Adnan Arain

Seasoned Executive – Trusted Adviser

Insurance – Law – Entrepreneurship

Professional Note – Insurance


The Ghost in the Machine: Navigating AI Hallucinations in D&O and E&O Insurance

March 2026

As we move through 2026, the integration of Artificial Intelligence into the core of business operations is no longer a “future” trend—it is the current standard. However, this rapid adoption has birthed a unique and often misunderstood risk: the AI Hallucination. Unlike a standard software “bug” or a connectivity glitch, a hallucination occurs when a Large Language Model (LLM) generates information that is factually incorrect or entirely fabricated, yet presents it with absolute confidence.

For a business, these are not mere technical hiccups. They are potential catalysts for litigation. When a company relies on hallucinated data to make high-stakes corporate decisions or deliver professional services, the resulting errors can trigger two primary pillars of executive protection: Directors & Officers (D&O) and Errors & Omissions (E&O) insurance.

D&O Liability: The Duty of Oversight in the AI Era

In the corporate world, board members, C-suite leaders, and senior managers are held to a high standard of fiduciary responsibility. They are personally liable for the business decisions they make on behalf of the company. While the corporation typically indemnifies these leaders for such decisions, a D&O policy serves as the ultimate backstop, indemnifying the corporation for those costs and protecting the personal assets of the individuals.

The threat of AI hallucinations introduces a new layer of “Negligent Oversight.” If a board authorizes a major acquisition or a pivot in corporate strategy based on AI-generated market analysis that contains significant “blind spots” or “hallucinated context,” they may be in breach of their duty of care. Shareholders and regulators are increasingly asking whether leadership exercised a proper “human-in-the-loop” (HITL) verification before acting on AI outputs.

If a hallucination leads to a misleading financial disclosure or a flawed strategic move that impacts the stock price, the resulting damages fall squarely within the realm of D&O. Insurers are now scrutinizing corporate AI governance frameworks specifically to determine if leadership is “blindly” following the machine or maintaining the necessary oversight to catch these digital fabrications.

E&O Liability: Professional Services and the “Velocity of Error”

While D&O protects the decision-makers, Errors & Omissions (E&O) insurance—also known as Professional Liability—indemnifies the entity or the individual for mistakes made in the performance of services for others for a fee. In short, AI hallucinations can result in incorrect services being rendered, often with a “velocity of error” that human-led mistakes rarely achieve.

This risk is far from hypothetical; it is backed by a growing body of precedent:

  • The 2023 “Mata v. Avianca” Case: In a landmark 2023 instance, attorneys in the case of Mata v. Avianca, Inc. submitted a legal brief to a New York federal court containing six entirely fabricated case citations generated by ChatGPT. The AI had “hallucinated” the names of the cases and the judicial opinions. The judge ultimately sanctioned the attorneys, ruling that “technological assistance” does not absolve a professional of their duty to verify.
  • The 2025 “Lindell” Defamation Sanctions: In July 2025, a U.S. District Judge sanctioned attorneys representing Mike Lindell after they filed a brief riddled with nearly 30 “defective citations,” including non-existent cases. This demonstrated that even high-profile, high-stakes litigation is susceptible to AI-driven professional errors.
  • The 2025 Accounting Reprimands: Beyond the courtroom, E&O claims are emerging in the accounting sector. In 2025, several firms faced scrutiny after proprietary AI tax-advisor tools hallucinated specific tax regulations or misinterpreted IRS codes, leading to significant financial penalties for their clients.

In these instances, the “error” is the failure of the professional to catch the machine’s hallucination before it reached the client. E&O policies are now being tested to see how they handle these automated professional failures.

The Subrogation Question: Who is Ultimately at Fault?

Assuming a D&O or E&O claim is covered and paid by an insurer, a critical legal question emerges: Can the insurer subrogate against the provider of the AI services?

If a consulting firm’s E&O carrier pays a claim because an AI tool hallucinated a market forecast that caused a client to lose millions, does that insurer then have the right to sue the tech company that developed the underlying model? This introduces a complex web of “End User License Agreements” (EULAs), liability caps, and the “black box” problem of proving causation in algorithmic reasoning.

