AM Best, a global credit rating agency and information provider specializing in the insurance industry, has confirmed the stable outlook for the global cyber insurance sector in its latest market segmentation report, Segment Outlook: Global Cyber Insurance.
The rating agency’s assessment reflects continued demand for cyber insurance despite a soft pricing environment, as well as good medium-term profitability and the growing role of artificial intelligence in the market.
AM Best points to several supporting factors behind its view. Even as competition puts pressure on rates, the use of cyber insurance is expected to remain strong, driven by the pace of digitization, tightening regulatory obligations and wider awareness among businesses of the risks they face.
The agency also expects underwriting margins to remain favorable over the medium term, but expects them to narrow as more insurers compete for business. AM Best notes that investments in prevention, resilience and incident response continue to strengthen cybersecurity practices across the market, while capacity continues to grow as traditional reinsurers and alternative capital providers alike commit additional resources. The rating agency also believes artificial intelligence and analytics tools can help improve underwriting, risk modeling and claims processing capabilities, and expects tighter regulation to continue to drive more organizations to purchase insurance.
Commenting on the findings, Cristian Sieira, senior financial analyst at AM Best, added: “Our stable outlook for this segment reflects strong demand for insurance even as market pricing softens, in addition to good medium-term profitability and increasing use of artificial intelligence.”
In response to these positives, AM Best has identified a range of countervailing pressures. Ransomware, business email compromises and money transfer fraud are still around and becoming increasingly sophisticated, increasing the likelihood of large claims. Stronger digital interconnections also increase the risk of systemic incidents that can impact multiple businesses or entire industries simultaneously, AM Best warns, and attackers can similarly use the same AI tools that improve defenses, allowing for more scalable and convincing campaigns.
The agency noted that insurers themselves are not immune given the large amounts of sensitive policyholder data they hold, while broader geopolitical instability is putting further pressure on the threat landscape. AM Best also noted that underwriting wording may need to evolve as the lines between AI-related risks and traditional cyber risks become less clear.
Todor Kitin, associate director at AM Best, said: “Insurers remain an important target for cyberattacks due to the concentration of sensitive policyholder and risk data, which increases insurers’ own operational and aggregate risks.” He further added: “Ongoing geopolitical uncertainty has also led to a heightened cyber threat environment.”
On the regulatory front, AM Best observes that data protection obligations have been a significant driver of cyber insurance purchases. Industries that handle particularly sensitive information, such as healthcare and finance, face the most stringent requirements, and the agency describes cyber coverage as a core part of organizations managing risk and compliance, including the costs that may arise following a breach or regulatory action.
AM Best expects that upcoming data privacy and IT security legislation, including the EU’s Cybersecurity Bill, will enhance demand in certain markets. The report also draws attention to pressures within U.S. federal cyber agencies: Funding pressures at the National Institute of Standards and Technology have led to a backlog in the National Vulnerability Database in 2024, and AM Best noted that the ensuing government shutdown furloughed a large number of employees at the Cybersecurity and Infrastructure Security Agency, affecting its vulnerability tracking efforts. AM Best warned that the reduced capabilities of these agencies could impede the flow of threat intelligence to industry and government, potentially leaving some vulnerabilities unaddressed for longer.
Turning to competitive conditions, AM Best said the online market has been favorable for buyers, with rates continuing to fall since 2023 as insurers compete for share while still deploying capital to meet demand. The agency attributes the potential market growth to rising awareness of cyber exposure and the corresponding need for risk transfer.
The agency also recorded a slight increase in loss rates over the past three years, while stressing that the unit has remained consistently profitable. AM Best further observed that policyholders’ cyber hygiene has improved, driven by increased threat awareness, helping to contain losses, and insurers are increasingly working with clients on risk management rather than viewing the relationship as purely transactional.
In terms of performance, AM Best cited estimates from Munich Re that global cyber insurance premiums will exceed $16 billion by 2025, although the growth rate has slowed down from previous years, mainly due to declining direct written premiums in the United States due to increased competition and sufficient capacity.
AM Best believes this apparent flattening may reflect larger organizations transferring cyber risk to their own single-parent captives, particularly those with strong cyber hygiene and good claims histories, as this arrangement allows them to retain the benefits of their own good experience; the agency notes that this activity is not always visible in NAIC data because captives typically do not file cyber supplements. AM Best also highlighted the ongoing protection gap among small and medium-sized players, whose market penetration remains at around 10% to 20% according to Swiss Re, representing a significant growth opportunity that AM Best believes can be closed through closer collaboration between insurers, brokers and agents.
AM Best pointed out that in terms of geographical distribution, the United States remains the largest cyber insurance market and is far ahead. NAIC data shows that U.S. premiums account for more than half of global premiums. The agency believes that this proportion may be closer to 60% if U.S.-related risk exposures underwritten through Lloyd’s are taken into account. AM Best expects other regions to gradually increase their share of the global market, noting that rapid digitalization is driving growing awareness among small and medium-sized enterprises, supported by evolving regulatory regimes and larger enterprise customers in Europe, as well as rising penetration in parts of Asia.
The agency also expects geopolitical instability to bolster demand following the outbreak of conflict between Iran and the United States in February 2026, noting that cybercriminal activity increased in the early months, although the resulting losses and damage are difficult to quantify. AM Best added that insurers’ exposure in this conflict should be limited in part by war exclusions in cyber policy standards from 2023, although applying these exclusions in practice still requires insurers to prove links between attacks and state-sponsored actors.
AM Best also discusses the role of reinsurance and insurance-related securities in supporting this segment. It described capacity as ample, with both reinsurers and alternative capital providers expanding participation and helping to maintain buyer-friendly terms, and noted a gradual shift away from proportional reinsurance structures toward non-proportional reinsurance structures designed to provide greater tail protection.
The cyber catastrophe bond market, while still a small part of the broader catastrophe bond sector, continues to grow in 2025, with AM Best estimating more than $1.3 billion in issuance of 144A cyber catastrophe bonds, including large transactions from Beazley and Chubb. Even so, given that traditional channels already provide sufficient capacity, AM Best expects growth in cyber securities to remain fairly modest in the near term, citing Swiss Re and Axis Capital’s decision not to renew their respective cyber retrocession deals in 2026 as examples, as well as ongoing constraints posed by limited historical loss data and model uncertainty.
AM Best quoted Comparitech data showing that 2025 was the third consecutive year of record-breaking ransomware, with the number of attacks worldwide increasing by more than 30% to 7,419. The United States remains the most targeted country, accounting for approximately half of all recorded attacks worldwide.
The agency noted the growing adoption of “zero trust” security approaches as a response, pointing to high-profile UK incidents, including attacks on Marks & Spencer and Jaguar Land Rover, as examples of how ransomware can cause significant operational disruption and strengthen the case for cover.
AM Best further warned that systemic risk remains a significant concern, citing outages affecting Amazon Web Services, CrowdStrike and CDK Global in 2024 and 2025 as examples of how a single point of failure can disrupt many organizations simultaneously.
On the AI front, AM Best reiterated that while it strengthens cyber defenses, criminals can equally use it to conduct automated attacks and craft more persuasive, personalized social engineering attempts, underscoring the continued need for employee awareness and AI-powered defense tools.
Finally, AM Best emphasized that given the sensitivity of policyholder, loss control and customer data, insurance companies themselves face increasing risks of attacks, so strong internal controls are critical to guard against fraud, breaches and operational disruptions.