engineering endorsements are being structured and underwritten. The note said some carriers explicitly tie full sublimit access to verification requirements that mandate verification by a separate communication channel, not email. (ajg.com)
What this means for pricing and capacity allocation
The combined forces of larger per‑event losses, demand for better technical evidence, and abundant reinsurance capital have pushed pricing and capacity decisions into a more granular, evidence‑driven phase. For well‑prepared insureds — those who can demonstrate layered defenses, vendor diversity, tested backups and strong incident response capabilities — competition among carriers and available reinsurance capacity translated in 2026 to improved terms and price relief in certain segments. For others, particularly small and mid‑sized firms with thin controls and little documentation, insurers have responded with higher rates, lower limits, and explicit exclusions or sublimits for social‑engineering losses. (insurancebusinessmag.com)
Market participants say that underwriting discipline, not headline pricing, will determine profitability going forward. CyberCube and Munich Re’s joint study and model updates were designed to give insurers the tools to price for systemic scenarios and to make portfolio‑level allocation decisions that reflect technical dependencies rather than simple demographic proxies. “By sharing the findings of our study on systemic cyber risks, we aim to provide a more nuanced view of how systemic cyber events might unfold,” CyberCube’s Jon Laux said in July 2025. (munichre.com)
Claims practice and operational frictions
The move toward more stringent underwriting is also creating operational friction for brokers and claims teams. Insurers and reinsurers increasingly require detailed pre‑bind questionnaires, logs of configuration and access controls, third‑party assessment reports, and in some cases ongoing monitoring feeds. That can lengthen bind cycles and increase costs for insureds, particularly for smaller firms that lack internal security teams or budgets to procure external assessments. Brokers say the result is a bifurcated market: companies with the budget and governance to document and maintain controls obtain more favorable coverage at lower marginal cost, while firms without them face fewer and costlier options. (morrell-insurance.com)
Claims handlers also report new points of contention. Some carriers reserve the right to deny or recover advances when insureds fail to meet control commitments or when forensic investigations find prior knowledge of a vulnerability. Legal disputes over scope, timing and policy language continue to shape the market; notable incidents — including attribution questions, “act of war” clauses and vendor‑related outages — have produced high‑stakes coverage litigation in recent years and heightened caution among underwriters. (thecoylegroup.com)
The insured view: affordability versus adequacy
CFOs and risk managers confront hard choices: reduce coverage scope, accept higher retentions and sublimits, or invest in controls that may lower premium but require capital and operating expense. Insurance advisers say many organizations misprice their own risk by buying limits without parallel investments in prevention and response capabilities; the effect is that underwriter scrutiny now advantages organizations that make visible, auditable security investments. “Strong security controls can reduce premiums 15–30%,” a leading brokerage’s advisory guide said, while cautioning that many small businesses remain underinsured for social‑engineering exposure. (thecoylegroup.com)
Regulatory and public‑policy pressure
Regulators and industry groups are also pressuring tighter behavior. In the United Kingdom the Association of British Insurers reported a marked rise in total cyber payouts in 2024 and urged firms to embed cyber insurance within broader risk‑management frameworks. Supervisory interest in insurers’ aggregation models, scenario stress testing and capital adequacy has grown; regulators scrutinize whether carriers have adequately quantified potential systemic events and whether pricing reflects those tail exposures. At the same time, law‑enforcement actions and international disruption of criminal infrastructure have reduced some ransomware flows, but industry executives caution the risk picture remains volatile. (linkedin.com)
Looking ahead: what underwriters say
Industry executives say the next 12–24 months will be a test of whether the market can translate better data and modeling into sustainable underwriting profit while preserving capacity for commercial buyers.
“Profitability will increasingly depend on understanding how technology interconnections translate into correlated loss,” Coalition’s Tiago Henriques warned, noting insurers must ask “hard questions” about cloud concentration and vendor dependencies. Munich Re and CyberCube urged similar discipline: scenario‑driven accumulation modelling, stress testing and meaningful evidence of mitigation are now material inputs to underwriting and pricing. (beinsure.com)
For policyholders the message is plain: cyber insurance remains an important risk‑transfer tool, but its value — and affordability — will increasingly reflect how well an organization can document and demonstrate the controls that actually reduce loss. In this environment, executives who treat insurance as a backstop rather than part of an integrated resilience strategy will likely find coverage more expensive and limits more constrained. (thecoylegroup.com)