
Webcast

US cyber insurance market update: Rates decrease, threats evolve

Learn more about the latest trends in the US cyber insurance market to enhance your cyber controls and manage emerging risks effectively.

Further enhancing cyber controls and proactively addressing emerging risks

Cyber insurance rates in the US declined 5%, on average, in the fourth quarter of 2024. That continued a long stretch of cyber pricing stability, with conditions expected to remain favorable in 2025, barring unforeseen changes in conditions (see Figure 1). As companies continued to invest in their cybersecurity controls — efforts looked upon favorably by underwriters — many also sought to increase limits, reduce retentions, and make other program improvements.

This webcast was held on March 12, 2025, and it was based on data from 2024. Since then, the Q1 2025 Global Insurance Market Index has been released, showing global commercial insurance overall rates fell 3%, on average, following a 2% decline in Q4 2024, marking the third consecutive quarterly decrease following seven years of rising rates. The insights discussed in the cyber market update webcast remain relevant for organizations.

Figure 1 | Source: Marsh 

Cyber insurance rates decline 5% in Q4 2024

Cyber risk remains a top concern for organizations. Ransomware continues to evolve as a threat, and the regulatory and legal landscape around privacy breaches is increasingly complex. Mitigating third-party-driven cyber incidents with widespread consequences — even non-malicious events such as the July 2024 CrowdStrike incident — may only increase in importance, as companies continue to integrate more third-party solutions.

The competitive insurance market provides clients with the opportunity to explore enhanced coverage options and to differentiate between insurer offerings, while continuing to implement controls to better prevent and mitigate the impact of cyberattacks. 

Key coverage, service, and program considerations for organizations may include:

  • Wrongful collection: The rise of state-specific privacy regulations has led to increased scrutiny on how organizations collect, use, and protect personal data, making it essential for companies to ensure compliance to avoid wrongful collection claims.
  • Claims handling: The increasing complexity and frequency of incidents can complicate cyber claims management, calling for increased accuracy in terms of cyber control posture, documentation, and compliance. 
  • Cyber insurance program stabilization and sustainability: The current cyber market is favorable for insureds, and organizations should assess how best to align their coverage with their operations while establishing a long-term, stable program. It is important to set clear expectations regarding coverage, pricing, and claims handling. Coverage is not one-size-fits-all, but there are cyber coverage standards that every cyber policy should meet, so that buyers are not confused and the product itself is not surrounded by uncertainty.

Cyber insurance market through Q4 2024

  • Rates: 5% decrease, on average
  • Program structure: 20% increased limits; 18% reduced self-insured retentions
  • Underwriting: 12 cyber hygiene controls are viewed as essential by carriers

Source: Marsh US clients

Market drivers

Underwriters continue to apply diligence, focusing on the cybersecurity controls organizations have in place and on whether those controls are continuously improving. Additionally, insurers closely scrutinize coverage related to privacy and catastrophic losses.

As organizations prioritize cyber risk management and implement more effective controls, and as insurer capacity increases, cyber insurance take-up rates have risen across industries (see Figure 2).

Figure 2 | Source: Marsh 

US cyber insurance take-up rates across all industries from 2018 – 2024 (all Marsh clients)

A changing regulatory environment around privacy

As states implement their own privacy laws, businesses should proactively assess how they collect, use, and protect data, rather than merely reacting to breaches. The shift towards a more active regulatory environment underscores the importance of robust risk management strategies (see Figure 3).

Figure 3 | Source: IAPP, 2025

More states enacting privacy legislation

Cybersecurity, IT, and risk leaders should consider the following actions to better mitigate privacy risks:

  • Follow data backup, encryption, and remote access best practices: Implement strict access controls so that only authorized personnel can reach sensitive data. This includes role-based access control (RBAC), privileged access management (PAM), and multi-factor authentication (MFA). Encrypt sensitive data to reduce the impact of exposure, and back up data and regularly test recovery from those backups, so that malicious encryption by ransomware can be recovered from rather than paid for.
  • Develop comprehensive incident response plans: Establish a dedicated incident response team with clearly defined roles, responsibilities, and procedures to help respond to data breaches and other privacy concerns.
  • Conduct regular, varied tabletop exercises: Organizations can prepare more effectively for the impacts of privacy risks if they have practiced their response to a range of scenarios. Perform these exercises regularly to keep teams more informed.
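The backup item above stresses that backups must be tested, not just taken. The script below is an added example, not code from the webcast or from Marsh: it builds a tar.gz backup together with a separately stored SHA-256 manifest, then restores the archive into a scratch directory and checks every file against the manifest. It also shows what the check reports when the backup contents were overwritten after the manifest was taken, which is what a ransomware pass over a reachable backup share looks like. All file names and contents are constructed for illustration.

```python
"""Backup integrity and restore-test check (added example, not from the page).

A backup is only useful if it can be restored and has not been altered.
The manifest of file hashes is meant to be kept apart from the archive
(offline or in immutable storage), so an attacker who can write to the
backup share cannot silently rewrite both.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(src_dir):
    """Return (archive_bytes, manifest) for every regular file under src_dir.

    manifest maps each archive-relative path to the SHA-256 of its contents.
    """
    src_dir = Path(src_dir)
    manifest = {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_hex(path.read_bytes())
            tar.add(path, arcname=rel)
    return buf.getvalue(), manifest


def verify_and_restore(archive, manifest, dest_dir):
    """Restore archive into dest_dir and compare each file with the manifest.

    Members are extracted one at a time (not extractall) and their names are
    checked first, so a crafted archive cannot write outside dest_dir.
    Returns a report with lists: ok, mismatch, missing, unexpected.
    """
    dest_dir = Path(dest_dir)
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError("unsafe path in archive: %s" % member.name)
            data = tar.extractfile(member).read()
            target = dest_dir / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            if member.name not in manifest:
                report["unexpected"].append(member.name)
    for rel, expected in manifest.items():
        restored = dest_dir / rel
        if not restored.exists():
            report["missing"].append(rel)
        elif sha256_hex(restored.read_bytes()) != expected:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def run_demo():
    """Constructed scenario (made-up files): a clean backup restores fully;
    a backup whose source was overwritten after the manifest was taken is
    flagged as mismatching when checked against the offline manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        archive, manifest = make_backup(src)
        clean = verify_and_restore(archive, manifest, tmp / "restore_clean")

        # Simulate malicious encryption of the source before the next backup run;
        # the manifest kept offline still describes the good copy.
        (src / "db" / "customers.csv").write_bytes(b"\x8f\x13ENCRYPTED\x00\x7a")
        tampered_archive, _ = make_backup(src)
        tampered = verify_and_restore(tampered_archive, manifest, tmp / "restore_tampered")
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = run_demo()
    print("clean backup:", clean_report)
    print("tampered backup:", tampered_report)
```

A restore test that only checks the archive opens is not enough; comparing restored bytes against a manifest that the backup system itself cannot rewrite is what turns "we have backups" into evidence an underwriter or an incident responder can rely on.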

Ransomware risks evolving

The ransomware landscape is evolving as ransom payment rates decline, with some attackers increasing the frequency of attacks, others looking to increase the severity, and some doing both. The decline in payments is potentially in part due to companies implementing stronger controls with the goal of reducing attackers’ leverage, leading more companies to not pay ransoms (see Figure 4).

Companies are also learning that in many cases a ransom payment does not lead to effective data decryption or deletion, and may produce little or no material reduction in overall impact.

Figure 4 | Source: Chainalysis, 2025

Ransomware payments decreasing

Governments worldwide continue to discuss the possibility of banning ransom payments. In the meantime, organizations should focus on planning for ransom scenarios. By creating a cross-enterprise approach — involving legal teams, risk managers, employees, and others — organizations may be able to enhance their resilience against potential attacks.

A collaborative strategy should include regular training and awareness programs to educate employees about the risks and signs of ransomware and the importance of reporting suspicious activities. Additionally, investing in advanced cybersecurity technologies, such as endpoint detection and response (EDR) systems, may help identify and mitigate threats before they escalate.

Analyzing the relationship between cyber controls and risk

As organizations develop their cyber controls, some may have a limited understanding of which controls are most likely to decrease the likelihood of an incident. 

Using proprietary claims data and incident datasets, Marsh McLennan’s Cyber Risk Intelligence Center examined the effectiveness of various cybersecurity measures. The center found correlations between specific cybersecurity practices and the likelihood of a breach, enabling organizations to focus on the controls that potentially offer the greatest return on investment. 

This innovative analysis can help organizations:

  • Identify the most effective controls, such as automated hardening techniques, which showed the greatest ability of any control studied to decrease the likelihood of a successful cyberattack.
  • Gain a comprehensive understanding of why it’s critical to implement cybersecurity controls broadly, and how some controls, notably MFA, are most successful when implemented fully.
  • Measure the impact of key cyber risk controls to better inform cybersecurity resilience strategy and investments.

Organizations should engage in continuous evaluations of and investments in cyber controls, as maintaining best practices could have a positive effect on discussions with insurers. Cybersecurity is not a one-size-fits-all approach — every organization has a unique risk profile and operational environment.

Live Q&A:

  • Does the amount of cyber coverage you buy increase your susceptibility to cyberattacks?

Although it may seem plausible that attackers would want to proactively target organizations with higher limits, this assumes the attackers already have, or seek to obtain, that information prior to launching attacks. While there have been some historical reports of insurance policy information being used post-breach to inform negotiations, there is little to no evidence to support that insurance policies materially affect initial targeting. The primary drivers of cyber incident likelihood are usually related to an organization’s specific vulnerabilities, infrastructure, industry, and region — not how much insurance they buy.

Underwriters have noted that they recognize the importance of recognized cybersecurity frameworks in assessing and managing cybersecurity risks, and typically encourage insureds to adopt them. Such frameworks provide a common taxonomy that facilitates discussions around cybersecurity issues, making it easier for all parties to engage in meaningful conversations.

Preparing for the future

Current cyber insurance market conditions reflect organizations’ ongoing commitment to improving their controls. The reward for these efforts is a healthier marketplace with sufficient capacity and competition among insurers. However, challenges persist, and new risks can be expected to emerge. Continued vigilance and investment in cybersecurity are required to better maintain and develop a stronger cyber control posture, and secure more effective coverage to build long-term cyber resilience.

Speak with a Marsh representative

To learn more about managing your cyber exposures and structuring your cyber insurance program, contact your Marsh representative. 
