Lyrie Industry Analysis
By Lyrie Research Division · 5/5/2026

TL;DR

The global cyber insurance market hit $15 billion in 2025 and is on a trajectory to reach $28 billion by 2030 — but the structural foundations are creaking. At-Bay's 2026 InsurSec Report, drawn from 6,500+ claims and 100,000 policy years, reveals a market facing a concentration crisis: a single ransomware crew (Akira) exploiting a single firewall brand (SonicWall) now drives nearly half of all ransomware insurance claims. Meanwhile, U.S. premiums are rising on volume rather than pricing power, war exclusions are widening the coverage gap for nation-state attacks, 50% of SMBs remain critically underinsured, and AI is making underwriting materially harder. The market is profitable — for now. But it is one catastrophic correlated event away from a structural correction that most policyholders don't see coming.


Background: The Market Looks Healthy. Don't Be Fooled.

On the surface, the cyber insurance industry is booming. Munich Re's fourth annual Global Cyber Risk and Insurance Survey, published April 22, 2026, surveyed 9,500 respondents across 20 countries and paints an optimistic picture: cyber resilience is now a boardroom-level priority, and the market is growing at a 15% CAGR between 2020 and 2030. Fitch Ratings confirmed that U.S. cyber insurance direct written premiums rose nearly 11% in 2025, ending two consecutive years of decline.

But dig below the headline numbers and the picture changes fast.

The premium growth is not price-driven. Fitch's data shows that aggregate pricing actually softened in 2025 — the 11% revenue increase came almost entirely from a ~34% surge in policies in force. That means the market expanded its exposure base significantly while charging less per unit of risk. In any other insurance class, this would trigger alarm bells. In cyber, it is being treated as validation.

The competitive dynamics driving soft pricing are real: more carriers, more MGAs, and more reinsurers are entering a market they believe has favorable long-run economics. But they're underwriting a risk landscape that is shifting faster than their pricing models can track.


The Akira/SonicWall Revelation: Concentration Risk Goes Critical

At-Bay's 2026 InsurSec Report landed quietly in late April 2026, but its findings should be required reading for every CISO, CFO, and underwriter in the industry.

The headline finding: 73% of ransomware incidents in 2025 began with VPN compromise — a figure that has nearly doubled in two years. More striking still, SonicWall appliances appeared in 27% of all ransomware-related claims analyzed, making them the single most frequently targeted VPN technology for the first time ever.

The driver of that concentration? Akira ransomware, which At-Bay identifies as accounting for more than 40% of ransomware claims — the highest single-strain concentration ever recorded in the firm's dataset. Of Akira's victims in At-Bay's data, 86% were running SonicWall devices. The group wasn't choosing victims by industry, size, or security sophistication. They were running automated scanning infrastructure across the entire internet looking for a specific device type with a specific vulnerability profile, and then attacking everything they found.

The economics of this approach were devastating:

  • Average Akira ransom demand: $1.2 million — approximately 50% higher than other groups
  • Average severity across all ransomware: $508K, up 16% year-over-year
  • Remote access tools involved in 87% of claims
  • Business interruption losses 3× higher than direct ransom costs
  • 1 in 10 victims experienced downtime exceeding 30 days
  • Third-party liability claims up 70% year-over-year

Adam Tyra, At-Bay's CISO for Customers, framed it plainly: "The single biggest determinant of your ransomware risk last year wasn't your industry, your size, or even your security budget. It was whether you operated a specific type of network appliance."

This is not how underwriters model risk. Traditional cyber actuarial models assume broadly distributed, largely uncorrelated losses across a diversified portfolio. What At-Bay is describing is something closer to a single-point-of-failure scenario at industrial scale — one group, one device class, one exploit chain, generating almost half the claim volume in a multi-billion-dollar insurance portfolio.

For the industry, the implications are structural. If Akira-style concentration emerges with a more catastrophic payload — something closer to NotPetya in scope rather than ransomware with negotiated decryptors — the correlated loss event that reinsurers have feared for a decade becomes real.


The War Exclusion Problem: The Coverage You Think You Have, You Don't

While the Akira concentration risk is the most immediate concern, the longer-term structural threat to the cyber insurance market is the expanding landscape of exclusions.

Lloyd's of London's 2023 mandate requiring all syndicates to include state-sponsored cyberattack exclusions has now fully permeated market policy language. The intent was defensible: insuring nation-state cyberwarfare is unbounded systemic risk, and requiring syndicates to carry unlimited exposure to Kremlin or PLA cyber operations is a recipe for insolvency. The execution, however, created a problem.

Attribution is not binary. The Lazarus Group operates for North Korea. Sandworm operates for Russia. LockBit took ransom payments while sheltering under Russian diplomatic protection. Akira may or may not have state adjacency. When an attack arrives — encrypted data, extortion demand, production systems offline — the victim's first call is to their insurer. The insurer's first question is increasingly: who did this? Attribution that takes months of forensic work is now a coverage condition that takes minutes at claim filing.

Insurers are adopting what practitioners are calling "prior knowledge" clauses, "known vulnerability" exclusions, and now "state nexus" riders that allow carriers to deny claims if the government of any nation was "materially involved" in developing the exploit — a standard that, applied to commodity tooling, could theoretically void coverage on any attack using techniques originally developed by intelligence agencies.

The practical result: the attack scenarios most likely to cause catastrophic losses are increasingly excluded from coverage. The scenarios for which coverage is available — attritional ransomware, BEC, accidental data breach — remain covered but are being priced at a race-to-the-bottom in a soft market. The market is concentrating coverage in exactly the wrong place.


The SMB Underinsurance Gap: $15 Billion in Annual Unprotected Exposure

At-Bay's data reveals another dimension that the aggregate market statistics obscure: smaller organizations are being hit harder, more frequently, and with less cushion.

Businesses under $25 million in annual revenue experienced:

  • 21% increase in ransomware frequency year-over-year
  • 40% increase in ransomware severity year-over-year
  • Average ransomware loss of $422K — representing a life-altering proportion of annual revenue
  • 26% increase in overall claim severity across all incident types

Despite this exposure, Beinsure's 2026 analysis estimates that 50% of small and medium-sized businesses remain materially underinsured relative to their actual cyber risk exposure. The reasons are structural: limited procurement sophistication, budget constraints, and a broker market that has historically prioritized enterprise accounts.

The SMB underinsurance gap is, paradoxically, the market's biggest growth opportunity and its biggest systemic risk. If SMBs begin to encounter losses that their policies don't cover — because the coverage caps are too low, the deductibles too high, or the exclusions too broad — trust in cyber insurance as a category erodes. And unlike enterprise accounts, SMBs rarely have the legal firepower to challenge claim denials.


AI: Underwriting Headwinds in Both Directions

The AI dimension of the 2026 cyber insurance market is genuinely double-edged, and neither edge is reassuring for underwriters.

On the threat side, Beinsure's analysis specifically flags Anthropic's Mythos model series as a potential driver of materially increased cyberattack frequency. AI-assisted attack tools have reduced the skill floor for ransomware deployment and phishing campaigns, increasing the volume of the "attritional" loss category that policies are designed to absorb. Higher frequency means higher claim ratios even at stable severity.

On the defense side, AI improves detection, triage, and incident response. At-Bay's own data, showing that organizations combining EDR with 24/7 MDR had substantially better outcomes (stopping full encryption in the majority of cases), is a preview of what AI-augmented SOC coverage will look like in the next generation of policies. But those controls are not yet standard across the insured base, and they're not yet reflected in pricing differentials at the scale they should be.

The Fitch finding that the market stayed profitable despite rising loss ratios and AI-induced underwriting complexity is real — but it reflects the benefits of 2022-2023 hard market pricing that is now washing out of the book. The next two to three years will test whether AI-assisted underwriting tools can keep pace with AI-assisted attacker tooling.


Strategic Analysis: Where the Industry Goes From Here

Several structural forces are converging that make 2026-2028 a genuinely pivotal period for the cyber insurance market.

Aggregation risk is the existential threat. The CrowdStrike outage of July 2024 was a dress rehearsal. A correlated loss event — a single EDR vendor compromised, a ubiquitous cloud provider taken offline, a critical industrial protocol exploited at scale — could simultaneously trigger millions of policy claims within hours. Current accumulation modeling tools are not designed for this scenario, and the reinsurance treaties that backstop primary carriers almost certainly don't price for it correctly. Howden's 2026 warning that the market risks a "severe correction" if profitability continues to erode is the polite version of what private reinsurance discussions apparently involve.

Public-private backstops are becoming policy reality. The cyber war risk problem has pushed multiple governments toward TRIA-style (Terrorism Risk Insurance Act) frameworks for state-sponsored cyberattacks. If the U.S. Congress or EU institutions formalize a cyber catastrophe backstop, it will meaningfully change what private insurance can price and offer — particularly at the systemic risk end. The discussions are active but unresolved.

Consolidation is coming. The combination of soft pricing, rising claims, and complex AI-driven risk assessment will accelerate market consolidation. Carriers with specialized underwriting talent, deep claims data, and integrated InsurSec (insurance + security services bundled) models will absorb market share from generalists. At-Bay's own model — offering security tooling and monitoring as part of the insurance package, then using claims data to refine both — is the archetype. Expect more of this bundling.

Cyber insurance will increasingly function as a security audit. The trajectory of underwriting questions has been moving toward security verification for years. Expect mandatory control attestation, real-time network telemetry, and third-party security assessments as preconditions for coverage at the enterprise level within 24 months.


IOCs / Market Risk Indicators

Not a traditional IOC section — this is an Industry Analysis piece. Key risk signals to watch:

  • SonicWall VPN exposure inventory — If your organization or portfolio companies run SonicWall appliances without the latest patches and 24/7 MDR coverage, you are statistically Akira's target profile
  • Policy war exclusion language — Review whether "state nexus" language in your policy could void coverage on commodity ransomware using leaked NSA/GRU tooling
  • SMB sub-$25M revenue segment — If this is your customer base, your cyber insurer's claims data says you have materially rising exposure that may not be reflected in your policy limits
  • Aggregation correlation in EDR/cloud providers — Single-vendor dependency across security stack is a systemic risk multiplier that most cyber policies do not price in your favor

The Lyrie Take

The cyber insurance industry is at a structural inflection point that the soft market is temporarily obscuring. The At-Bay 2026 data is the most important disclosure in the market this year — not because Akira is novel, but because the pattern it reveals is. Infrastructure-led exploitation is the new ransomware playbook: find a device class with a high-value CVE, own the CVE, own everything running that device. That's not attritional risk. That's correlated risk at the scale insurers have always feared.

From a defender's perspective, the insurance signal is actionable: your VPN/edge device choices are now more consequential to your insurer — and to your actual risk — than your endpoint security stack. Patch and replace legacy network appliances on a schedule that matches their CVE velocity, not your refresh budget.

From a market perspective, the Munich Re $28B by 2030 forecast is plausible — but the path is not smooth. The market will have to solve systemic aggregation modeling, war exclusion standardization, SMB underinsurance, and AI-augmented underwriting before it reaches that number with sustainable loss ratios. One major correlated event before those problems are solved, and the number looks very different.

At Lyrie, we treat the insurance market as a lagging indicator of real-world risk — it measures yesterday's threat landscape, but it prices tomorrow's. The 2026 data says tomorrow's exposure is concentrated, infrastructure-led, and faster-moving than legacy policy language anticipated.


Defender Playbook

For enterprises and SMBs:

1. Audit your edge device exposure today. SonicWall was 2025's top target; Ivanti, Fortinet, and Palo Alto have all had their seasons. Run a VPN/firewall CVE scan against current advisories and patch within 72 hours of critical disclosure.

2. EDR alone is not enough. 60% of Akira victims had EDR deployed. EDR + 24/7 MDR was the differentiator. Budget for managed detection if you can't staff it internally.

3. Review your policy's sub-limits. Business interruption caps, third-party liability sub-limits, and ransom sublimits are likely below your actual exposure given 2025 averages.

4. Read the war exclusion language word for word. If your policy excludes "state-nexus" attacks and uses broad attribution standards, you may have less coverage than you think for the highest-impact scenarios.

5. Report within 3 days. At-Bay's data shows a 70% fund recovery rate for organizations reporting within 3 days vs. 27% for those waiting 30+ days. Speed of notification is a material claims outcome driver.

For CISOs engaging with underwriters:

6. Quantify your MDR coverage hours — insurers are increasingly pricing 24/7 monitoring as a distinct risk factor.

7. Prepare attestation documentation — MFA coverage maps, patch cadence evidence, and third-party vendor security assessments are becoming prerequisites, not add-ons.

8. Model your maximum probable loss for a SonicWall-class incident: full encryption, 30+ days downtime, third-party liability exposure. Compare it to your policy limits and sublimits.
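As an added worked example for steps 3 and 8 (this is not At-Bay's model and not Lyrie's code), the Python sketch below builds a SonicWall-class loss scenario head by head, applies a policy's sublimits, coinsurance, retention and aggregate limit, and reports the uninsured gap and which terms bind. The $1.2M ransom figure, the roughly 3× business-interruption ratio and the 30-day downtime are the article's 2025 numbers; the policy structure, the daily business-interruption loss, and the third-party liability and forensics amounts are constructed assumptions chosen only to make the comparison concrete.

```python
"""Maximum-probable-loss (MPL) sketch for a SonicWall-class ransomware incident,
compared against a cyber policy's limits and sublimits.

Added example; not an insurer's actuarial model. Figures marked "article" come
from the 2025 averages quoted above; everything marked "assumption" is invented
for illustration and should be replaced with your own numbers.
"""
from dataclasses import dataclass, field


@dataclass
class LossScenario:
    ransom_demand: float            # article: Akira average demand $1.2M
    downtime_days: int              # article: 1 in 10 victims exceed 30 days
    daily_bi_loss: float            # assumption: lost revenue + extra expense per day
    third_party_liability: float    # assumption: notification, regulatory, customer claims
    forensics_and_restoration: float  # assumption: IR retainer, rebuild, recovery


@dataclass
class Policy:
    aggregate_limit: float          # total the policy will ever pay for one incident
    retention: float                # deductible borne by the insured
    sublimits: dict[str, float]     # per-head caps; heads absent here fall back to the aggregate
    coinsurance: dict[str, float] = field(default_factory=dict)  # fraction the insured keeps


def scenario_losses(s: LossScenario) -> dict[str, float]:
    """Gross loss by head of coverage, before any insurance recovery."""
    return {
        "extortion": s.ransom_demand,
        "business_interruption": s.downtime_days * s.daily_bi_loss,
        "third_party_liability": s.third_party_liability,
        "incident_response": s.forensics_and_restoration,
    }


def apply_policy(losses: dict[str, float], policy: Policy) -> dict:
    """Apply per-head sublimits and coinsurance, then retention and the aggregate limit.

    Returns the recovered amount, the uninsured gap, the heads whose sublimit was
    hit, and whether the aggregate limit itself was the binding constraint.
    """
    capped: dict[str, float] = {}
    heads_at_sublimit: list[str] = []
    for head, amount in losses.items():
        sublimit = policy.sublimits.get(head, policy.aggregate_limit)
        if amount > sublimit:
            heads_at_sublimit.append(head)
        insured_share = 1.0 - policy.coinsurance.get(head, 0.0)
        capped[head] = min(amount, sublimit) * insured_share

    recoverable = sum(capped.values())
    after_retention = max(0.0, recoverable - policy.retention)
    recovered = min(after_retention, policy.aggregate_limit)
    gross_loss = sum(losses.values())
    return {
        "gross_loss": gross_loss,
        "recovered": recovered,
        "uninsured_gap": gross_loss - recovered,
        "heads_at_sublimit": heads_at_sublimit,
        "aggregate_binds": after_retention > policy.aggregate_limit,
    }


# Constructed scenario: article figures for ransom and downtime, assumptions elsewhere.
SONICWALL_CLASS = LossScenario(
    ransom_demand=1_200_000,
    downtime_days=30,
    daily_bi_loss=100_000,          # assumption; yields BI of $3.0M, ~2.5x the ransom
    third_party_liability=750_000,  # assumption
    forensics_and_restoration=250_000,  # assumption
)

# Constructed policy: a typical-looking mid-market structure, not any real carrier's form.
SAMPLE_POLICY = Policy(
    aggregate_limit=3_000_000,
    retention=50_000,
    sublimits={
        "extortion": 500_000,
        "business_interruption": 1_000_000,
        "third_party_liability": 1_000_000,
    },
    coinsurance={"extortion": 0.20},
)


def model_sonicwall_class_incident() -> dict:
    """Run the constructed scenario against the constructed policy."""
    return apply_policy(scenario_losses(SONICWALL_CLASS), SAMPLE_POLICY)


if __name__ == "__main__":
    result = model_sonicwall_class_incident()
    for key, value in result.items():
        print(f"{key:>20}: {value:,}" if isinstance(value, (int, float)) else f"{key:>20}: {value}")
```

Run as-is, the constructed scenario produces a $5.2M gross loss against $2.35M recovered, leaving a $2.85M uninsured gap; the extortion and business-interruption sublimits bind while the aggregate limit does not. That is the shape of the exercise step 8 asks for: the answer that matters is not the headline limit but which sublimit is hit first and by how much.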


Sources

1. At-Bay 2026 InsurSec Report — reinsurancene.ws

2. Munich Re Global Cyber Risk and Insurance Survey 2026 — munichre.com

3. Fitch Ratings / Beinsure — U.S. Cyber Insurance Premiums Rebound 2025 — beinsure.com

4. Insurance Business Mag — One ransomware crew now drives half of all cyber claims — insurancebusinessmag.com

5. Insurance Day — Cyber markets risk a 'severe correction' (Howden, 2026) — insuranceday.com

6. Insurance Business Mag — Why cyber war risks push market toward public-private solution — insurancebusinessmag.com

7. Resilience / Cybersecurity Dive — Manufacturing ransomware 90% of losses — cybersecuritydive.com

8. Precursor Security — What Cyber Insurance Actually Covers 2026 — precursorsecurity.com


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.