This opens a massive new frontier in insurance law—one that shifts the focus from the user of the tool to the architect of the tool. Check back for our next entry, where we will dive deep into the world of AI Subrogation and the coming battle between insurers and AI providers.

Sources

  1. Mata v. Avianca, Inc. – Official Court Order (PDF via Berkeley Law)
  2. Massachusetts Board of Bar Overseers (BBO) – Public Reprimand No. 2025-2
  3. JD Supra: Lawyers Sanctioned Over AI-Hallucinated Citations
  4. IARDC Report: The Fallout of AI Hallucinations in Court Filings (PDF)

Are Hospital Systems Really Unable to Buy Cyber Insurance?

March 2026

For the past several years, headlines have depicted a negative outlook for the healthcare cybersecurity landscape. In the wake of large, systemic events such as the Change Healthcare attack in 2024 and a subsequent wave of AI-driven ransomware in 2025, a common narrative has emerged: that hospital systems are now “uninsurable.”

Recent reports from the Internet Crime Complaint Center (IC3) and the Health Sector Coordinating Council (HC3) confirm that healthcare remains the most targeted sector, with hundreds of major ransomware and data breach complaints filed annually. For many rural facilities and mid-sized systems, the struggle to secure a quote is real, leading to the perception that the insurance market has simply turned its back on the industry.

However, the reality of the cyber market is more nuanced. The issue for most hospital systems is not an objective inability to buy coverage, but rather an unwillingness to meet specific, non-negotiable standards of modern underwriting.

The “Insurability” Gap: Requirements vs. Reality

To understand why some hospitals are “failing” to secure coverage, we must look at the shift from “checkbox compliance” to “evidence-based underwriting.” In the current environment, insurers are no longer taking an organization’s word for its security posture; they are demanding verifiable proof of an active defensive posture.

Most “uninsurable” risks today fall into one of two categories of unwillingness:

  1. Unwillingness to Adopt Technical Measures: Insurers now view tools like Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), and immutable, air-gapped backups as basic “table stakes.” For many hospitals, implementing MFA across every single legacy system or medical device is a massive operational headache. Yet, 2026 insurance contracts frequently include “Condition Precedent” or “Maintenance of Controls” clauses. If a forensic investigation reveals that MFA was disabled for “workflow convenience” at the point of entry, the insurer may have the grounds to deny the claim or significantly sub-limit the loss.
  2. Unwillingness to Accept Pricing and Retentions: Healthcare data is the most valuable commodity on the dark web, often selling for up to $1,000 per record compared to just $5 for a credit card number. Because of this, the cost to clean up a breach has skyrocketed, with the average healthcare data breach cost reaching $7.42 million in 2025. Many hospital systems are balking at the resulting premium hikes and the demand for higher Self-Insured Retentions (SIRs). They are essentially being asked to have more “skin in the game” to a degree they find unpalatable, despite their loss histories justifying the shift.

The above two factors significantly alter the insurance outlook for any hospitals or large healthcare providers. It’s worth noting, however, that the effect is even more pronounced for entities with recent claims history.

The 2026 Healthcare Cyber Outlook: A Disciplined Softening

This brings us to the current state of the cyber marketplace for healthcare. Underwriters describe the current rate environment as one of “disciplined softening.” While general commercial lines have softened significantly, the healthcare cyber segment remains cautious.

Capacity has returned to the market, and we are seeing rate reductions for “best-in-class” risks—those who have done the hard work of modernizing their stacks. However, for those with legacy infrastructure and weak controls, it remains a permanently hard market.

Factors Driving the Current Market:

  • Systemic Risk & Vendor Dependency: Post-Change Healthcare, underwriters are scrutinizing “single points of failure.” If your hospital relies on a single SaaS provider for your EHR, expect lower sub-limits for Dependent Business Interruption.
  • The Rise of Agentic AI: Threat actors are using AI to automate social engineering and find vulnerabilities in medical devices (IoMT) faster than human teams can patch them.
  • Regulatory Fines: With the Office for Civil Rights (OCR) increasing enforcement, policies are being refined to address the evolving landscape of Civil Monetary Penalties (CMPs) and regulatory defense costs, subject to insurability under state law.
  • Reinsurance Stability: A three-year run of profitability for cyber reinsurers has provided an “oasis of stability,” allowing primary carriers to continue deploying capacity for healthcare risks.

