CYBER

Carriers showing more discipline even as competition continues

KEY TAKEAWAYS


The cyber insurance market remains buyer-friendly, though pricing discipline is increasing as rates approach floor levels.


Carriers are adopting more granular underwriting focused on controls, privacy exposure, and emerging risks like AI.


Risk differentiation is becoming more crucial, with outcomes tied more closely to resilience, governance, and third-party dependencies.

Expected rate changes next quarter*

Flat to 5% increase


Cyber

The cyber insurance market continues to recalibrate, yet conditions remain favorable for buyers. In the first quarter of 2026, median rates for cyber insurance fell 0.5%, according to Lockton data.

The prolonged soft market of the last three years and rising loss ratios are weighing on carriers. Underwriters are more actively differentiating risks based on privacy exposures and the robustness of cyber controls rather than prioritizing client retention.

As a result, certain buyers — particularly those with rapid growth, unfavorable loss experience, or weaker controls — may see upward pricing pressure. Cyber insurance buyers in high-risk sectors such as healthcare, financial services, critical infrastructure, and education are facing the sharpest scrutiny.

At the same time, carriers are repositioning to compete in a more complex cyber threat landscape, with an eye toward new product development, tighter sublimit structures for specific perils, and more restrictive coverage terms.

Despite this activity, overall capacity remains strong, supported by new entrants eager to deploy capital. Competition is expected to persist, though insurers are showing greater discipline as pricing nears its floor.

Underwriting is also evolving. Carriers are shifting away from a checklist approach to controls and instead taking a more exposure-driven, qualitative view of risk, reflecting growing concern about claims trends. Evidence of specific controls and incident response plans are increasingly being treated as baseline requirements for coverage.

The cyber reinsurance market remains robust, with ample capacity available across both proportional and nonproportional structures. Although the pace of new entrants has slowed, competition remains strong, as newer reinsurers continue to gain placements on established programs. Pricing is stable for established buyers, with some risk-adjusted decreases on aggregate excess-of-loss programs, while newer or growing writers benefit from continued investment in cyber as reinsurers diversify away from casualty risks.

Despite strong capacity, reinsurers are monitoring rising attritional cyber losses and softening primary rates, applying greater scrutiny to underperforming portfolios and sector concentrations such as healthcare. Concerns around aggregation and emerging AI-driven threats also persist. Still, cyber is viewed as a profitable, high-growth line, supported by favorable long-term trends. Reinsurers continue to deploy capital selectively, expand nonproportional offerings, and show confidence through increased retrocession27 activity and ongoing capital inflows.

As privacy concerns persist, insurers are placing greater scrutiny on consent mechanisms, such as website cookie banners and opt-in/opt-out frameworks, along with session replay technology and biometric data collection practices that are fueling litigation. Carriers are also examining third-party vendor contracts to confirm that appropriate safeguards, audit rights, and breach notification processes are in place to protect collected and stored data.

Broadly, the Trump administration has pulled back on privacy enforcement but is still taking action under the Children’s Online Privacy Protection Act. The House Committee on Energy and Commerce is currently considering the SECURE Data Act, which proposes to create a single consumer data privacy standard nationwide.

Meanwhile, regulatory actions at the state level related to non-data breach privacy are ticking up, particularly in California. Notably, the California Privacy Protection Agency is expanding activity beyond traditional data breach scenarios to address non-breach privacy violations, algorithmic decision-making, and sensitive data practices. Similar momentum is building in Colorado, Texas, and Virginia.

The federal government has focused less on AI regulation of late, although this may change given high-profile concerns related to generative AI. Enforcement of a significant portion of the EU AI Act requirements was set to begin in August 2026 but has been delayed until December 2027.

For their part, insurers are increasingly paying attention to AI risks, although we are not aware of AI being excluded on any cyber or technology insurance products. Interest in coverage for AI-related regulatory risk is expanding. A variety of new products to directly address AI risks are being introduced by existing insurers and a wave of AI-specific insurance MGAs, although a widespread need for these products is not yet clear.

Amid the U.S. and Israeli conflict with Iran and continued Russian cyber operations linked to the war with Ukraine, insurers are refocusing their attention on state-linked cyber threats and potential aggregation risks. Carriers are concerned that systemic events could threaten the viability of cyber insurance coverage.

This is renewing focus on war exclusions present in virtually all cyber policies. It remains unclear whether these exclusions can be invoked amid uncertainty about whether a specific attack can be attributed to a government or government-backed group and whether a direct connection can be established between a cyber event and an ongoing kinetic conflict.

*Note: Rate ranges presented here reflect expected renewal outcomes — as of the Lockton Market Update publication date — over the next quarter for most insurance buyers. These should not be taken as a guarantee of any specific results during renewal negotiations. Depending on risk profiles, loss histories, account specifics, and other factors, individual buyers may renew their programs outside these ranges.


27Retrocession: A reinsurance transaction in which a reinsurer transfers a portion of its own assumed risk to another reinsurer (a retrocessionaire). Retrocession is used to manage capital, reduce volatility, and limit accumulation risk.

© 2026 Lockton Companies. All rights reserved.