42 Cyber Insurance Statistics for 2026 — Premiums & Claims Data

The cyber insurance market has undergone a dramatic transformation over the past three years. Premiums stabilized in 2025 after two years of aggressive rate increases, but underwriting requirements have become far more stringent. Insurers now demand specific security controls — MFA, EDR, offline backups, incident response plans — as baseline conditions for coverage. Businesses that can't demonstrate these controls face policy exclusions, higher deductibles, or outright denial.

This article compiles 42 cyber insurance statistics drawn from Munich Re, Swiss Re, Marsh McLennan, Coalition, Gallagher, AM Best, and the National Association of Insurance Commissioners (NAIC). For the broader threat landscape driving these costs, see the 75 cybersecurity statistics for 2026. These numbers reflect where the market stands in 2026 and what businesses need to know about coverage, cost, and claims.

Cyber Insurance Market Size & Growth

1. The global cyber insurance market is projected to reach $16.6 billion in gross written premiums in 2026, up from $14 billion in 2025 (Munich Re, 2026 Cyber Risk Report).

2. Munich Re forecasts the market will hit $22 billion by 2028, representing a compound annual growth rate of roughly 15% from 2024 levels.

3. North America accounts for 67% of global cyber insurance premiums, with the U.S. alone making up $10.2 billion of the total (Swiss Re).

4. The European cyber insurance market grew 28% year-over-year in 2025, driven by NIS2 directive compliance requirements that took full effect in late 2024 (Marsh McLennan).

5. Asia-Pacific cyber insurance penetration remains below 5% of eligible businesses, compared to 35% in the U.S. — the largest untapped market globally (Swiss Re).

6. Standalone cyber insurance policies now make up 72% of all cyber premiums, overtaking packaged endorsements which dropped to 28% (AM Best, 2025 Market Segment Report).

7. The combined ratio for U.S. cyber insurance improved to 65.4% in 2025, making it one of the most profitable lines of commercial insurance (Fitch Ratings).

Premium Pricing & Rate Trends

8. Average cyber insurance premiums declined 6% in 2025 after rising 50% in 2022 and 28% in 2023 — the first meaningful rate decrease since the market hardened in 2020 (Marsh Global Insurance Market Index).

9. For businesses with fewer than 250 employees, median annual cyber insurance premiums sit at $1,740 in 2026, down from $2,100 in 2024 (Coalition Cyber Claims Report). That's still a meaningful line item in SMB IT budgets that average $10,400 per employee.

10. Businesses in healthcare pay 42% more in cyber insurance premiums than the cross-industry median, reflecting the sector's elevated breach costs and regulatory exposure (Gallagher).

11. Companies that deploy MFA across all critical systems receive premium discounts averaging 18-22% from most major cyber insurers (Coalition).

12. Deductibles for ransomware events increased to a median of $25,000 for SMBs and $100,000 for mid-market firms, up 40% from 2023 (Marsh McLennan).

13. Retention rates for cyber insurance renewals hit 89% in 2025, indicating that businesses view coverage as essential rather than optional (AM Best).

Claims Frequency & Severity

14. Claims frequency increased 12% in 2025, driven primarily by ransomware and business email compromise (BEC) incidents (Coalition Cyber Claims Report, H2 2025).

15. The average cyber insurance claim payout reached $118,000 in 2025, up from $96,000 in 2024 (NetDiligence Cyber Claims Study).

16. Ransomware accounted for 28% of all cyber insurance claims in 2025, but represented 52% of total claims costs due to higher severity (Coalition). Our 40 ransomware statistics for 2026 detail the full cost and frequency picture driving these claims.

17. Business email compromise (BEC) was the most frequent claim type at 33% of all claims filed, though average payouts were lower at $68,000 (Coalition).

18. Funds transfer fraud claims — where attackers redirect wire payments — averaged $285,000 per incident, making it the highest-severity non-ransomware claim type (Marsh McLennan).

19. First-party breach response costs (forensics, notification, credit monitoring) averaged $410,000 per incident for mid-market companies (NetDiligence).

20. Only 41% of cyber insurance claims involved an actual data exfiltration event — the rest were system outages, ransomware without data theft, or BEC (Corvus Insurance).

Claim Denials & Coverage Gaps

Denial Reason	% of Denials	Preventable?
Failure to maintain stated security controls	34%	Yes — audit regularly
Late notification of incident	22%	Yes — report within 72 hours
War/nation-state exclusion applied	16%	Partially — review exclusions
Pre-existing vulnerability not disclosed	14%	Yes — full asset inventory
Policy sublimit exhausted	9%	Review sublimits at renewal
Other	5%	Varies

21. Approximately 21% of cyber insurance claims were denied or partially denied in 2025, up from 15% in 2023 (Deloitte, Global Insurance Outlook). Denial rates correlate with rising breach costs — according to IBM's Cost of a Data Breach Report, the global average breach now exceeds $4.88 million, putting enormous pressure on both insurers and policyholders.