2026 Cyber Claims Trends for Healthcare

Given the above, it’s vital for hospital leadership to understand the claims environment when evaluating their risk transfer strategy:

  • Ransomware Severity over Frequency: While attack volume has stabilized, the severity (payout amount) has surged. In 2025, average ransomware payments increased by nearly 95% as attackers shifted toward “extortion-only” models—threatening to leak sensitive diagnoses unless paid.
  • Business Email Compromise (BEC) Sophistication: Often overlooked in favor of ransomware, BEC is now the second-costliest category of cybercrime. In the healthcare sector, the average loss per BEC incident reached $261,000 in 2025 (FBI/IC3), as attackers use AI-generated deepfakes and “conversation hijacking” to divert vendor payments and payroll.
  • Extended Business Interruption: Hospitals are no longer just dealing with “IT outages.” The average recovery time for a major attack now spans 19 to 23 days, during which time revenue stalls while labor costs for manual workarounds explode.
  • The 280-Day Breach Lifecycle: Healthcare continues to have the longest “dwell time” in the world. On average, it takes 207 days to identify a breach and another 73 days to contain it, giving hackers ample time to exfiltrate vast troves of PHI.

Cyber insurance is available for hospitals, but not as a passive purchase. It requires active engagement and adaptation in terms of data hygiene, standard operating procedures, and risk culture. Ultimately, cyber insurance is becoming a partnership that requires a commitment to technical excellence and a realistic understanding of the financial stakes.

Sources:

Evolving Threats

IBM Cost of Data Breach Report 2025

Sophos State of Ransomware 2025


The Sunsetting of CISA: A Step Backward at the Worst Possible Time

November 2025 – Updated February 2026

Congress’s decision to allow the Cybersecurity Information Sharing Act (CISA) to sunset—along with its core safe-harbor protections—comes at a moment when the private sector can least afford it.

1. Without Safe Harbor, Private Entities Lose Incentive to Share Threat Intelligence

For nearly a decade, CISA created a legal framework enabling private organizations to share cyber-threat indicators with the federal government without fear of regulatory, civil, or contractual blowback. Its safe-harbor provisions were the cornerstone: they shielded companies from liability and protected shared information from being used against them.

With the Act now lapsed, companies are abruptly exposed. Any shared intelligence could later be used:

  • In regulatory enforcement
  • In civil litigation
  • In contract disputes
  • In reputational harm scenarios

The result is predictable: information sharing will sharply contract. Without clear statutory protections, no rational enterprise—particularly those handling sensitive data, operating in healthcare, finance, or critical infrastructure—will volunteer threat intelligence knowing it could later be weaponized against them.

2. This Shift Arrives as AI-Enabled Threats Accelerate

The timing could not be worse.
Cybercriminals are leveraging AI-driven attack vectors at unprecedented scale:

  • Automated vulnerability discovery
  • Real-time social-engineering scripts
  • Deepfake-driven credential harvesting
  • Autonomous malware decision-making

The private sector, which owns and operates the overwhelming majority of U.S. digital infrastructure, depends on timely intelligence to detect and triangulate such threats. The absence of CISA’s protections strips away the single most efficient incentive structure for sharing emerging indicators of compromise.

This is the paradox: at the exact moment when cross-sector intelligence sharing is most needed, the legal architecture supporting it has been dismantled.

A Call for a Modernized Replacement

Policymakers must act quickly. A new framework—one that reflects today’s AI-accelerated threat landscape—is essential. Safe harbor isn’t a corporate “benefit”; it is a national security requirement.

Until Congress restores or modernizes these protections, organizations will be forced to navigate cyber risk with less visibility, less coordination, and fewer tools—while adversaries gain more powerful ones.

