A new report reveals the top three cyber incidents that account for a majority of reported claims: 

1. Data breaches (33.5%)
2. Cybercrime (31.8%)
3. Extortion events (18.3%)

This data comes from Cowbell’s 2026 Claims Report, which assesses claims made to the organization within the last 18 months.

“With geopolitical tensions and AI innovation defining the cyber threat landscape, the cyber insurance industry is feeling the impact,” the report states. 

According to an AM Best Report, U.S. cyber insurance premiums decreased to $9.14B; however, claims increased by 40%. Cowbell’s report asserts that this trend is “signaling increased loss activity despite reduced premium volume,” which indicates a more active risk environment. 

Below, security leaders share their insights on these findings. 

Security Leaders Weigh In 

Rich Seiersen, Chief Risk Technology Officer at Qualys:

Cyber insurance moves in cycles, wavering between hard and soft markets.

Most analysts anticipate moderate hardening: gradual premium increases, more selective underwriting, and closer attention to security controls. However, it’s doubtful that we’ll return to the severity of previous hard markets, when applicants faced comprehensive questionnaires and long-lasting underwriting delays. A major wildcard is the possibility of a systemic cyber event — a cloud outage, widespread supply-chain compromise, or high-impact ransomware wave that hits many insureds at the same time. An event like this could push the market into a sharper hardening cycle. Still, it’s imperative to recognize that insurance pricing is shaped just as much by macroeconomic factors, such as interest rates, capital flows, and reinsurance pricing, as it is by cyber-specific incidents. Losses matter, but wider financial conditions often dominate the cycle.

This environment also influences how CISOs should think about cyber insurance as part of a coordinated risk-management strategy. Increasingly, CISOs are partnering with CFOs to treat cyber insurance not as a compliance checkbox, but as one component of a broader risk-financing portfolio. With many organizations undergoing rapid digital and AI-driven transformation, this may be a perfect time to reassess the balance between risk transfer (insurance) and risk reduction (controls).

There is meaningful opportunity here for forward-looking companies:

• Firms with strong security postures can often secure more favorable coverage and larger limits without dramatically increasing cost.
• Brokers and underwriters are actively looking for ways to differentiate good risks from poor ones, and software platforms that provide clearer visibility into controls and exposure can help insurers deploy capital more efficiently without damaging their loss ratios.
• For buyers, this creates room to increase coverage economically during a softening cycle, while simultaneously improving resilience.

The challenge is that today’s soft market means buyers have low tolerance for friction. Any security-oriented underwriting tools must be lightweight, fast, and aligned with the realities of the purchasing process. But as the market gradually tightens, organizations that invest early in transparency and measurable security posture may find themselves with more options, and leverage, when seeking coverage.

Randolph Barr, Chief Information Security Officer at Cequence Security:

AI is rapidly evolving from simple automation to deeply personalized, context-aware assistance—and it’s heading toward an Agentic AI future where tasks are orchestrated across domains with minimal human input.

In the haste to bring AI to market quickly, engineering and product teams often cut corners to meet aggressive launch timelines. When that happens, basic security controls get skipped, and those shortcuts make their way into production. So, while organizations are absolutely starting to think about model protections, prompt injection, data leakage, and anomaly detection, those efforts mean little if you haven’t locked down identity, access, and configuration at a foundational level.

Cybersecurity must be part of the development lifecycle from the beginning.

Diana Kelley, Chief Information Security Officer at Noma Security: 

Insurers have moved from self-attestation toward evidence-based underwriting. For traditional cyber risk, that still means strong baseline cyber hygiene, including enforced multi-factor authentication (MFA) for cloud and privileged access, comprehensive and tested backups, endpoint detection and response with 24x7 monitoring, vulnerability management with documented SLAs, and regularly exercised incident response plans. What has changed over the past year is how rigorously insurers expect those controls to be proven, not just described.

What is emerging alongside that is a parallel shift around AI risk. Insurers are increasingly concerned about AI as a source of systemic, aggregated loss. The concern is not just individual failures, but correlated loss driven by shared models, platforms, and agent frameworks. There has already been real financial and regulatory harm from AI failures, including deepfake-enabled fraud, IP exposure through public LLMs, and automated systems making unsafe or noncompliant decisions. As a result, some carriers are exploring AI-related exclusions, while others are beginning to underwrite AI risk explicitly by evaluating the strength of an organization’s AI security and governance controls.

If organizations cannot demonstrate these requirements, the consequences can show up in several ways. At underwriting time, it can mean higher premiums, higher retentions, ransomware or business interruption sublimits, or exclusions tied to AI-driven incidents. Post-incident, claims can be reduced or denied if an organization represented that controls existed but cannot produce evidence that they were enforced and operating as described. Cyber and AI insurance are increasingly conditional products, and without proof, the policy may not respond or pay out as expected when it matters most.

James Maude, Field CTO at BeyondTrust: 

In order to effectively deal with ransomware and other threats, we need to invest in shifting left and think more about securing identities and access to reduce our attack surface and blast radius in the event of compromise rather than just thinking post breach. Ransomware and other threats are only as effective as the privileges and access they manage to acquire so if we can implement better hygiene and focus on least privilege then the threat actors are far less likely to ransomware us in the first place.