Competitive forces remain dominant in cyber market


Buyers continue to benefit from competitive conditions in the cyber insurance marketplace. In the second quarter, median total program rates for cyber insurance fell 4.5%, according to Lockton data. (See Figure 21.)

With few new buyers entering the cyber insurance marketplace, opportunities for insurers to grow are limited. Most insureds continue to renew with incumbent carriers, motivated by factors such as coverage continuity and competitive pricing.

In light of this trend, some insurers that previously concentrated on excess placements are now seeking growth in primary cyber, where they have more control over pricing and risk management. At the same time, insurers are also highly protective of their existing books, resulting in most insureds — including those with less-than-ideal risk profiles — renewing flat to slightly down.

Some underwriters have asked targeted questions about exposure to recent attacks, such as those linked to the cybercriminal group Scattered Spider. But scrutiny has eased in many cases amid concerns about losing potential business. Insurers are increasingly willing to entertain manuscript policy terms to defend existing books or win new business, even as the threat environment remains concerning.

In August, QBE launched a new media liability form tied to social media influencers, signaling how insurers are now approaching media and E&O coverage. To mitigate claims and reduce exposures, carriers are also increasingly pushing vendor services, such as breach response, forensics, and threat intelligence.

Among buyers, interest is growing in parametric insurance solutions, particularly for business interruption losses stemming from cyber events. These products offer predefined triggers and faster payouts, appealing to organizations seeking more predictable recovery in the face of increasingly complex threats. Triggers may include system downtime for a specific period of time, the detection of ransomware attacks, data breach notifications, third-party outages, or network disruption.

Ransomware and data breach claims remain top concerns for insurers, while privacy violations and data exposures are driving up claims costs, often resulting in large class-action settlements. In addition, incidents involving third-party vendors — especially those tied to software-as-a-service platforms — are increasing in both frequency and severity across sectors. These trends have prompted carriers to scrutinize policy language more closely during the claim process, with a growing focus on exclusions, sublimits, and definitions.

In July, President Trump signed into law a sweeping spending and tax policy bill that included a $1.2 billion cut to federal cybersecurity funding across multiple government agencies. Since early 2025, more than 1,000 employees have left the Cybersecurity Infrastructure and Security Administration Agency (CISA) through layoffs and attrition.

CISA programs related to election security, online misinformation and disinformation, and stakeholder engagement have been terminated or drastically scaled back as the agency’s mission increasingly shifts to the security of critical infrastructure and federal systems, such as the Department of Defense, and away from support for state and local governments. Meanwhile, U.S. law enforcement agencies have shifted agents and resources to immigration enforcement and away from cybersecurity during the first half of 2025.

Also in July, the Trump administration published America’s AI Action Plan, outlining 90 federal policy actions. The plan focuses on three main administration objectives: to accelerate innovation in AI, build American AI infrastructure, and position the U.S. as the leader in international AI diplomacy and security.

At the state level:

  • Twenty-six states had passed specific AI legislation, according to law firm Bryan Cave Leighton Paisner LLP, with several others considering proposed bills. Notably, in June, Texas Governor Greg Abbott signed the Responsible AI Governance Act, which prohibits the use of AI to capture biometric data without consent, infringe on constitutional rights, engage in discrimination, or manipulate human behavior.
  • Massachusetts has several pending bills that would introduce mandatory cyberattack response protocols for businesses, require annual cybersecurity training, mandate zero trust architecture, and prohibit the use of AI-powered employee monitoring tools.
  • Several states — including Alabama, Nebraska, Rhode Island, South Carolina, Virginia, and Washington — are enacting protections to regulate youth access to social media platforms.
  • By the end of 2026, comprehensive privacy protection laws will be in effect in 20 states.

The shifting federal and state policy landscape is creating new challenges for risk managers and insurers. The reduction in federal cybersecurity coordination — particularly the scaling back of CISA’s programs — has increased exposure for state and local entities that previously relied on federal support. This decentralization comes at a time when cyber threats are growing more sophisticated, leaving public systems and infrastructure more vulnerable. Some observers also believe that the shift of federal law enforcement resources away from cybersecurity leaves American companies more exposed to threat actors aligned with governments targeting the U.S., such as China and Russia.

At the same time, the lack of federal law and the rapid expansion of foreign and state-level legislation — especially around AI and data privacy — are contributing to a fragmented regulatory environment. For national and multinational organizations, this patchwork of laws introduces compliance complexity.

As states enact new rules governing biometric data, algorithmic accountability, and digital surveillance, insurers are beginning to reassess third-party liability exposures. While it is still early, carriers are reviewing policy language and exclusions more closely, especially in sectors where AI is deeply embedded in operations.

Absent a significant uptick in claims activity, current market conditions should continue for the foreseeable future. For cyber insurance buyers, now is the time to explore using annual premium savings to potentially increase limits, round out policies with E&O coverage, and take other steps to optimize policies.

¹ Note: Rate ranges presented here reflect expected renewal outcomes — as of the Lockton Market Update publication date — over the next quarter for most insurance buyers. These should not be taken as a guarantee of any specific results during renewal negotiations. Depending on risk profiles, loss histories, and other factors, individual buyers may renew their programs outside these ranges.

© 2025 Lockton Companies. All rights reserved.