While cyber threats are coming at business from every angle, cyber insurance policies have been able to hold their ground, and they look like they will continue to do so into 2026.
As a whole, cyber policies are generally available and relatively still affordable for most businesses. Most companies can obtain cyber insurance unless they have a severe open claim or extremely poor controls, said Katie Pope, Esq., senior vice president, executive lines for The Liberty Company Insurance Brokers.
"Even insureds with significant loss history are often able to find competitive options because capacity is plentiful and many new entrants are competing for market share," Pope said.
And that is good news for businesses because according to a 2025 study, there were over 3,000 reported cyber incidents with small businesses in the last year, and 75% involved ransomware.
In that environment, even businesses on the smaller side are recognizing they need cyber coverage.
"On the claims side, the cyber insurance landscape continues to evolve quickly," said Mitch Miles CISSP, CISA, with Shoreline Public Adjusters.
Ransomware and tracking claims continue to be the primary loss drivers. The shift from cyber risk as a hypothetical concern to a real one is a reality many businesses are grappling with.
Typical risks include
- Ransomware
- Data breach
- Network attacks
- Phishing
- Social engineering
- Cyber intrusion
The healthcare space seems to have a uniquely high risk profile, with more exposure than nearly any other sector. That is because it is not only high stakes, but the consequences of a health care breach are rife with the risk of fines and class action suits from the affected patients.
Regardless of sector, one of the biggest questions following a cyber incident seems to be clarity on who is on the hook for which type of claim. Depending on policy language, this could result in coverage disputes that could be prolonged and may even find their way into mediation or court.
"Once a claim is filed, coverage interpretation is often where the most significant disputes arise," Miles said. "From a claims perspective, the core challenge is rarely whether an incident occurred. Instead, the dispute usually centers on whether the loss fits within narrowly drafted coverage triggers."
Beyond sorting out who is at fault, many insurers are leaning in and working directly with policyholders before an incident to prevent the losses in the first place. Many are demanding best practices and security protocols, and others are providing their policyholders with tools they can use to fight back against the cyber criminals.
"Underwriting remains highly selective," Miles said. "Insurers are placing far greater emphasis on the actual enforcement of security controls, such as multifactor authentication, backup integrity, and incident response readiness, rather than relying solely on completed questionnaires."
As cyber risks evolve, policies are needing to adapt to respond; take cloud outages, AI agents, and deep fakes.
With cloud outages, businesses and insurers are now scrambling to clarify the details of their coverage to see who, if anyone, might be on the hook to reimburse for any losses.
When the high-profile Hong Kong deepfake incident went down, where a finance worker was duped into making a multimillion-dollar transfer based on a video call with two of his colleagues who turned out to actually be deepfakes, insurers the world over wondered how their policies would hold up under a similar attack.
And with AI agents operating autonomously, businesses now face a new layer of risk. Previously the question was what happens if a human clicks the wrong link, but now with autonomous agents, entire suites of tools might now be at risk where they might not have been in the past.
That said, some of these risks are still largely theoretical.
"Everyone is fearful of AI-related cyber claims, but we haven't actually seen many cyber losses directly tied to AI yet," Pope said.
Moving forward, many in the industry are expecting more aggressive carrier subrogation efforts to try to spread the risks throughout the value chain.
And as cyber claims mature, the industry conversation has shifted from simply asking, "Do you have cyber insurance?" to the far more critical question: "Do you understand how your policy will actually respond when it's under stress?" Miles said.
