Companies strengthening their security investments in response to increased cyber insurance requirements, according to a recent report
In the ever-evolving landscape of digital security, a significant shift has been observed in the realm of cyber insurance. A recent report by Sophos and Vanson Bourne reveals that 75% of companies have invested in cyber defense, a testament to the growing awareness and concern surrounding digital threats.
The report, released on Wednesday, highlights several key trends that are shaping the cyber insurance market. One of the most prominent trends is the rise in premiums and stricter underwriting requirements. Cyber insurance premiums have tripled over the past three years, reaching an estimated $30 billion globally in 2025. This increase is due in part to the escalating frequency and cost of ransomware attacks, with the average ransom demand now standing at around $2.3 million.
In response, insurers are tightening underwriting rules and demanding better cybersecurity practices before offering coverage. This has led to a surge in investments in cybersecurity, as businesses strive to meet these requirements and lower their premiums. Improved practices such as multi-factor authentication and reliable backups are helping organizations reduce vulnerabilities and enhance resiliency.
Another trend highlighted in the report is the increasing use of AI technologies by attackers. These technologies are used to generate highly convincing phishing attacks and sophisticated malware, pushing insurers to adjust pricing and risk assessment processes using AI tools for better accuracy and efficiency.
Despite the increased investments in cyber defense, significant gaps remain between ransomware recovery costs and the coverage insurers provide. According to Sophos, recovery costs for ransomware rose more than 50% over the past year to an average of $2.73 million per incident, and the survey found that these costs exceeded the coverage provided by insurance providers.
A notable trend is victims increasingly opting to restore systems from backups rather than paying ransom demands. This reduces extortion payments (which dropped 35% in 2024), helps contain recovery costs, and encourages investment in robust backup and recovery technologies.
Insurers are also incentivizing companies to improve their cyber defenses by linking premium costs and depth of coverage to maintaining those standards. Chester Wisniewski, director and global field CTO at Sophos, stated that incremental improvements in minimum security standards like PCI-DSS can have positive effects over time.
Meredith Schnur, regional cyber practice leader at Marsh, stated that combined claim recovery at Marsh was about 80% during 2022 and 2023, with the gap widening once retentions are taken out. Cyber insurance policies do pay claims, but they are not intended to provide unlimited coverage.
The report also touches upon regulatory and systemic risk considerations. More stringent regulatory and compliance requirements, especially in data-sensitive sectors, are driving greater cyber insurance adoption, further impacting underwriting standards and premiums. The interconnectedness of digital systems raises systemic risk concerns, where a cyber incident in one part of the ecosystem can cause widespread disruption, influencing insurers' risk appetite and pricing models.
In summary, rising cyber insurance demands are incentivizing greater organizational investment in cyber defenses and resiliency while also driving up insurance premiums and altering recovery strategies to minimize ransom payments. AI is playing a critical role both in the threat landscape and in optimizing insurance underwriting and claims handling processes.
- Despite the increasing cybersecurity investments and the growing use of AI technologies in the insurance industry, the report reveals that recovery costs for ransomware continue to rise, outpacing the coverage provided by insurance providers.
- Insurers are linking premium costs to the maintenance of minimum cybersecurity standards, such as PCI-DSS, which encourages companies to invest in strengthening their cyber defenses.
- The interconnectedness of digital systems raises systemic risk concerns, where a cyber incident in one part of the ecosystem can cause widespread disruption, influencing insurers’ risk appetite and pricing models in the technology sector.