Cyber insurance keeps sprinting to match a threat environment that mutates every quarter, and it still feels behind the curve.
Barrett Wills, SVP for cyber at CAC Specialty, told Insurance Business magazine that cyber threat actors aren’t just getting sharper – they’re running more like specialised crews. Some groups focus purely on exfiltration. Others flip stolen data for cash.
The division of labour speeds up attacks and makes them weirder to forecast, especially as double extortion, supply-chain failures and AI-driven tools widen the surface.
Underwriters have tightened standards, reworked sector views and tried to keep pace with whatever made headlines last year. Retail firms in the UK took several hits in tight succession, and healthcare in the US remains under a regulatory microscope.
According to Beinsure, the spread of incidents across wildly different sectors shows how messy cyber segmentation has become.
Even so, clients aren’t walking the same path. SMEs want simple answers – what’s covered, what isn’t, and what they must fix.
Large enterprises come in with acquisition-driven exposure shifts or business-model changes that force brokers to rewrite manuscript wordings mid-cycle.
Mature buyers push for upgrades when past claims went sideways or wording gaps left them exposed. They don’t forget those moments.
The infrastructure backdrop complicates things further. Networks that once stood separate now blend with vendor systems, especially where OT environments used to sit in their own bubble.
That isolation is fading. Connectivity gives threat actors more endpoints to poke and, frankly, more chances to get lucky.
Wills says these changes pushed CAC Specialty to build a cyber peril pro form aimed at utility and energy clients – a patch for exposures that hadn’t been well served by existing covers.
The market itself has grown up, to a point. Cyber no longer hides inside property and casualty policies; it stands as its own cover with affirmative grants rather than vague silence.
But maturity doesn’t mean ready. Before the hard market, many carriers wrote business with barely any security controls. That era’s gone.
Insurers now expect minimum safeguards, and those bar levels shift depending on sector, company size and the limits requested.
Education remains the anchor. Wills says clients need a clear picture of both the upside and the downsides of emerging tech, especially AI systems that can harden defences or blow them open.
Maybe that’s the only stable rule in cyber: staying ahead depends as much on understanding how exposure changes next month as on what the attackers did yesterday.
