Soft Market, Hard Choices: The State of Cyber Insurance

In 2025, high-profile cyber-attacks against retail brands, airlines and car manufacturers have thrown the risks associated with devastating cyber incidents into sharp relief. They have also put the spotlight on how organizations protect themselves, including through cyber insurance.

The attack against car manufacturer Jaguar Land Rover (JLR) was the UK’s most expensive cyber-attack to date, costing the economy some £1.9bn ($2.5bn).

At the time of the incident in late August 2025, JLR had no active cyber insurance policy in place, according to industry magazine The Insurer; the vehicle manufacturer had tried, but failed, to finalize a policy.

Meanwhile, UK retailer Marks & Spencer, which suffered a cyber-attack in April 2025, did have cover. The company told the financial markets its claim amounted to around £100m ($133m).

The experience of these two cyber-attack victims illustrates the fragmented, and sometimes contradictory, market for cyber insurance. High-profile cyber-attacks continue to make the headlines and attract regulatory and government attention. However, experts describe the cyber insurance market as “soft”, with premiums under pressure.

Insurance broker Howden tracks the cyber insurance market and found that growth in total premiums (how many organizations take cover and how much they pay) slowed from 2022 to 2024. Over the same period, rates fell, and they continued to fall in the first half of 2025, although less sharply in the US than elsewhere.

Cybersecurity firm Deepstrike reported similar figures and in 2025 identified a 12% decline in premiums in Europe. This is in sharp contrast to 2021 and 2022, when premiums rose by between 50 and 100%. The decline has come despite the volume, and severity, of cyber-attacks continuing to increase.

All this should make buying cyber insurance an easy choice for CISOs, but that is not the whole picture.

How to Approach Cyber Insurance in 2026

Organizations might still be able to drive a harder bargain for cyber insurance in 2026. However, 2025’s softer premiums came hand in hand with a more complex market.

Cyber insurance buyers face a wider range of exclusions, possibly higher excesses, and the need to provide more evidence that their security measures are sufficient. In addition, some observers of the cyber insurance market expect premiums to start to rise again.

“Cyber insurance has become a core part of enterprise risk management. In 2024 alone UK insurers paid out £197m ($262m), a more than 200% year-on-year increase,” Marie Wilcox, VP at Binalyze and a board director at the Chartered Institute of Information Security (CIISec), told Infosecurity.

“The forecast for 2026 looks far more challenging for CISOs, with insurers tightening underwriting criteria, increasing premiums, and stricter compliance expectations driven by DORA and NIS2. This shift is reflected in research highlighting that over the last year, 56% of CISOs have reported denied cyber-insurance payouts,” she said.

Rising Liability, Regulatory Demands and the Race to Prove Resilience

A common reason for rejected payouts, according to Wilcox, is that firms lacked the evidence to prove that they had mitigated risks and could not produce a full timeline of a breach that stood up to insurers’ or regulators’ investigations.

This need for IT security teams to put their houses in order will only increase over the coming year, not least because of new laws and regulations. The EU’s DORA and NIS2 will be joined by the UK’s Cyber Security and Resilience Bill, as well as new US rules.

“The biggest shift heading into 2026 is that cyber insurance is becoming a much larger share of corporate spending because liability is increasing,” said George Manuelian, chief strategist at RapidFort.

“Changes to US data breach notification laws are increasing personal exposure for board members, and requirements like FedRAMP and CMMC are cascading through the supply chain. If a vulnerability in your system triggers a partner's breach, they can sue, making insurance the safety net.”

However, he warns, CISOs and insurers alike are struggling with the increasing speed of cyber exploits.

“Underwriting is becoming tied to how fast you can identify and reduce exposure, which means the bar for coverage is only going up,” he said.

The growth of AI threats, with criminal groups able to use LLMs for targeted reconnaissance and to reverse engineer security patches, looks set to make matters worse. CISOs might well find that certain risks, especially those around AI technology, are excluded from cover altogether.

Ryan Rubin, EMEA cyber practice lead at advisory firm Ankura, said the market is still “soft”, with new insurance entrants coming in and trying to buy the business, potentially with lower coverage offerings.

“However, given continued large claims relating to ransomware and business interruption costs, insurers are more hesitant to offer wide coverage. Companies will find themselves having to increasingly demonstrate higher levels of cyber controls maturity before being offered insurance, and obtaining lower coverage than their true business risk profile dictates,” he said.

This favors organizations with higher levels of cybersecurity maturity, and especially well-documented risk mitigation and compliance measures.

Cyber Insurance Offers More Than a Payout

Enterprises are increasingly opting to “self-insure” or accepting much higher excesses or retentions. Potentially this can run to hundreds of thousands, or even millions, of dollars.

In part, this reflects organizations turning to cyber insurance less for the financial compensation and more for the services that come with policies. A payout is a backstop, reducing what could be catastrophic losses, but insurers provide incident response, legal, communications and forensic investigation capabilities that even very large enterprises do not always have in house.

“Most large corporates need cyber insurance, and they need cyber insurance because they simply can't handle a modern cross border breach,” explained cyber insurance expert and former CISO, Michael Colao. “What they do is they have a humongous deductible, self-insured retention. They go with $400m or $500m, but they buy insurance on top of that, purely to get the services, because most firms just can’t do it.”

Even a deductible in the $200m range will drastically reduce premiums while still giving CISOs access to services that are essential, and hard to source, during a cyber-attack.

Nonetheless, Colao urged caution. Not all insurance policies are equal, and chasing after savings, even in a soft market, could prove a false economy in 2026.

“Firstly, figure out what coverage you need before you meet with the broker. Be willing to pay a small amount extra, to avoid unpleasant exclusions,” he said. “Match the insurer and their profile to your actual risk. Pick your primary insurer very carefully, as they will be handling your claim,” he concluded.

Conclusion

Falling premiums might suggest cyber insurance is an easy win, but the reality is more complex. Despite lower costs, organizations face stricter underwriting, broader exclusions, and rising compliance demands, making coverage harder to secure.

For CISOs, the challenge is balancing affordability with adequacy. In a market where attacks are increasing but policies are tightening, the priority must be finding insurance that truly aligns with risk, not just chasing the lowest price.