Reinsurers warn of aggregation risk as single-event cyber severity drives higher attachment points and exclusions

Global reinsurers and cyber insurers are warning about growing aggregation risk and reshaping treaty terms, raising attachment points and tightening exclusions. The warnings come amid the 2025–2026 renewal cycles and follow a string of high‑severity single‑event cyber losses in 2023–2025, in markets in the United States, United Kingdom and other developed economies. The concern is that a narrowing set of single‑event failures (large vendor outages, cloud provider incidents and sophisticated ransomware/data‑exfiltration attacks) can create correlated, high‑severity losses that threaten reinsurance capital and require different risk transfer structures. (swissre.com)

Reinsurers and analytics firms say the cyber market now faces a paradox: the frequency of routine claims has fallen in some portfolios, but the financial severity of major, single‑event breaches has climbed — exposing hidden accumulation across cedants and forcing reinsurers to push treaty attachment points higher, add exclusions or demand clearer event definitions. The shift is prompting product innovation, constrained capacity for some structures and renewed debate about how to price and place systemic cyber risk. (riskandinsurance.com)

What changed: fewer, costlier events

Industry claims data and insurer reports from 2024–2025 show mixed but consistent signals: some firms report declines in small‑to‑medium claim frequency while large single events have become the main cost driver. Allianz’s Cyber Security Resilience 2025 report documented a more than 50% decline in claims severity in some segments but also warned that the share of large‑loss (>€1 million) claims has evolved, with data exfiltration increasingly prominent among the costliest incidents. At the same time, Coalition and other cyber carriers reported lower claim frequencies in 2024, even as certain sectors and countries saw rising severities. (commercial.allianz.com)

Other market trackers paint a sharper divergence. Resilience’s mid‑2025 analyses and subsequent industry commentaries showed that while incident notification volumes fell in parts of 2025, the average cost of major ransomware and vendor‑related losses increased, concentrating insured losses into fewer, very expensive events. Cyber analytics firms also point to vendor‑outage incidents such as the June 2024 CDK Global ransomware attack and the February 2024 Change Healthcare disruption — events that cascaded across thousands of businesses and healthcare providers — as examples of how a single failure can spawn large, correlated claims. (theclm.org)

“This industry has matured in terms of engineering and response, which is driving down many small claims. But the exposure from single points of failure — large vendors, cloud platforms and supply chain dependencies — has risen both in scale and in price,” said Michael Daum, Global Head of Cyber Claims at Allianz, in the insurer’s 2025 report. (commercial.allianz.com)

Reinsurance reaction: attachment points, exclusions and new structures

Reinsurers, who must manage portfolio accumulation across multiple cedants, are responding in several ways. Brokers and market commentary show reinsurers have generally maintained higher attachment points on excess‑of‑loss treaties and have been more exacting on wordings and exclusions intended to limit correlated exposures. Moody’s and reinsurer statements have noted that higher retentions and tighter terms are now an accepted part of reinsurance placements after the market reset initiated in 2023 and continuing through renewals into 2026. (reinsurancene.ws)

“Keeping attachment points high is key,” James Vickers, chairman of Gallagher Re’s international business, told industry reporters during 2025 commentary, arguing that higher retentions helped reinsurers avoid the pileup of secondary, non‑peak losses that had eroded returns in prior cycles. Brokers and reinsurers reported that attachment points and treaty wordings were a focal negotiation point during the January 1, 2026 renewal cycle. (reinsurancene.ws)

At the same time, the market has not rejected capacity — it has reshaped it. Gallagher Re’s cyber index reported a sharp fall (32%) in risk‑adjusted pricing for aggregate excess‑of‑loss (XoL) at the Jan. 1, 2026 renewals as abundant capacity met buyer demand, but brokers cautioned that lower headline pricing often coincided with structural changes — higher attachment points, shorter time‑windows, tighter definitions of what constitutes a “single event” and more explicit exclusions or sublimits for vendor‑related and cloud provider failures. (globalreinsurance.com)

Some reinsurers are also shifting the mix of treaty types. While quota‑share proportional reinsurance remains central to many cyber placements, the non‑proportional market — aggregate stop‑loss, event/XoL and cat structures — has seen product innovation aimed at reducing basis risk and clarifying triggers. Aon, for example, placed a novel “surge stop‑loss” product in mid‑2025 that attaches to abnormal surges in notified losses in a specified time window rather than requiring an agreed single‑event definition, thereby removing one major cause of recovery disputes. Rory Egan, head of cyber and analytics at Aon ReSpecialty, said the product addresses the “event definition” problem by focusing on the timing and quantum of losses. (theinsurer.com)