Addendum: Recent Legislative Extensions

Despite the uncertainty following the initial September 30, 2025 sunset, Congress has intervened with two critical short-term extensions to maintain the information-sharing framework:

  • First Extension (November 2025): Following a brief lapse during a government shutdown, the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026 reauthorized CISA 2015 effective through January 30, 2026.
  • Second Extension (February 2026): As part of the Consolidated Appropriations Act, 2026, President Trump signed a further extension that keeps the law’s current protections and liability safeguards in place through September 30, 2026.

Sources:

CISA Act

Fortune.com: Anthropic Says It Disrupted the First Documented Large Scale Cyber Attack

Crowdstrike: AI-Accelerated Ransomware Surges

CybersecurityDrive: AI-Based Malware Makes Attacks Stealthier and More Adaptive


Why Early-Stage Tech, SaaS, and Consulting Companies Need Executive Liability Insurance

November 20, 2025

Early-life-cycle companies—especially pre-revenue startups and emerging tech, SaaS, or consulting firms—navigate unique risk exposures long before they generate meaningful income. While founders often focus on product buildout, fundraising, and customer acquisition, a critical question tends to get pushed aside:

What Property & Casualty policies need to be in place before the business even turns the lights on?

Below is a simple framework founders can use to understand the phases of required insurance—culminating in executive liability insurance, a category many early-stage leaders mistakenly believe they can delay.

Phase 1a: Operational Requirements (Day 1 Must-Haves)

Before revenue, before your first customer, and often before a contract is signed, counterparties will almost always require:

  • Cyber Liability – Increasingly required even for pilot or beta-phase deployments. Any company handling data or connecting to a client’s systems will be required to show evidence of cyber coverage.
  • Along with the following Non-Executive Liability policies:
    • General Liability (GL) – Protects against bodily injury or property damage claims—standard for landlords, vendors, and partners.
    • Property / BPP – Covers equipment and business property, often required by landlords or coworking spaces.
    • Workers’ Compensation – Mandatory the moment you hire your first employee.

These policies are foundational and often considered required as a condition of doing business.

Phase 1b: Professional Liability (Tech E&O / Consultants E&O)

For tech, SaaS, or consulting businesses, the most important “Day 1” coverage is Errors & Omissions (E&O)—also referred to as Technology E&O, Consultants E&O, or Miscellaneous E&O.

This policy covers claims that your services caused a financial loss to a client or alleged client, including:

  • Improper implementations
  • Faulty code
  • Missed deadlines
  • Alleged negligence
  • Failure to deliver contracted results

If you provide services for a fee, E&O should be in place before the first engagement.

Phase 2: Directors & Officers (D&O) Insurance

D&O is where early-stage companies often misunderstand their exposure.

Even sophisticated executives are often surprised to learn that they are personally liable for the business decisions they make.

D&O insurance fills that critical gap by protecting individual leaders and the company’s balance sheet against claims alleging:

  • Mismanagement
  • Breach of fiduciary duty
  • Misrepresentation
  • Failure to supervise
  • Improper corporate governance
  • Investor disputes
  • Regulatory inquiries

A typical structure looks like this:

  • The organization indemnifies the individual executive, and
  • D&O insurance reimburses (“indemnifies”) the organization,
  • Or, in many cases, the D&O policy directly protects the individual when the organization cannot.

This is not just a “big company” protection. Any company with decision-makers has D&O exposure—even pre-revenue startups.

That said, many of my early-stage clients wait until they’ve achieved a concrete milestone—proof of concept, initial revenues, or early capital raises—before binding D&O coverage. There’s no single right answer; it depends on the company’s vertical, governance structure, investor profile, and overall risk tolerance.

Closing Thought

Executive liability insurance is not a luxury reserved for mature companies. It’s an essential component of a well-governed startup—and it protects both the leaders who drive the business and the balance sheet they’re building.

In a subsequent post, I’ll break down other key executive lines—Employment Practices Liability (EPLI), Fiduciary Liability, Crime, and more—and how they fit into a growing company’s risk-management roadmap.



UK ransomware claims up 230%: what does it mean for the U.S. cyber insurance market?

November 11, 2025

UK ransomware claims frequency shows a recent, dramatic surge—and cyber underwriters on both sides of the Atlantic are trying to decide whether this is a UK-specific storm or an early warning for the U.S.

The headline: what’s actually happening?