22. The most common denial reason — failure to maintain stated security controls — accounted for 34% of all denials. Insurers increasingly verify that the controls declared in applications are actually in place at the time of the incident.

23. War and nation-state exclusion clauses were invoked in 16% of denied claims, a number that continues to rise as attribution of cyberattacks to state actors becomes more common (Lloyd's Market Association).

24. Only 38% of small businesses have cyber insurance as of 2026, compared to 78% of mid-market and 92% of enterprise organizations (NACD/Marsh Survey).

25. Among insured businesses, 44% are underinsured — their coverage limits are less than half their estimated maximum breach cost (Advisen).

Underwriting Requirements in 2026

Insurers have evolved from simple questionnaires to active security verification. Here's what underwriters now require or strongly prefer:

26. 96% of cyber insurers now require multi-factor authentication on all remote access, email, and privileged accounts as a non-negotiable condition of coverage (Marsh McLennan, 2025).

27. 88% of underwriters mandate endpoint detection and response (EDR) tools across all managed devices — basic antivirus alone is no longer sufficient for policy approval (Coalition).

28. 73% of insurers now conduct external vulnerability scans of applicant networks before issuing or renewing policies (Corvus Insurance).

29. Organizations using a managed IT services provider for security operations received 14% lower premiums on average compared to those relying solely on internal IT staff (Gallagher).

30. 82% of policies now include requirements for offline or immutable backup systems — up from 45% in 2022 — as a direct response to ransomware actors targeting backup infrastructure (Munich Re).

Ransomware & Cyber Insurance

31. Only 29% of insured organizations that experienced ransomware in 2025 chose to pay the ransom, down from 46% in 2022 — a direct result of better backup practices mandated by insurers (Coveware).

32. The median ransom payment for insured organizations was $345,000 in 2025, compared to $568,000 for uninsured victims — insurers' breach coaches negotiate lower payments (Coveware).

33. 58% of cyber insurance policies now include sub-limits on ransomware payments, capping coverage at 50-75% of the overall policy limit (Marsh McLennan).

34. Insurers reported that policyholders with strong security compliance programs experienced 65% fewer ransomware incidents than those meeting only minimum underwriting requirements (Munich Re).

35. 12 U.S. states now have active or pending legislation that would restrict or ban ransomware payments, creating tension with insurance coverage provisions (NAIC, 2025 Legislative Tracker).

Industry-Specific Data

36. Healthcare organizations filed 340% more cyber insurance claims per capita than the cross-industry average in 2025, driven by the sector's high breach costs and regulatory notification requirements (NetDiligence).

37. Financial services firms paid an average cyber insurance premium of $28,500 per year for $5M in coverage, compared to $18,200 for professional services firms with the same limit (Gallagher).

38. Manufacturing cyber insurance claims grew 56% year-over-year in 2025, reflecting the surge in operational technology (OT) attacks targeting industrial control systems (Coalition).

39. The education sector had the highest claims denial rate at 27%, primarily due to underfunded security programs failing to meet underwriting requirements (Advisen).

Future Outlook

40. By 2028, an estimated 60% of cyber insurance underwriting will rely on real-time telemetry from policyholders' security tools rather than annual questionnaires (Gartner).

41. AI-generated deepfake fraud is expected to produce $2.1 billion in cyber insurance claims by 2027, a category that barely existed before 2024 (Swiss Re).

42. Munich Re predicts that systemic cyber events — single incidents affecting thousands of organizations simultaneously — will produce an insured loss exceeding $10 billion before 2030, fundamentally reshaping how cyber risk is pooled and priced.

What These Numbers Mean for Your Business

The data tells a clear story: cyber insurance is no longer optional for any business handling sensitive data or relying on digital infrastructure. But coverage alone isn't enough — the 21% denial rate shows that insurers expect you to actually maintain the security controls you declare in your application.

The businesses getting the best outcomes — lower premiums, fewer denials, faster claim payouts — share three traits:

• They work with managed IT providers who maintain the security controls insurers demand (MFA, EDR, patched systems, tested backups)
• They review their policies annually to ensure coverage limits match actual risk exposure
• They document everything — incident response plans, security configurations, employee training records — because that documentation is what saves claims from denial

If your organization needs help meeting the security requirements that cyber insurers mandate in 2026, Medha Cloud's managed IT services include the full stack of controls — from MFA enforcement and EDR deployment to security compliance monitoring and tested backup restoration. These aren't nice-to-haves anymore. They're the baseline that determines whether your policy actually pays when something goes wrong.

Sources: Munich Re, Swiss Re, Marsh McLennan, Coalition, Howden, Delinea, IBM Cost of a Data Breach Report 2025, Sophos State of Ransomware 2025.