Cyber Insurance News: 2026 Rates, Record Claims, New Rules

The cyber insurance news of 2026 tells one clear story: the easy market is ending. After eight straight quarters of falling prices in the United States, S&P Global Ratings now forecasts premium increases of 15 to 20 percent for 2026. At the same time, average claim severity has hit an all-time high of $221,000, ransomware losses keep climbing, and three separate regulatory regimes now dictate how fast a breached company must speak up. This guide walks through the numbers behind each headline, separates legal obligations from market forecasts, and translates the developments into concrete steps for anyone buying or renewing a cyber policy this year.

Why another piece on this topic: most coverage is either a raw statistics list or a dense broker PDF. Neither connects the claims data to the three 2026 rule changes, and neither tells a buyer what to do at renewal. That connection, each figure tied to its source and to a decision, is the whole point of this report.

The headline numbers: a market growing toward $22 billion

Start with the size of the market, because it explains everything else. Global cyber premiums reached about $15.3 billion in 2024, and industry projections put 2026 gross written premium near $16.6 billion. Munich Re, one of the largest reinsurers backing this line of coverage, forecasts the market will reach roughly $22 billion by 2028, a compound growth rate of about 15 percent per year from 2024 levels.

That growth is not driven by carriers raising prices on a captive audience. It is driven by new buyers. An estimated 72 percent of small businesses still carry no cyber coverage at all, which makes this one of the few property and casualty lines where the untapped market is larger than the insured one. Reinsurers and carriers see that gap as their next decade of growth, and much of the current news flow, from simplified underwriting to bundled coverage, is an attempt to reach those uninsured firms.

Close-up illustrating the headline numbers: a market growing toward $22 billion
The headline numbers: a market growing toward $22 billion

The most consequential development for buyers is the direction of pricing. The first quarter of 2026 marked the eighth consecutive quarter of price decreases in the US cyber market, according to reporting from Insurance Journal on carrier filings. Buyers who renewed between 2024 and early 2026 generally saw flat or falling premiums, broader terms, and carriers competing hard for well-defended accounts.

That soft stretch now looks finished. S&P Global Ratings forecasts premium increases of 15 to 20 percent in 2026, following two years of declining rates. The rating agency points to rising claim severity, with successful attacks costing about 17 percent more per incident than in 2024, and to a sharp jump in ransomware activity in recent quarters. A forecast is an opinion about the market, not a law, but when the analysts who grade carrier balance sheets expect a correction, underwriters tend to follow.

For a buyer, the practical takeaway is timing. A policy bound or renewed before the hardening fully arrives locks today’s terms for a full policy period. Waiting until after a market turn usually means paying the new rate and answering a longer security questionnaire to get it.

Claims news: severity hits an all-time high

Behind the pricing turn sits the claims data. The 2026 InsurSec Report from At-Bay, a carrier that publishes some of the most detailed claim statistics in the industry, documents a 7 percent year-over-year rise in overall claim frequency and an average claim severity of $221,000, the highest figure the insurer has ever recorded.

Severity is the number that matters most. Frequency tells you how often policyholders get hit; severity tells you what each hit costs. When the average loss on a claim grows faster than premiums, carriers lose money on the line, and the correction shows up in everyone’s renewal. That is precisely the dynamic S&P Global Ratings cites in its 2026 outlook.

The composition of claims is shifting too. First-party losses, meaning the policyholder’s own response costs, data restoration, and business interruption, still dominate at roughly 62 percent of claims. But third-party claims, where customers or partners sue the breached company, are rising and dragging loss ratios with them. A company that once bought cyber coverage mainly to pay for forensics now increasingly needs the liability side of the policy as well.

Ransomware still drives the biggest losses

Ransomware remains the single most expensive event type in the cyber claims world. At-Bay’s 2026 report puts average ransomware claim severity at $508,000, up 16 percent from the prior year and more than double the all-cause average. Allianz Commercial’s cyber risk update reaches a similar conclusion from the large-account side: ransomware drives about 60 percent of large cyber claims by value.

The mechanics explain the cost. A ransomware event stacks losses that other incidents trigger one at a time: forensic investigation, system restoration, business interruption while operations are down, potential extortion payment, legal notification duties, and follow-on liability. Even organizations that refuse to pay the ransom still absorb most of those layers.

