As AI-powered attacks grow more sophisticated and claim costs continue to rise, a cybersecurity specialist argues that insurance and strong defences must go hand in hand.
The proportion of businesses holding cyber insurance has climbed sharply, with 62 percent of companies worldwide now carrying a policy – up from 49 percent just a year earlier, according to figures cited by Heimdal Security. The shift reflects a broader change in how organisations are approaching digital risk: less as a technical problem to be solved and more as an ongoing financial exposure to be managed.
Danny Mitchell, a cybersecurity writer at Heimdal Security, says the trend is being driven by the growing sophistication and accessibility of attack tools. “Cyber insurance is no longer seen as optional – it’s fast becoming a cornerstone of modern business resilience,” he said.
A $20 Billion Market Recalibrating After a Turbulent Few Years
The global cyber insurance market reached $20.56 billion in 2025, though growth has moderated from the 31 percent annual rate recorded between 2017 and 2022 – a reflection, in part, of how many firms are already covered. Premiums are currently around six percent lower than in 2024 and 22 percent below their 2022 peak, after a period of intense ransomware-related losses prompted insurers to reprice risk significantly.
That relative affordability may be short-lived. Analysts are projecting premium increases of between 15 and 20 percent in 2026 as AI-driven attacks become faster and more targeted.
“Prices dipped because claims fell, but as AI makes attacks faster and more targeted, expect those savings to disappear,” Mitchell said. “What you save today on premiums could cost ten times more in the next data breach.”
Who Is – and Isn’t – Buying Coverage
Adoption rates vary considerably by company size, though not always in the direction one might expect. Data from Swiss Re suggests that 60 to 70 percent of large corporations with revenues above $1 billion carry coverage, compared with 40 to 50 percent of mid-market firms and just 10 to 20 percent of small and medium-sized enterprises globally.
UK government survey data presents a notably different picture, however, with 62 percent of small businesses and 65 percent of medium-sized firms covered, compared with 53 percent of large enterprises.
Mitchell attributes the relative hesitancy among larger organisations to a sense of self-sufficiency. “Larger organisations often have internal teams and feel self-sufficient,” he said. “But cybercriminals don’t discriminate by company size – they follow the path of least resistance.”
What Is Driving Demand
Three categories of attack account for the bulk of claims growth: AI-generated phishing, ransomware, and business email compromise. Ransomware alone accounts for 60 percent of all large cyber insurance claims, with the manufacturing sector generating the highest volume of claims in 2025 at 33 percent of the annual total.
Regulatory pressure is adding a further push. In finance, healthcare, and manufacturing – all sectors subject to increasingly strict data protection requirements – cyber insurance is beginning to function as a compliance consideration rather than a discretionary purchase.
“AI scams have changed the landscape completely,” Mitchell said. “You no longer need a sophisticated hacker to pull off a multi-million dollar breach. Anyone with access to AI tools can replicate authentic emails or voices in seconds.”
The Financial Case for Coverage
While overall cyber insurance claims fell by 50 percent in 2025, the cost of individual successful attacks has continued to climb. Average global claim sizes now stand at $115,000, with significant regional variation: $108,000 in the United States, $226,000 in Canada, and $35,000 in the United Kingdom. By company size, average losses run to $79,000 for small firms and $228,000 for large enterprises. In healthcare and manufacturing, individual ransomware claims have reached $631,000.
The longer-term return-on-investment figures are striking. Insurer Howden estimates that covered firms achieve a 19 percent return on their insurance investment, with potential savings of €16 million over a decade for a mid-sized enterprise. Research from Allianz found that insured companies saw losses increase by 70 percent over four years, compared with 250 percent for their uninsured counterparts.
Reading the Fine Print
Mitchell cautions that not all cyber insurance policies offer equivalent protection. Some exclude social engineering attacks – the category that underlies the majority of significant breaches – classifying them as human error rather than a covered cyber incident.
“Companies must read the fine print and match their policies to their actual risk profile,” he said. “Otherwise, they’re paying for protection they might not get.”
Standard modern policies typically cover ransomware and extortion costs, business interruption losses, legal expenses, regulatory fines, forensic investigations, data restoration, and public relations support. Whether a specific incident falls within those parameters depends heavily on how the policy is worded.
Insurance as One Layer, Not a Complete Solution
Mitchell’s overarching message is that cyber insurance and proactive cybersecurity are not alternatives – they are complements. Organisations that carry insurance tend, in his observation, to also invest more in defences, staff training, and regular security audits.
“Insurance isn’t a silver bullet, but it gives you breathing room when the worst happens,” he said. “Pair strong cybersecurity defences with a well-structured insurance policy. Don’t wait for an attack to expose the gaps. Proactivity is the only real protection left in 2025.”