Cyber risk moves into core insurance

Cyber insurance used to sit off to the side — a specialist product for companies that knew they had a tech problem. That is changing. The market is starting to treat cyber as a core operating exposure, more like property catastrophe or casualty accumulation than an optional add-on. You can see that in the numbers, but also in the way insurers are changing the plumbing underneath underwriting. ### What changed in the market? The clearest signal came from the NAIC’s 2025 market report. U.S. cyber direct written premium fell 7% in 2024 to about $9.14 billion, the first decline on record, while the number of reported claims rose almost 40% to nearly 50,000. The number of policies barely moved. That is a weird combination if you still think of cyber as a fast-growth specialty line. It looks much more like a maturing market under pressure to price risk better, not just write more of it. (content.naic.org) ### Why does that matter beyond cyber policies? Because cyber losses do not stay inside the cyber box. A cloud outage, a bad software update, or a supply-chain compromise can hit business interruption, professional liability, crime, and operational resilience all at once. Munich Re used the July 2024 CrowdStrike outage as the obvious example — no(content.naic.org)changes, tech, and healthcare. That is exactly the kind of event that forces carriers to think across portfolios, not just within one product silo. (munichre.com) ### What are insurers doing differently? They are asking for more granular visibility. The NAIC report notes that the cyber supplement changed for 2024 filings from a simple stand-alone versus packaged split to a three-way primary, excess, and endorsement split. That sounds technical, but basically it means regulators and carriers want a clearer picture of where c(munichre.com), insurers need better data to see the real exposure. (content.naic.org) ### Why is “silent cyber” still the headache? Because the hardest risk is the one you did not explicitly price. If a policy was not sold as cyber insurance but still responds to a cyber-triggered loss, the insurer can end up carrying accumulation it never meant to write. The market has spent the last few years trying to tighten wording and re-und(content.naic.org)ration, with competition pushing concessions on premium, limits, coverage, and security controls even while systemic-risk concerns remain. (swissre.com) ### What kind of risk worries carriers most? Systemic events. Not the one-company breach, but the event that hits thousands of insureds at once. Munich Re and CyberCube surveyed 93 cybersecurity professionals in 2025 and found that severe malware and major cloud outages are both plausible accumulation scenarios. A single-day outage of (swissre.com)practical than people assume. That is why insurers care so much about vendor concentration and cloud dependency now. (munichre.com) ### So why are vendors suddenly relevant to underwriting? Because carriers need evidence, not vibes. If underwriters are trying to price cloud concentration, patching discipline, backup quality, or business interruption dependency, they need tools that surface those exposures in a usable way. The same data (munichre.com)ncy are now part of the market’s stable outlook. Better visibility is becoming part of the product itself. (news.ambest.com) ### Is this still a growth story? Yes, but not the old one. Global premium is still rising — Munich Re pegged the 2025 market at $16.3 billion, while Swiss Re projected about $15.6 billion — yet both also point to slower growth and a need for sustainable pricing. So the story is no longer “cyber gets bigger.” It is “cyber gets embedded.” (munichre.com)risk is moving into core insurance because digital dependency is now core business infrastructure. Once outages and attacks can cascade across multiple lines, underwriting has to see the whole digital footprint — not just the stand-alone cyber policy.