Ransomware activity also rebounded sharply after a quiet stretch, with incident counts in early 2025 more than doubling year over year in some quarterly tallies before settling at an elevated plateau. Underwriters responded by tightening the security controls they require, which leads directly to the next piece of news every applicant feels.

Why more than 40 percent of claims get denied

The least reported but most painful statistic in recent cyber insurance news: more than 40 percent of cyber claims end in denial. Industry claim reviews attribute the denials to three recurring causes, and all three are preventable.

  • Missing controls. The application said multi-factor authentication covered all remote access, and the forensic report found an exception. Misrepresentation on a cyber application is grounds for denial or even policy rescission.
  • Late notice. Cyber policies carry strict notification windows. Companies that spend weeks investigating before telling their carrier can void coverage for the event.
  • Exclusion clauses. War exclusions, prior-known-incident exclusions, and unencrypted-data carve-outs remove coverage for events buyers assumed were included.

Warning: a cyber application is a warranty, not a marketing form. If the forensic report contradicts what the application claimed, the carrier can deny the claim or rescind the policy entirely.

The defense against all three is documentation. Keep evidence of every control listed on the application, screenshot configurations at binding time, calendar the notice deadline the day the policy starts, and have a broker or licensed advisor walk through the exclusions before signing. A policy that pays is worth far more than a policy that is merely cheap.

Regulatory news: the SEC four-day disclosure clock

Three regulatory developments now shape both breach response and underwriting, and the first is a legal obligation, not a suggestion. The US Securities and Exchange Commission requires public companies to disclose a material cybersecurity incident within 4 business days of determining that the incident is material. The rule, adopted in 2023 and enforced through Form 8-K filings, also requires annual disclosure of cyber risk management practices and board oversight.

For insurers, the SEC rule created a new claims category: regulatory response costs and securities litigation that follows a disclosed incident. For buyers, it means the response clock is now public. A company that fumbles its four-day assessment faces enforcement exposure on top of the breach itself, and directors and officers coverage gets pulled into events that used to stay inside the cyber policy.

CIRCIA: 72-hour reporting arrives for critical infrastructure

The second regime is broader. Under the Cyber Incident Reporting for Critical Infrastructure Act, known as CIRCIA, the Cybersecurity and Infrastructure Security Agency is finalizing rules that will require covered entities to report significant cyber incidents within 72 hours and any ransomware payment within 24 hours. CISA pushed the final rule deadline to May 2026 after a heavy public comment volume, so the obligation is landing on companies right now.

CIRCIA reaches far beyond utilities. The proposed scope covers wide swaths of healthcare, financial services, food and agriculture, transportation, and information technology, including many mid-market firms that never considered themselves critical infrastructure. Companies in scope need incident response plans that name who files the CISA report and who notifies the carrier, because both clocks start at discovery.

State level: the NAIC model law spreads to 28 jurisdictions

The third layer is state insurance regulation. The National Association of Insurance Commissioners maintains the Insurance Data Security Model Law, which requires licensed insurance entities to run a written information security program, oversee third-party service providers, maintain an incident response plan, and notify regulators of cybersecurity events. As of early 2026, at least 28 US jurisdictions have enacted a version of the model law.

The NAIC framework matters even to businesses outside the insurance industry, because it shows where state regulation is heading: mandated controls, vendor oversight, and event notification duties written into law rather than left to contract. Several states now pair these duties with safe-harbor statutes that reward documented security frameworks, which feeds directly into how underwriters price risk.

Underwriting news: the controls that are now mandatory

Five years ago a cyber application was a short questionnaire. In 2026 it is a security audit. Carriers now treat a baseline set of controls as conditions of coverage rather than nice-to-haves, and the recent news is how uniform that baseline has become across the market.

  • Multi-factor authentication on email, remote access, and privileged accounts. Firms that deploy MFA across critical systems report premium discounts averaging 18 to 22 percent from major carriers.
  • Endpoint detection and response tooling on servers and workstations, increasingly with a managed monitoring requirement.
  • Offline or immutable backups tested for restoration, the single control that most changes a ransomware outcome.
  • A written incident response plan with named roles, carrier contact information, and notification deadlines.

