
Cyber Insurance Rates Drop 6% Globally: Why Now Is the Time to Upgrade Coverage

Cyber insurance rates dropped 6% in Q3 2025. Learn how to capitalize on the softening market while strengthening your cybersecurity protections.

Written by
Christie Williams

NEW YORK, NY – Cyber insurance rates declined 6% globally in the third quarter of 2025, marking continued softening after years of dramatic rate increases that saw premiums surge 50-100% in 2021-2022 following the ransomware epidemic. According to Marsh's Global Insurance Market Index, this represents the 13th consecutive quarter of rate declines or stabilization in most regions, creating the best buyer's market for cyber coverage since 2020.

The softening comes as insurers have gained confidence in their ability to model cyber risk, mandate security controls as prerequisites for coverage, and exclude or sublimit losses they view as uninsurable (nation-state attacks, systemic events). Simultaneously, businesses have implemented stronger cybersecurity measures—multi-factor authentication (MFA), endpoint detection and response (EDR), employee training, and incident response planning—reducing the frequency and severity of the losses insurers must pay.

For businesses, this creates a strategic window to secure or upgrade cyber coverage at favorable rates while meeting increasingly standardized security requirements. However, the soft market comes with strings attached: insurers are mandating baseline security controls (MFA, EDR, backups, training) and excluding coverage for businesses that fail to meet them. The message is clear—implement basic cybersecurity hygiene and receive competitive coverage; ignore fundamentals and face declinations, restrictions, or astronomical premiums.

Understanding the Cyber Insurance Market Evolution

The 2021-2022 Rate Surge: What Drove It

Ransomware explosion: Ransomware attacks surged 300%+ in 2020-2021, with average ransom demands climbing from $80,000 to $250,000+. High-profile attacks (Colonial Pipeline, JBS Foods, Kaseya) demonstrated devastating business impact.

Underpricing exposed: Insurers had priced cyber insurance aggressively in 2017-2020 to build market share, resulting in loss ratios (claims / premiums) exceeding 100%—they paid out more than they collected.

Social engineering fraud: Business email compromise (BEC) and social engineering attacks caused billions in losses, with fraudsters posing as vendors, executives, or trusted partners to trick employees into wiring funds or sharing credentials.

Systemic risk concerns: NotPetya (2017) and similar attacks demonstrated how single incidents could generate billions in insured losses across hundreds of companies simultaneously.

Insurer response: Rates surged 50-100%+ in 2021-2022, coverage terms tightened dramatically (higher retentions, lower limits, more exclusions), and underwriting requirements became stringent (MFA mandatory, cybersecurity controls questionnaires required).

Why Rates Are Now Declining

Insurers achieved profitability: After aggressive rate increases and tighter underwriting, cyber insurance loss ratios improved to 50-70% by 2024-2025—sustainably profitable.

Better risk modeling: Three years of data under stricter underwriting allows insurers to price cyber risk more accurately, reducing the need for broad rate increases.

Client security improvements: Businesses implemented MFA, EDR, training, and incident response planning at much higher rates (MFA adoption increased from 40% in 2020 to 85%+ in 2025), reducing claim frequency.

Market competition: With profitability restored, insurers are competing for growth, driving rates down for well-secured businesses.

Increased capacity: New carriers entered cyber insurance (Coalition, At-Bay, Resilience, Corvus) and traditional carriers increased capacity, expanding available limits and creating competitive pressure.

Regional Rate Variations: Where Cyber Insurance Is Softening Most

Global Overview (-6% Q3 2025)

Property insurance leads overall declines at -8%, but cyber insurance shows one of the most consistent softening trends across all regions and risk profiles.

United States (-6% to -8%)

Why rates are declining:

  • Highest market maturity with sophisticated underwriting
  • Strong client cybersecurity improvements driven by regulatory pressure (SEC cybersecurity disclosure rules, FTC safeguards, state data breach laws)
  • Most competitive market with 20+ carriers offering standalone cyber coverage

Who benefits most:

  • Small and mid-sized businesses with strong cybersecurity posture (MFA, EDR, training)
  • Healthcare and financial services implementing HIPAA/GLBA cybersecurity requirements
  • Businesses with no claims history over past 3-5 years

Regional variation:

  • California, New York, Texas seeing steepest declines (-10% to -12%) due to high market competition
  • Smaller markets seeing more modest declines (-4% to -6%)

Europe (-5% to -7%)

GDPR driving security improvements: European businesses have invested heavily in data protection and cybersecurity since GDPR implementation (2018), resulting in lower claim frequency and attracting competitive rates.