Fresh UK market data shows a sharp jump in cyber insurance payouts driven by ransomware:

  • UK insurers paid ~£197m in cyber claims for 2024, up about 230% from 2023. Ransomware and malware made up around half of all claims, up from roughly one-third the prior year.
  • The UK’s National Cyber Security Centre (NCSC) continues to flag ransomware as the most pressing cyber threat, with increasing impact on critical infrastructure and essential services.

In the U.S.:

  • Ransomware remains severe but the pattern is different: FBI IC3 data for 2024 shows ransomware complaints up ~9% year-over-year, still a leading threat to critical infrastructure, with total cybercrime losses hitting $16.6bn.
  • Some major cyber insurers report stabilizing ransomware claim frequency in the U.S. in 2024 (though with high severity), suggesting a more mature control environment and pricing response in parts of the U.S. market.

One way of characterizing the U.S.-UK dichotomy is that the UK is seeing a sharper claims frequency spike right now, while the U.S. is in a steady but high-severity grind.

But why are UK ransomware claims surging NOW? 3 key drivers

1. Better insurance penetration + better reporting = more visible (and payable) losses

Over the last 12–18 months:

  • More UK firms—especially SMEs—have purchased standalone or packaged cyber cover; ABI data shows a notable rise in policy uptake in 2024.
  • Wordings have improved: broader incident response, forensics, business interruption, and data extortion coverage. That turns what used to be “quietly absorbed IT disasters” into formal, reportable claims.
  • The UK marketplace shows a lag: cyber attacks including ransomware from earlier periods are being detected and crystallized into 2024–2025 claims.

Juxtaposing the U.S. environment
Companies in the U.S. are experiencing similar attacks, but U.S. companies are further along the maturity curve. U.S. rates of adoption of cyber best practices, underwriting discipline, and breach reporting norms have been higher for longer, so the “visibility shock” phase hit earlier (2020–2022). Current U.S. data reflects a more normalized, though still high, ransomware loss environment—whereas the UK is catching up in a compressed window.

2. A sweet spot for attackers: mid-market UK organizations + uneven controls

Threat actors go where:

  1. The controls are inconsistent, and
  2. The victim can still pay.

In the UK:

  • Mid-market companies, local authorities, healthcare and education have rapidly digitized (cloud, remote access, OT/IoT) but often lag on patching, segmentation, backups and privileged access management.
  • NCSC’s recent reviews highlight a growing gap between the sophistication of threat actors and the defensive posture of many UK organizations, including critical sectors.
  • Ransomware groups increasingly use credential theft, living-off-the-land techniques, and double/triple extortion models—raising both frequency and severity of insured events.

Is this factor present in the U.S.?
This factor is absolutely present in the U.S., albeit with some differences:

  • U.S. critical infrastructure and large enterprises have faced sustained pressure for years, leading to stronger baseline controls, sector-specific regulation, and active collaboration with CISA, FBI, and insurers.
  • The exposed cohort in the U.S. is similar—mid-market, regional healthcare, municipalities, schools—but they’ve been under heavy attacker focus for longer, so this isn’t a “new spike” story so much as chronic exposure with incremental growth.
  • UK attackers may currently perceive relatively better ROI vs hardened U.S. Fortune-1000 targets, nudging some campaigns toward UK and European organizations.

So this driver exists in both markets, but it’s having impact later and harder in the UK mid-market right now.

3. Growing array of hacker resources, geopolitics & criminal economics: UK as a convenient target cluster

Over the past year, three intertwined dynamics have intensified UK exposure:

  1. RaaS + AI-enabled operations
    • Ransomware-as-a-Service platforms and AI-driven phishing make it trivial for less skilled actors to run high-yield campaigns.
    • UK-based brands with strong online footprints and large customer datasets are prime candidates for credential phishing and supply-chain attacks.
  2. Geopolitical and law-enforcement pressure displacement
    • High-profile actions (e.g., against LockBit and other groups) plus well-publicized U.S. takedowns and sanctions regimes may be nudging some operators to recalibrate targeting toward jurisdictions perceived as slightly less risky from an enforcement standpoint (including the UK and EU). (This is an informed inference based on incident patterns and enforcement actions referenced by NCSC/FBI, not a formally proven causal chain.) (Industrial Cyber)
  3. Macro conditions
    • Tight margins and economic pressure mean more orgs are one outage away from existential risk—making them more likely to consider payment and more likely to claim, inflating insured loss figures.