Why reinsurers feel urgency: aggregation and systemic drivers

Reinsurance executives and analytics firms point to several drivers of aggregation risk that make cyber distinct from traditional perils such as wind or flood. First, concentration of critical services — a few cloud providers, common enterprise software platforms, and dominant managed service vendors — creates single points of failure. CyberCube and other modelers have repeatedly warned that dependencies on a small set of third‑party providers can convert localized breaches into industry‑wide incidents. (reinsurancene.ws)

Second, attackers’ tactics have evolved. Double‑extortion ransomware (combining encryption with data theft) and more systematic, targeted compromises of service providers or widely used code have raised the cost of remediation and regulatory penalties. Allianz’s reporting highlighted that 40% of large claims in its 2025 dataset included data exfiltration — a factor that materially increases loss severity. (commercial.allianz.com)

Third, technological change and rapid adoption of AI and SaaS amplify shared exposures. Guy Carpenter’s industry brief and other market commentaries point to AI’s potential to enlarge attack surfaces, embed vulnerable models across many customers, or accelerate the spread of automated exploitation — all of which increase correlation risk across insureds. “AI use heightens the risk of aggregation,” Guy Carpenter analysts wrote in 2024, noting software‑supply chain risk and broader attack surfaces as central concerns. (reinsurancene.ws)

Fourth, regulatory and litigation trends have lifted the cost of individual breaches in many developed economies. Data‑protection enforcement, class actions and higher reputational costs have all increased the insured value of a single incident in the United States, Europe and elsewhere. Allianz and others flagged privacy litigation and contingent business interruption as growing loss drivers. (commercial.allianz.com)

Claims picture: frequency falls, severity concentrates

That combination of factors explains why some carriers report fewer claims but higher severity in their portfolios. Coalition and other firms documented a decline in overall claim frequency in 2024, attributing that to better security posture, stronger detection and incident response, and lower ransom payments in some sectors; yet the distribution of losses has become more skewed, with a small number of incidents creating outsized losses for insurers and reinsurers. (riskandinsurance.com)

Resilience’s mid‑2025 data summarized a clinical example of the trend: ransomware notifications dropped markedly in parts of 2025, but the average incurred cost for major ransomware incidents rose, and vendor or supply‑chain related incidents accounted for an outsized share of total incurred losses in that period. That pattern — fewer incidents, but more expensive ones — places a premium on underwriting discipline and aggregation transparency for reinsurers. (theclm.org)

Market consequences: pricing, capacity and capital solutions

The immediate, visible consequences in the market have been mixed. On one hand, abundant capital and investor interest in specialty risk have pushed pricing down in some pockets and expanded capacity for cyber reinsurance, especially for well‑underwritten cedants with strong data and loss control practices. Brokers reported risk‑adjusted rate reductions on some XoL placements at the Jan. 1, 2026 renewals. (globalreinsurance.com)

On the other hand, reinsurers have preserved their economic limits by pushing attachment points, lowering proportional cessions on quota‑share deals, and tightening or clarifying coverage definitions and exclusions — changes that reduce reinsurers’ exposure to sudden, correlated losses. Moody’s and S&P have observed that reinsurers’ insistence on higher retentions and clearer treaty language will likely hold through 2026 renewals, even if headline prices moderate. (artemis.bm)

“This is not a race to the bottom on price: it’s a reallocation of where losses sit,” said an industry adviser summarizing market behaviour. Reinsurers want to be paid for taking real peak risk and to avoid being left covering what are effectively ceded operational or concentration risks. (reinsurancene.ws)

Product innovation and alternative capital

To bridge the gap between seller needs and reinsurer caution, brokers and capital markets players are promoting new structures. In addition to Aon’s surge stop‑loss, market participants are advancing event‑triggered ILS (insurance‑linked securities) and industry loss warranties designed to provide capital for very large, well‑defined losses. S&P and Aon have both observed increased market conversations about cyber ILS, though operationalizing such instruments remains challenging because of model uncertainty and basis risk. (theinsurer.com)

Gallagher Re and other brokers described a growing appetite for bespoke, client‑specific solutions in which reinsurers demand improved data sharing, scenario stress‑testing and portfolio transparency before deploying capacity. Cyber analytics vendors such as CyberCube have expanded portfolio aggregation tools and incident response services to support both primary insurers and reinsurers in quantifying common exposures. (globalreinsurance.com)

Legal and contractual complexity

The reinsurance industry’s insistence on clearer event definitions and exclusions has created new legal and operational friction. Disputes over whether a set of losses constitute a single event or multiple occurrences can decide whether a treaty triggers and how much recovery is available. Surveyed industry litigators point to wording issues — “series,” “event,” “period of loss,” and “aggregation” clauses — as persistent sources of ambiguity. Courts and arbitrators are starting to see test cases where aggregation clauses in primary and reinsurance policies intersect. (iclr.co.uk)