UK leading decline (-8%): Highly competitive market with strong broker relationships and sophisticated buyers negotiating aggressively.

Continental Europe (-5% to -6%): Germany, France, Netherlands seeing steady declines as cyber insurance adoption increases and competition intensifies.

Asia-Pacific (-4% to -6%)

Market maturity varying widely:

  • Australia (-8%): Mature market similar to US/UK, with strong security posture and competitive dynamics
  • Singapore, Hong Kong (-6%): Regional financial centers with sophisticated cyber insurance markets
  • Japan, South Korea (-4%): Growing cyber insurance adoption with moderate competition
  • Emerging Asia (0% to +5%): India, Southeast Asia, China still seeing rate increases as markets develop

Latin America (-3% to -5%)

Nascent but growing markets: Cyber insurance adoption accelerating in Brazil, Mexico, and regional financial centers, with rates declining as competition enters markets previously dominated by few carriers.

What's Driving the Softening: Beyond Rate Increases

Factor 1: Mandatory Security Controls

Insurers shifted from pricing risk to preventing it by mandating baseline cybersecurity controls:

Universal requirements (99% of carriers require for coverage):

  • Multi-factor authentication (MFA): Required for all remote access, privileged accounts, and ideally all user accounts
  • Endpoint detection and response (EDR): Advanced antivirus/anti-malware solutions that detect and respond to threats in real-time
  • Regular backups: Automated, tested backups stored offline or in immutable cloud storage
  • Security awareness training: Annual (or more frequent) employee training on phishing, social engineering, password hygiene

Common additional requirements:

  • Patch management: Regular software updates and vulnerability patching
  • Incident response plan: Written plan defining roles, procedures, and communication protocols for cyber incidents
  • Email filtering: Anti-phishing and anti-spam filters on email systems
  • Network segmentation: Separating critical systems from general networks

Result: Businesses meeting these requirements experience 60-70% fewer ransomware incidents and 50-60% lower business email compromise losses, allowing insurers to offer coverage at lower rates with confidence.

Factor 2: Coverage Exclusions and Sublimits

Insurers carved out risks they view as uninsurable or uncertain:

War and terrorism exclusions: Many policies exclude or limit coverage for nation-state cyber attacks or acts of cyber terrorism—a response to NotPetya (2017) and to concerns about attribution and systemic losses.

Ransomware sublimits: Some carriers impose sublimits ($100K-$500K) on ransomware payments while maintaining full limits for business interruption and forensic costs.

Social engineering fraud: Separate sublimits or exclusions for business email compromise (BEC) and social engineering fraud, with some carriers offering coverage via crime policies instead.

Infrastructure failures: Exclusions or limitations for losses arising from failures of internet infrastructure, cloud providers, or telecommunication systems.

Unencrypted data: Many policies exclude or limit coverage for data breaches involving unencrypted data.

Result: By excluding or limiting high-uncertainty risks, insurers reduced potential loss exposure and gained confidence to offer broader coverage for more predictable cyber risks at lower rates.

Factor 3: Improved Underwriting and Pricing Models

Three years of data under stricter underwriting (2022-2025) gave insurers the ability to:

Identify effective controls: Quantify how specific controls (MFA, EDR, training) reduce claim frequency and severity, allowing precise pricing differentiation.

Understand industry risks: Develop industry-specific pricing models reflecting varying cyber risk by sector (healthcare high-risk, professional services lower-risk).

Detect fraud and exaggeration: Better identify suspicious claims and fraudulent loss reporting, reducing paid losses.

Optimize limit structures: Understand appropriate limits for different business sizes and industries, avoiding over-insurance or under-insurance.

Result: More accurate pricing allows insurers to compete on risk-adjusted rates rather than broad-brush rate increases.

How to Capitalize on the Softening Cyber Market

Strategy 1: Implement Mandatory Security Controls

If you haven't already, implementing baseline controls is non-negotiable for cyber coverage:

Priority 1: Multi-Factor Authentication (MFA)

What it is: Requiring two or more authentication factors (password + code from phone, password + biometric, etc.) to access systems.

Why it matters: Prevents 99% of account compromise attacks. MFA is the single most effective control and universally required by insurers.

How to implement:

  • Enable MFA for all remote access (VPN, RDP, cloud applications)
  • Enable MFA for all privileged/admin accounts
  • Ideally enable MFA for all user accounts
  • Use app-based MFA (Google Authenticator, Microsoft Authenticator) or hardware tokens rather than SMS when possible

Cost: $3-10 per user per month for enterprise MFA solutions; free options available for small businesses

ROI: Prevents >99% of account compromises; qualifies for 15-30% cyber insurance discounts

Priority 2: Endpoint Detection and Response (EDR)

What it is: Advanced antivirus/anti-malware that detects and responds to threats in real-time using behavioral analysis, machine learning, and threat intelligence.

