Executive summary
Cyber insurance remains a useful financial instrument, but the market signals entering 2026 still point to the same central conclusion: risk transfer is not risk reduction. Softer pricing, wider capacity, and broader buyer appetite do not change the operational reality that losses are still being driven by exploited vulnerabilities, compromised credentials, ransomware, business email compromise, third-party dependency, and weak recovery disciplines.
A policy can finance part of a cyber loss. It cannot create trust, reduce blast radius, or prove resilience.
Evidence dashboard
| Indicator | 2026 signal | Why it matters |
|---|---|---|
| NAIC market report | $9.14B U.S. cyber direct written premium in 2024, down from $9.84B in 2023 | Pricing softness does not mean technical risk has fallen |
| Claims closure | 9,941 claims closed with payment vs. 28,555 closed without payment | A policy is conditional, not guaranteed recovery |
| Verizon DBIR | 31% of breaches started with software vulnerabilities; ransomware present in 48% of breaches | Loss drivers are operational and control-based |
| Coalition claims | BEC and funds-transfer fraud accounted for 58% of 2026 claims | Identity and business-process controls remain central |
| FBI IC3 | More than $20.8B in 2025 complaint losses | Financial impact remains large even when coverage exists |
These figures are presented as market indicators, not universal loss probabilities for any single organization.
Selected figures
Research figure 1
Research figure 2
Research figure 3
Research figure 4
Research figure 5