

With AI-powered attacks growing more sophisticated and premiums set to rise sharply in 2026, a cybersecurity specialist says businesses that treat insurance as an afterthought are taking an increasingly costly gamble.
A significant shift has taken place in how businesses approach cyber risk. According to figures from the cyber insurance statistics report, 62 percent of companies worldwide now hold a cyber insurance policy – up from 49 percent just twelve months earlier. The pace of that change reflects a growing recognition that digital threats have moved beyond the reach of technical defences alone.
Danny Mitchell, a cybersecurity writer at Heimdal Security, says the mindset change is overdue. “Cyber insurance was once an afterthought, but today it’s a strategic pillar of risk management,” he said. “Whether you’re a start-up or a multinational, you’re operating in a digital battlefield where attackers are faster, smarter, and often automated.”
A Maturing Market Facing Fresh Pressure
The global cyber insurance market reached $20.56 billion in 2025. Growth has moderated from the 31 percent annual rate recorded between 2017 and 2022, largely because the pool of uninsured businesses has shrunk considerably. Premiums are currently around six percent below their 2024 level and 22 percent below the 2022 peak – a period when intense ransomware activity drove insurers to reprice risk aggressively.
That relative affordability window appears to be closing. Analysts project premium increases of between 15 and 20 percent in 2026, driven by the growing capability and accessibility of AI-powered attack tools.
“Prices dipped because claims fell, but as AI makes attacks faster and more targeted, expect those savings to disappear,” Mitchell said. “What you save today on premiums could cost ten times more in the next data breach.”
Who Is Covered – and Who Isn’t
Adoption patterns vary considerably depending on how company size is measured and which market is examined. Swiss Re data suggests that 60 to 70 percent of large corporations with revenues above $1 billion hold coverage, compared with 40 to 50 percent of mid-market firms and just 10 to 20 percent of small and medium-sized enterprises globally.
UK government survey data presents a different picture, with small businesses (62 percent) and medium-sized firms (65 percent) more likely to be insured than large enterprises (53 percent). Mitchell attributes the relative hesitancy among larger organisations to an over-reliance on internal security teams.
“Cybercriminals don’t discriminate by company size – they follow the path of least resistance,” he said. “Smaller firms recognise that one successful attack could shut them down entirely. Larger organisations sometimes feel self-sufficient until they aren’t.”
What Is Driving Demand
Three categories of attack account for the bulk of the growth in claims and, by extension, the growing urgency around insurance: AI-generated phishing, ransomware, and business email compromise. Ransomware alone represents 60 percent of all large cyber insurance claims. The manufacturing sector generated the highest claim volume in 2025, accounting for 33 percent of the annual total.
Regulatory pressure is adding a further layer of urgency, particularly in finance, healthcare, and manufacturing, where data protection requirements are tightening. In these sectors, carrying insurance is increasingly functioning as a compliance consideration rather than a discretionary one.
“AI scams have changed the landscape completely,” Mitchell said. “You no longer need a sophisticated attacker to pull off a multi-million dollar breach. Anyone with access to AI tools can replicate authentic emails or voices in seconds. Cyber insurance isn’t a substitute for strong defences – it’s the buffer between an incident and insolvency.”
The Financial Stakes of Going Without
Despite a 50 percent fall in overall claim numbers in 2025, the cost of individual successful attacks has continued to climb. Average global claim sizes now stand at $115,000, with notable regional variation: $108,000 in the United States, $226,000 in Canada, and $35,000 in the United Kingdom. By company size, average losses run to $79,000 for small businesses and $228,000 for large enterprises. In healthcare and manufacturing, individual ransomware claims have reached $631,000.
The longer-term return-on-investment case is compelling. Insurer Howden estimates that covered firms achieve a 19 percent return on their insurance spend, with potential savings of €16 million over a decade for a mid-sized enterprise. Research from Allianz found that insured companies saw losses grow by 70 percent over four years – compared with 250 percent for those without coverage.
Reading the Small Print
Mitchell cautions that the protective value of a policy depends heavily on how it is written. Some policies exclude social engineering attacks – the category that underlies the majority of significant breaches – classifying them as human error rather than an insurable cyber incident. Businesses that discover this distinction only after filing a claim have effectively paid for coverage they cannot use.
Standard modern policies typically cover ransomware and extortion costs, business interruption losses, legal expenses, regulatory fines, forensic investigation, data restoration, and public relations support. Whether a specific incident falls within those parameters depends on the precise language of the policy.
“Companies must read the fine print and match their policies to their actual risk profile,” Mitchell said. “Otherwise, they’re paying for protection they might not get.”
Insurance and Cybersecurity as Complements
Mitchell’s consistent message is that insurance and proactive security are not alternatives – organisations that carry coverage tend, in practice, to invest more in defences, training, and regular audits. The two reinforce each other.
“Don’t wait for an attack to expose the gaps,” he said. “Pair strong cybersecurity defences with a well-structured insurance policy. Proactivity is the only real protection left in 2025.”