Primary insurers, meanwhile, face their own choices: accept higher retentions and narrower reinsurance protection, or pay more for broader coverage. Many are also responding by tightening their own primary‑policy wordings, adding sublimits for contingent business interruption and vendor failures, or excluding cyber origin losses from otherwise non‑cyber lines (so‑called “silent cyber” clarifications). The trend has particular prominence in Europe and the U.S., where regulatory scrutiny of policy wording and claims settlement practices has intensified. (sec.gov)

Case studies: what single events revealed

The market’s rethink was accelerated by high‑profile, vendor‑centric incidents. The Feb. 21, 2024 attack on Change Healthcare — a major clearinghouse for medical claims — disrupted claims processing and highlighted how concentration in critical services can halt revenue streams across many healthcare providers. Similarly, the June 2024 ransomware attack on CDK Global interrupted thousands of car dealerships’ operations and generated complex, cross‑policy loss patterns for insurers. Those incidents crystallized the danger of concentrated dependence on a small number of vendors and fueled reinsurers’ push for clearer treatment of vendor‑related losses. (beckershospitalreview.com)

Industry voices and near‑term outlook

Industry leaders offer a mix of caution and technical optimism. Diana Liu, head of underwriting at Coalition Re, said late in 2025 that “systemic exposure is growing” and called for more technically grounded aggregation models that reflect shared software and cloud dependencies. (reinsurancene.ws)

At the same time, reinsurers such as Swiss Re and analytics firms argue that improved data, standardized wordings and better modelling can make cyber more insurable over time — though both caution that cyber does not yet conform to all traditional insurability characteristics, notably with respect to accumulation and model consensus. Swiss Re has emphasized the need for standardized data and coordinated risk‑sharing approaches to tackle the problem. (reinsurancene.ws)

What it means for buyers and policyholders

For corporate buyers in developed markets, the immediate effect is practical: expect higher retentions, narrower cover for vendor or cloud contagion unless explicitly negotiated, and more demanding underwriting requirements (multi‑factor authentication, endpoint detection, vendor risk management, third‑party security controls). Insureds that can demonstrate strong controls, granular telemetry and mature incident response capability will find it easier to secure reinsurance‑backed limits and favourable pricing. (commercial.allianz.com)

Brokers say policyholders should also expect higher operational friction in placements: reinsurers will seek portfolio‑level data, stress scenarios and more transparency on shared dependencies. Organizations that rely heavily on single providers should reassess concentration risk and consider contract renegotiation, segmented fallbacks or expanded business‑continuity investments. (insights.cybcube.com)

Longer horizon: public‑private solutions and capital markets

Several market observers and reinsurers have reiterated the potential role of public‑private risk sharing for the most systemic cyber failures. Swiss Re and others have suggested exploring government backstops for events that could threaten systemic financial stability. Separately, conversion of cyber risk to capital‑market instruments (ILS, industry loss indices) remains an active but unfinished project: model uncertainty and basis‑risk concerns have slowed large‑scale adoption, even as investor interest persists. (reinsurancene.ws)

Conclusion: a market in transition

The cyber insurance market in developed economies is in a transitionary phase. Improved baseline defenses and incident response have reduced many small claims, but a rising concentration of insured values in single points of failure — cloud providers, software vendors and critical service platforms — has changed the loss profile. Reinsurers, whose mandate is portfolio protection and capital preservation, are responding by raising attachment points, tightening exclusions and demanding greater aggregation transparency. The result is a more nuanced market: more capacity for well‑underwritten risk, but higher costs and friction for unclear or concentrated exposures. (commercial.allianz.com)

For insurers, brokers and corporate buyers, the immediate priorities are clear: clarify contractual language, improve vendor and cloud governance, invest in loss‑mitigation and incident response, and be prepared to negotiate new forms of risk transfer that explicitly address correlated, single‑event cyber risk. Reinsurers, for their part, will continue to test new treaty structures and capital solutions — but they will do so with an eye toward limiting the second‑order effects of aggregation on their balance sheets. (theinsurer.com)

— Reporting by [Staff writer]; interviews and industry reports reviewed include Allianz’s Cyber Security Resilience 2025, Gallagher Re cyber index (Jan. 1, 2026 renewals), Aon ReSpecialty’s surge stop‑loss placement (June 2025), Swiss Re Institute analyses, Coalition commentary on 2026 systemic risk, CyberCube modelling and Resilience mid‑year claims reports. (commercial.allianz.com)