Applicants missing these controls face three outcomes, in descending order of frequency: higher premiums, coinsurance or sublimits on ransomware coverage, or outright declination. The good news inside the tighter underwriting is that the same controls reduce both the odds of an incident and the odds of a denied claim, since the carrier verified them at binding.

First-party versus third-party coverage, and why the mix is news

To follow the claims headlines you need the vocabulary underwriters use. Cyber policies split into two halves. First-party coverage pays the policyholder’s own losses: forensic investigators, data restoration, business interruption income, extortion response, and customer notification costs. Third-party coverage pays what the policyholder legally owes others after an incident: defense costs, settlements, regulatory fines where insurable, and payment card assessments.

First-party losses still make up roughly 62 percent of claim volume, which is why most buyers think of the policy as breach cleanup funding. The 2026 development is on the other half. Carriers report third-party claims rising as class actions follow disclosed incidents, a trend the SEC’s public disclosure requirement accelerates because every material breach now produces a public filing that plaintiff firms read the same day.

The buying implication: check both halves of the quote, not just the headline limit. A policy with a strong first-party tower but a thin liability sublimit matches the claims environment of 2020, not the one the current data describes. Ask specifically how the policy responds to regulatory proceedings under the SEC rule, CIRCIA, and state privacy statutes, because those response costs sit in different insuring agreements depending on the carrier.

Detail view of premium trends: eight quarters of cuts, then the turn
Premium trends: eight quarters of cuts, then the turn

What a quote costs and what moves the price

Budget expectations, since news about rate percentages means little without a base price. Marketplace data across carriers puts small business cyber coverage near $145 per month on average for standalone policies, with well-controlled, low-revenue firms quoting below $100 per month and firms in data-heavy industries quoting several times that. Mid-market pricing scales with revenue, record counts, and industry class.

Five variables move the number more than anything else. Revenue sets the exposure base. Industry sets the threat model, with healthcare, finance, and professional services priced highest. Record counts drive notification and liability costs. Claims history follows the account for three to five years. And the four baseline controls, MFA, EDR, tested backups, and a response plan, act as the multiplier, with MFA alone worth the documented 18 to 22 percent discount at major carriers.

Tip: ask your broker for the carrier’s control checklist before the application, not after. Closing MFA and backup gaps first routinely earns the documented 18 to 22 percent discount and avoids mid-term exclusions.

Deductibles give buyers a lever. Moving from a $2,500 retention to $10,000 typically cuts premium meaningfully for a small firm, and a firm with tested backups can carry the higher retention with confidence because its worst-case downtime is shorter. As with every line, the cheapest quote is rarely the best contract; wording on ransomware coinsurance and system-failure coverage varies more between carriers than price does.

The small business gap: 72 percent still uninsured

The most stubborn number in the industry data: roughly 72 percent of small businesses carry no cyber coverage. Surveys consistently find owners assume they are too small to target, yet claim data shows attackers concentrate on exactly the firms with weak defenses and no incident budget. An average claim of $221,000 is survivable for an enterprise and existential for a 20-person company.

Pricing is not the real barrier. Small business cyber policies frequently start around $145 per month, and package policies bundle cyber with the general liability coverage most firms already buy. The barrier is awareness, which is why carriers, agents, and even the Insurance Information Institute keep publishing plain-language explainers aimed at first-time buyers. For a small firm comparing quotes, the same fundamentals covered in our guide to business insurance cost apply to the cyber line: price follows revenue, industry, and controls.

What the 2026 news means for your renewal

Put the developments together and a clear playbook emerges for anyone renewing or buying coverage this year. None of this is exotic; all of it is the direct consequence of the numbers above.

  • Renew early rather than late. With S&P Global Ratings projecting 15 to 20 percent increases in 2026, a renewal bound before the hardening spreads locks current pricing for a full term.
  • Close the four baseline controls first. MFA, EDR, tested offline backups, and a written response plan move premiums down and denial risk with them.
  • Verify the application line by line. Over 40 percent of denied claims trace to control gaps, late notice, or exclusions. Never let an application overstate your security posture.
  • Map your reporting duties. Public company: the SEC 4 business day disclosure. Critical infrastructure: CIRCIA’s 72-hour incident and 24-hour ransom payment reports. Insurance licensee: your state’s NAIC-based notification law.
  • Check limits against real severity. A $1 million limit looked generous when average claims ran $100,000. Against a $508,000 average ransomware loss, it is the practical minimum for a mid-size firm.