Are these dynamics visible in the U.S.?
Yes, but with some offsets:

  • The same RaaS and AI tooling targets U.S. entities heavily.
  • However, stronger coordination between U.S. agencies and the private sector, plus a longer history of very large publicized breaches, has pushed many U.S. enterprises into more robust incident response and resilience planning.
  • Net effect: high, costly U.S. ransomware activity, but not the same sudden proportional surge in paid insurance claims we’re currently seeing reported in the UK.

Key Takeaways

It will be crucial to stay up to date on the frequency and severity of the onslaught of UK ransomware claims, and to continue to push for the broadest coverage terms possible despite this claims trend. At GuardianSpec, we help clients avoid gaps in coverage and secure the right cyber protection before an incident occurs. Contact us to review your current policy or start a cyber insurance application today.

November 2025


Jaguar Land Rover Ransomware Attack: A Cyber Insurance Wake-Up Call

September 24, 2025

The Incident: Global Shutdown from a Cyber Attack

On or about August 31, 2025, Jaguar Land Rover (JLR), owned by Tata Motors Ltd (NSE: TATAMOTORS), suffered a suspected ransomware attack. The incident forced JLR to shut down manufacturing operations worldwide, halting production across multiple plants.

The shutdown continues at the time of writing, with losses estimated at £50 million ($68M) per week. Roughly 33,000 employees have been told to stay home, underscoring the scale of disruption that a single cyber event can cause.

No Cyber Insurance Coverage in Place

According to multiple media reports, Jaguar Land Rover had not completed its cyber insurance renewal prior to the attack. As a result, the company must absorb the entire financial impact without an insurance backstop.

The oversight is costly. A standard cyber insurance policy would typically provide:

  • Ransomware coverage (ransom negotiation and payment, along with detection, remediation, data restoration)
  • Business interruption coverage (revenue replacement during downtime)
  • Incident response resources (law firms, PR firms, forensic IT specialists)
  • Replacement of damaged software and possibly hardware under certain sublimits

Reports indicate JLR had started the renewal process with its broker but never finalized it—leaving the company fully exposed when the attack struck.

Lessons for Businesses: Cyber Insurance Is Critical

The JLR ransomware attack highlights several urgent lessons for businesses of all sizes:

  1. Complete Applications and Renewals on Time
    Insurance is designed for unforeseen events. Delaying applications or renewals leaves businesses vulnerable to exactly the kind of loss JLR is now experiencing.
  2. Even Standard Policies Offer Robust Protection
    Many assume that only customized cyber programs cover ransomware or business interruption. In fact, even off-the-shelf cyber insurance policies often include these coverages—plus access to legal, PR, and forensic experts during a crisis.
  3. Losses Can Be Existential for Mid-Market Companies
    While JLR may receive government support, most mid-sized businesses would not survive weeks of halted operations. A ransomware attack can be financially devastating without cyber insurance.

Final Takeaway: Don’t Wait Until It’s Too Late

The Jaguar Land Rover case is a stark reminder: cyber insurance must be purchased and renewed on time. For companies in healthcare, manufacturing, and other critical industries, the cost of coverage is a fraction of the potential loss.

At GuardianSpec, we help clients avoid gaps in coverage and secure the right cyber protection before an incident occurs. Contact us to review your current policy or start a cyber insurance application today.

Sources:

Insurance Business Magazine Article

Carrier Management Article

The Guardian Article #1 and #2

Car and Driver Article

September 26, 2025


Cyber market update – Q3 2025

Cyber Insurance Market Update: Rates Ease, Risks Persist

Cyber insurance rates in the U.S. fell an average of 6% year-over-year, according to industry sources. The decline is driven largely by competitive pressures as insurers seek new business. For example, CFC — one of the earliest historical cyber underwriters — revamped its rating system in early 2025 and launched an aggressive marketing campaign. Many competitors have followed, resulting in meaningful savings for insureds with clean loss histories.