Why it matters: Traditional antivirus misses 30-40% of modern malware. EDR detects and blocks sophisticated attacks including ransomware and fileless malware.

Solutions: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black, Sophos Intercept X

Cost: $5-15 per device per month

ROI: Reduces ransomware incidents by 70-80%; qualifies for 10-20% cyber insurance discounts

Priority 3: Offline Backups

What it is: Automated, regular backups of critical data and systems stored offline (air-gapped) or in immutable cloud storage that ransomware can't encrypt.

Why it matters: Enables recovery from ransomware without paying ransom—the single most effective ransomware defense.

How to implement:

  • Implement 3-2-1 backup strategy: 3 copies of data, 2 different media types, 1 offsite
  • Ensure at least one copy is offline or immutable (write-once-read-many)
  • Test restoration regularly (quarterly minimum)
  • Document backup procedures and test results

Cost: $50-500+ per month depending on data volume

ROI: Eliminates need to pay ransoms (average $250K+); qualifies for 15-25% cyber insurance discounts

Priority 4: Security Awareness Training

What it is: Regular employee training on cybersecurity threats (phishing, social engineering, password security, mobile device security).

Why it matters: Human error causes 80-90% of cyber incidents. Training reduces phishing click rates from 30%+ to under 5%.

How to implement:

  • Conduct annual training minimum (quarterly preferred)
  • Include phishing simulations
  • Document training attendance and results
  • Cover topics: phishing/social engineering, password security, mobile device security, data handling, incident reporting

Solutions: KnowBe4, Proofpoint, Cofense, SANS Security Awareness

Cost: $15-40 per user per year

ROI: Reduces phishing-related incidents 70-80%; qualifies for 10-15% cyber insurance discounts

Strategy 2: Shop Coverage Aggressively

Cyber insurance is highly competitive—obtain quotes from 5-7 carriers to maximize savings:

Traditional carriers: Chubb, AIG, Beazley, Hiscox, Travelers, Hartford

Insurtech specialists: Coalition, At-Bay, Corvus, Resilience, Cowbell

Emerging players: Axis, Coalition, Resilience entering the market with aggressive pricing

What to compare:

  • Premium: Obviously, but don't focus solely on price
  • Limits: Ensure adequate limits—$1M minimum for most businesses, $5M+ for large or high-risk businesses
  • Retentions/deductibles: Lower is better, but higher retentions reduce premiums
  • Coverage breadth: First-party (business interruption, forensics, restoration, ransomware) and third-party (liability, regulatory, PCI fines)
  • Sublimits: Watch for ransomware, social engineering, and other sublimits that restrict coverage
  • Services: Some carriers offer cybersecurity tools, training, and incident response hotlines as policy benefits

Example: A mid-sized professional services firm obtained 6 cyber insurance quotes:

  • Range: $18,500 to $29,000 for $3M limits
  • Lowest quote: Coalition at $18,500 with bundled cybersecurity tools valued at $5,000
  • Second lowest: Beazley at $21,000 with strong claims reputation
  • Selected Beazley despite higher premium based on coverage breadth and service quality

Strategy 3: Increase Limits While Rates Are Low

Cyber losses are escalating—business interruption from ransomware can exceed $5-10M for mid-sized businesses:

Average costs by incident type (2024-2025 data):

  • Ransomware: $200K-500K (ransom) + $500K-2M (business interruption, restoration)
  • Data breach: $150-250 per compromised record (notification, credit monitoring, regulatory fines, litigation)
  • Business email compromise: $50K-500K per incident
  • Total incident cost: $1-5M average for mid-sized businesses

Limits to consider:

  • Small businesses (<$10M revenue): $1-2M minimum
  • Mid-sized businesses ($10M-$100M revenue): $3-5M recommended
  • Large businesses (>$100M revenue): $10-25M+ depending on risk profile

Why increase limits now: With rates declining 6% annually, increasing limits from $1M to $3M may cost only 10-15% more than $1M limits last year—you're getting triple coverage for minimal cost increase.

Strategy 4: Reduce Retentions/Deductibles

Cyber insurance retentions (deductibles) typically range from $10K (small businesses) to $250K+ (large enterprises).

In soft markets, reducing retentions becomes more affordable:

Example: A business with $2M cyber limits:

  • $25K retention: $22,000 annual premium
  • $10K retention: $25,500 annual premium (+16%)
  • Savings per claim: $15K

ROI: If business files a claim within 3 years, the $10K retention pays for itself ($15K savings vs. $10,500 extra premium over 3 years).

