As Premiums Shrink and Threats Grow, It’s Time to Rethink Cyber Coverage

Stay in the game.
Emily Hill
Contributing Writer

After years of growth fueled by escalating cyber threats and rising premiums, the U.S. cyber insurance market hit a surprising milestone in 2024: a decline. For the first time since tracking began, direct premiums written dropped, down 2.3% to just under $7.1 billion.

It wasn’t a mass exodus from coverage or a sudden drop in cyber risk. In fact, quite the opposite.

The threats have just changed shape. The market is entering a new phase, marked by tighter underwriting, more disciplined pricing, and a much sharper focus on resilience.

Cyber insurance is recalibrating, not shrinking.

Premiums Are Down, but Risk Isn’t

While premium volume declined, the shift was driven primarily by a pullback in pricing after several years of aggressive rate increases. Demand for cyber insurance remains strong, particularly among companies navigating everything from AI-driven phishing to sophisticated ransomware campaigns.

Some large organizations are also shifting risk internally, using their own captive insurers to manage cyber exposure.

That move keeps some premium off the books and out of national data tallies, but it doesn’t reflect a drop in interest. If anything, it shows how seriously these organizations are taking control of their own risk posture.

At the same time, surplus lines carriers, those handling more complex or excess cyber risks, are still holding onto their share of the market.

But with thinner margins and increasing loss ratios, even these players are feeling the pressure.

The Threats Keep Coming

Let’s be honest: no one’s sleeping easier. If anything, the last year has confirmed how unpredictable and far-reaching cyber events can be.

Ransomware is more automated and accessible than ever.

Business email compromise continues to quietly drain billions. And data breaches come with legal exposure, operational disruption, and reputational fallout.

But what really drove the point home for a lot of companies was the CrowdStrike update outage.

Though not technically a cyberattack, the July 2024 incident disabled millions of Windows systems worldwide. Airports, banks, hospitals, and entire sectors were affected. It was a wake-up call that even well-intentioned, routine software updates can cause chaos at scale.

It also reframed the resilience conversation around the ability to recover from digital failure, no matter the cause.

In response, Microsoft accelerated its Windows Resiliency Initiative (WRI), focusing on self-healing systems like Quick Machine Recovery and update methods like hotpatching to reduce disruption. By pulling security vendors like CrowdStrike and SentinelOne into stricter deployment practices, Microsoft aims to build resilience into the OS itself, something every enterprise CIO should be thinking about, whether or not it’s covered by insurance.

The Coverage Gap Is Still a Problem

Despite all this, most cyber risk still isn’t insured. Globally, cyber premiums account for less than 1% of property and casualty insurance volume. That means there’s a huge protection gap, especially among small and midsize businesses that often don’t believe they’re targets until it’s too late.

There’s also a growing need for smarter policies.

As AI becomes both a tool and a threat, insurers are wrestling with questions like:

  • What’s covered when a model fails?
  • When does a hallucination become a liability?

Traditional policy language isn’t always ready for this.

Insurers and reinsurers are responding with more specialized products and better modeling tools, but the gap between what’s available and what’s needed remains wide.

The Wrap

Cyber insurance is not in hyper-growth mode anymore, but that doesn’t mean it’s losing relevance.

If anything, 2025 is shaping up to be a proving ground for smarter underwriting, more resilient infrastructure, and stronger public-private collaboration.

The premium drop is just a symptom of a maturing market. The real story is unfolding behind the scenes, where risk managers are learning that it’s about building systems that can withstand, adapt, and recover.

Resilience used to be a nice-to-have. Now, it’s how you stay in the game.
