Insurers are aggressively competing for both existing and new business, and broad terms and conditions remain readily available. Similarly, reinsurers are competing heavily for this business, and cyber represents the softest part of the liability reinsurance marketplace, owing in large part to primary insurers’ efforts to rebalance their portfolios, including taking steps to avoid overexposure to large company and healthcare industry risks.

Carriers have also been reducing their reliance on pro rata and aggregate excess of loss cover as they increasingly explore occurrence covers. In response, reinsurers have been incentivizing carriers to maintain these covers by increasing proportional ceding commissions and/or reducing rates on aggregate covers.

Although rates continue to fall, some buyers are renewing with modest rate increases. With claims frequency and severity on the rise, insurers continue to push for flat renewals, with mixed success.

Ransomware claims are on the rise. Attackers are moving through company networks with greater speed, which is increasing businesses’ vulnerability, and increasingly engaging in triple extortion — encryption and theft of data from businesses, coupled with harassment of individuals whose data has been exfiltrated.

President Trump’s fiscal year 2026 budget proposal includes a roughly $500 million cut in funding for the Cybersecurity and Infrastructure Security Agency. The proposal also includes substantial cuts to the Department of Health and Human Services budget, which could limit the department’s Office for Civil Rights’ ability to enforce violations of the Health Insurance Portability and Accountability Act of 1996.

In the absence of a strong federal enforcement stance, states — especially those where Democrats are in power — may look to fill the regulatory void. Even before the 2024 election, state-level efforts to introduce comprehensive privacy laws were already well underway.

Privacy risks are also growing more complex as other countries enact their own privacy laws and EU member countries step up their enforcement of the General Data Protection Regulation. The plaintiffs’ bar, meanwhile, continues to focus on website tracking technologies.

Meanwhile, business email compromise and social engineering threats are growing more complex as attackers increasingly use artificial intelligence to better impersonate vendors and company executives and to carry out more complex phishing and vishing attacks. This has highlighted the importance that businesses coordinate their approach to purchasing both cyber and crime insurance, under which these risks may be covered.