Signs of firming emerging in cyber market
Expected range for rate changes next quarter [1, 4]

[1] Note: Rate ranges presented here reflect expected renewal outcomes — as of the Lockton Market Update publication date — over the next quarter for most insurance buyers. These should not be taken as a guarantee of any specific results during renewal negotiations. Depending on risk profiles, loss histories, account specifics, and other factors, individual buyers may renew their programs outside these ranges.
[4] For total programs.

The cyber insurance market remains generally favorable to buyers, although signs of some firming are emerging. In the fourth quarter, median pricing for total cyber insurance programs fell 4.5% (see Figure 13).
While rates continued to decline in the fourth quarter, cyber insurers are pushing for flat renewals amid rising claims frequency and severity. Ransomware attacks are growing more sophisticated, technology disruptions are on the rise, and evolving privacy regulations are expanding litigation risks.
While reinsurers are examining their appetite and closely monitoring their deployed capacity, cyber is perhaps the only long-tail line for which reinsurance market conditions are favorable. This is largely due to primary cyber insurers' work to rebalance their own portfolios. This includes avoiding overexposure to healthcare risks and large companies, and exercising caution around offering certain terms and conditions – notably, policy language related to the wrongful collection of data. Some primary cyber insurers continue to offer favorable terms, but only for additional premium.
Privacy risks are a notable concern for cyber insurers, as the plaintiffs’ bar aggressively pursues class-action litigation around website tracking technology. As litigation becomes more difficult and costly to resolve, insurers are beginning to take a harder line with companies that have significant privacy exposure.
The evolution of ransomware threats compounds this danger. With attackers focusing more on data exfiltration than encryption, businesses can now face costly privacy litigation even if they pay a ransom. And plaintiffs no longer see ransom payments as a demonstration of defendants’ good faith efforts to mitigate privacy risks.
Although the Trump administration is generally focused on reducing the government’s regulatory footprint — and has pursued budget and staff cuts at the Cybersecurity & Infrastructure Security Administration, among other agencies — its broader stance on cybersecurity remains unclear. In January, the Biden administration’s Department of Health and Human Services (HHS) proposed a new rule that would require HIPAA-regulated entities to conduct annual risk analyses and implement risk management plans. It remains uncertain whether HHS under President Trump will advance or modify the proposed rule.
States, meanwhile, continue to enact their own, often strict, privacy laws. According to the International Association of Privacy Professionals, new privacy laws or portions of laws took effect in January in 10 states (see Figure 14). Additional laws or portions of laws will take effect in eight states in the second half of 2025.