Strategy 5: Bundle Cyber with Other Coverage

Package policies combining cyber with E&O, D&O, or technology E&O often save 10-20% vs. standalone policies:

Technology company package:

  • Tech E&O (professional liability for software/services)
  • Cyber and privacy liability
  • Media liability
  • Crime/social engineering coverage

Professional services package:

  • Professional liability (E&O)
  • Cyber and privacy liability
  • Employment practices liability (EPLI)
  • Crime

Savings: 10-20% vs. purchasing coverage separately, plus simplified policy management.

Strategy 6: Leverage Insurer Cybersecurity Tools

Many cyber insurers offer cybersecurity tools as policy benefits:

Coalition: Provides free cybersecurity monitoring, vulnerability scanning, and risk assessment tools to policyholders.

At-Bay: Offers free cybersecurity tools including external attack surface monitoring and risk scoring.

Corvus: Provides continuous security monitoring and risk assessment platform to policyholders.

Value: These tools typically cost $5,000-$20,000 annually if purchased separately, essentially making the cyber insurance free or even profitable when accounting for tool value.

What Could Reverse the Soft Market

Factor 1: Major Systemic Cyber Event

Risk: Large-scale cyber attack affecting hundreds or thousands of businesses simultaneously (similar to NotPetya 2017) could generate $10-50B in insured losses, depleting insurer capital and triggering immediate rate increases of 50-100%+.

Likelihood: Moderate—nation-state cyber capabilities continue advancing, and systemic vulnerabilities in widely-used software, cloud providers, or infrastructure remain.

Factor 2: AI-Powered Cyber Attacks

Risk: Artificial intelligence enabling more sophisticated, targeted, and effective cyber attacks that bypass current defenses.

Early indicators: AI-generated phishing (more convincing, personalized), AI-assisted vulnerability discovery, AI-powered automated attacks.

Impact: If AI dramatically increases cyber attack effectiveness, claim frequency and severity could spike, forcing rate increases.

Factor 3: Regulatory Expansion

Risk: New cybersecurity regulations (SEC cyber disclosure rules, FTC safeguards, state privacy laws, industry-specific requirements) increasing compliance costs and expanding liability exposure.

Impact: Broader liability definitions and regulatory penalties could expand insurer exposure, requiring rate increases to maintain profitability.

Factor 4: Litigation Surge

Risk: Cyber-related class action litigation and third-party liability claims increasing in frequency and severity, similar to social inflation in traditional casualty lines.

Early indicators: Growing data breach class actions, shareholder derivative suits following cyber incidents, regulatory investigations leading to large settlements.

Impact: Higher liability costs would require rate increases to maintain profitability.

Key Takeaways

Cyber insurance rates declined 6% globally in Q3 2025, marking the 13th consecutive quarter of softening and creating the best buyer's market since 2020.

Baseline security controls are mandatory—MFA, EDR, offline backups, and security training are prerequisites for coverage, not optional.

Businesses implementing required controls can secure coverage at 30-40% below 2022 peak rates while obtaining better coverage terms.

Now is the time to increase limits and reduce retentions—rates are declining while cyber losses are escalating, making higher limits and lower deductibles more affordable than in years.

Shopping coverage extensively delivers 20-30% savings—highly competitive market with 20+ carriers results in wide rate variation.

Bundling cyber with other coverage saves 10-20% vs. standalone policies while simplifying policy management.

The soft market could be short-lived—major systemic event, AI-powered attacks, or regulatory expansion could trigger renewed hardening within 12-24 months.

The cyber insurance soft market represents a strategic opportunity to secure comprehensive coverage at favorable rates while strengthening your organization's cybersecurity posture. By implementing mandatory security controls (MFA, EDR, backups, training), shopping coverage aggressively across multiple carriers, increasing limits while rates are low, and leveraging insurer cybersecurity tools and services, businesses can achieve 30-50% cost savings vs. 2022-2023 peak rates while obtaining better protection. However, the window may close quickly—major cyber incidents or regulatory changes could reignite rate increases within 12-24 months. Act now to capitalize on favorable conditions while they last.


Ready to secure cyber insurance in the soft market? With rates declining 6% globally and strong competition among carriers, businesses implementing baseline security controls can achieve significant savings. Working with brokers who specialize in cyber insurance ensures you access the most competitive markets and structure optimal coverage.

Sources: Marsh Global Insurance Market Index, Insurance Business Magazine, Cyber Insurance Market Reports