The 2026 cyber market at a glance

IndicatorLatest figureSource and year
Global premium, 2024$15.3 billionIndustry aggregate, 2024
Global premium, 2026 projection~$16.6 billionMunich Re, 2026
Market forecast, 2028~$22 billionMunich Re, 2026
US rate forecast, 2026+15 to 20%S&P Global Ratings, 2026
Average claim severity$221,000At-Bay InsurSec Report, 2026
Average ransomware claim$508,000 (+16%)At-Bay InsurSec Report, 2026
Ransomware share of large claims~60% by valueAllianz Commercial, 2025
Claims denied40%+Industry claim reviews, 2025
Small businesses uninsured~72%Industry surveys, 2025
MFA premium discount18 to 22%Carrier underwriting data, 2026

Treat the forecasts in this table as informed opinion and the disclosure rules as binding law. The distinction matters when you plan budgets: a rate forecast can miss, but a 72-hour reporting duty will not wait.

How to read cyber insurance news without getting misled

One caution before the questions and answers. Cyber statistics circulate widely and lose their context along the way. A number like “40 percent of claims denied” comes from specific claim reviews with their own definitions; a market forecast belongs to the analyst who published it, which is why every figure above carries its source and year. When a headline number appears without an organization behind it, treat it as marketing until proven otherwise.

Second caution: national averages hide enormous spread. A dental practice with patient records and a manufacturer with operational technology face different threat models, different policy wordings, and different prices. Averages set expectations; only a quote against your own risk profile sets a budget. Our breakdown of the best small business insurance shows the same principle across every coverage line.

Frequently asked questions

Are cyber insurance rates going up in 2026?

That is the consensus forecast. S&P Global Ratings projects increases of 15 to 20 percent in 2026 after two years of falling prices, driven by record claim severity and resurgent ransomware. Individual results vary: firms with strong, documented controls still command competitive terms, and some well-defended accounts will renew flat even in a hardening market.

What is the average cyber insurance claim in 2026?

At-Bay’s 2026 InsurSec Report puts average claim severity at $221,000 across all incident types, an all-time high. Ransomware claims average $508,000, up 16 percent year over year. Both figures are averages across a carrier’s book; a single severe event at a larger firm can run into the millions.

What new cyber reporting rules apply in 2026?

Three regimes dominate. The SEC requires public companies to disclose material incidents within 4 business days of a materiality determination. CIRCIA, administered by CISA with the final rule due in May 2026, requires covered critical infrastructure entities to report significant incidents within 72 hours and ransom payments within 24 hours. And at least 28 jurisdictions have enacted the NAIC Insurance Data Security Model Law for insurance licensees.

Why do cyber insurance claims get denied?

Industry reviews find more than 40 percent of claims are denied, most often for three reasons: security controls that did not match the application, notice given after the policy deadline, and exclusion clauses such as war or prior-known-incident carve-outs. Accurate applications, immediate carrier notice, and a pre-signing exclusion review prevent the large majority of denials.

Does a small business really need cyber coverage?

Around 72 percent of small businesses have none, yet the average claim of $221,000 exceeds what most small firms can absorb. Attackers favor small targets precisely because defenses are thinner. With entry pricing commonly near $145 per month and discounts of 18 to 22 percent for MFA adoption, coverage is usually far cheaper than the uninsured loss.

About the author and sources

Marcus Bedroix writes plain-English business coverage guides for InsuranceZenith, working directly from carrier filings, rating-agency reports, and regulator publications. This report draws on the At-Bay 2026 InsurSec Report, S&P Global Ratings’ 2026 cyber market outlook, Munich Re’s cyber trends research, Allianz Commercial’s 2025 cyber risk update, Insurance Journal market reporting, and primary rule texts from the SEC, CISA, and the NAIC. Where a figure could not be traced to a named organization, it was left out.

This report covers market data and regulatory developments for general information; it is not individualized advice. Figures are attributed to their publishing organizations and reflect the periods cited. Before buying, changing, or relying on any coverage, consult a licensed insurance advisor or broker who can evaluate your specific exposure.