Claims Trends: Frequency Down, Severity Up
While total reported claims fell 53% in the first half of 2025, severity continues to rise. Ransomware remains the dominant driver, accounting for 76% of incurred losses, with the average claim now costing $1.18M — up 17% from last year. Survey data suggests that even large companies often fail to implement basic protections such as firewalls, leaving them vulnerable despite falling premiums.

Takeaway
Well-managed risks should expect savings at renewal — but coverage and limits matter more than ever given rising severity. GuardianSpec can help you benchmark your program, ensure you’re capturing market savings, and confirm your coverage is adequate for today’s threats.

Sources:

CFC relaunch

Risk and Insurance Article

Insurance Business Magazine Article

September 24, 2025


Cyber market overview – Q2 2025

Cyber insurance in 2025 is paradoxical. Coverage is cheaper and more abundant than it has been in years, yet the risk environment has never been more severe. Businesses are navigating falling premiums, evolving threats driven by artificial intelligence, and shifting policy language. Below are the ten most important trends shaping the U.S. cyber insurance market today.

1. Client-Favorable Pricing

The market is experiencing unusual “client-favorable anomalies.” Premiums are falling, capacity is growing, and insureds can often secure higher limits for lower costs. This dynamic is expected to continue until the market consolidates or experiences a major correction.

2. AI as a Double-Edged Sword

Artificial intelligence is reshaping the cyber landscape. While AI enhances defenses, it also empowers criminals. Generative AI tools have fueled an explosion in phishing attacks—making them more personalized, harder to detect, and easier for low-skill actors to launch.

3. Threats Intensifying

Despite falling premiums, attacks are rising sharply. Cyber incidents increased 47% worldwide in Q1 2025, with business email compromise (BEC) the most frequent attack. Ransomware remains a top concern, with some reports showing a 126% surge this year.

4. “Blue Collar” Industries in the Crosshairs

Sectors once considered low-risk—construction, manufacturing, wholesale distribution—are now frequent targets. These firms are appealing to attackers because of the large wire transfers involved in daily operations.

5. Vendor Risk and Downstream Losses

Third-party vendor attacks highlight the fragility of interconnected digital ecosystems. A single vendor compromise can trigger cascading losses across dozens of insureds, driving both claims frequency and severity.

6. Gaps in AI Liability Coverage

While AI-driven attacks are usually covered under cyber policies, liabilities arising from an organization’s own use of flawed or biased AI models are not. These exposures may require tailored Errors & Omissions (E&O) coverage—or eventually, new niche products.

7. Commoditization with Inconsistencies

Policy language is gradually becoming standardized, making it harder to distinguish between carriers. Yet underwriting and claims practices remain inconsistent. Similar risks may receive very different premiums and terms depending on the insurer.

8. Insurers Driving Better Security

Carrier requirements such as multi-factor authentication (MFA) and off-site backups have improved overall cyber hygiene. Even first-time applicants now present stronger controls than in prior years, raising the baseline level of security across industries.

9. Human Error Still Dominates

Phishing, user mistakes, and “MFA fatigue” remain leading causes of breaches. Organizations must fight complacency by reinforcing training and monitoring, since cyber risk is never static.

10. Claims Growing More Severe

The next wave of losses is expected to be larger and more complex. Vendor-driven incidents, tighter data privacy rules, and a rise in class-action lawsuits all point to escalating claim severity and legal exposure.

The Bottom Line

The next 12–18 months may be the most favorable buying window clients will see for cyber coverage—falling premiums, higher limits, and more capacity. But risk itself is not decreasing; it is expanding and evolving, particularly with AI and vendor-driven exposures. Organizations should use this window not only to negotiate strong coverage but also to review exclusions, strengthen controls, and prepare for a more volatile future.

GuardianSpec helps businesses identify coverage gaps, benchmark terms, and align insurance with real-world cyber risks. Now is the time to act.

Source: 2025 US Market Outlook Series – Cyber – Insights on the Current and Future State of the US Cyber Insurance Market – by our business partner RPS – Published Q2 2025. Available Upon Request