Cyber insurance trends 2025: what carriers actually want to see
Premiums are stabilizing after years of hard-market conditions. Carriers are getting more specific about controls — and awareness training is moving from 'nice to have' to underwriting requirement.
The cyber insurance market in 2025 looks different from what it was three years ago. After two years of brutal premium increases (some renewals doubling or tripling) and aggressive sub-limit reductions, the market has stabilized. Capacity has returned. New carriers have entered. Premium increases have moderated to the low single digits in many segments, and in some classes premiums are actually declining at renewal.
But the underwriting bar has not relaxed. Carriers are smarter, more specific, and increasingly willing to walk away from accounts that don't meet their control expectations. Here's what they're actually looking for in 2025.
The non-negotiables
Across the market, certain controls have become table stakes. Without them, many carriers won't quote at all:
- Multi-factor authentication on email, remote access, and admin accounts. The most consistent ask in the industry. "MFA everywhere" used to be the gold standard; now "MFA on remote access AND email AND admin" is the floor.
- Endpoint detection and response (EDR). Carriers want to see a real EDR, meaning an agent with behavioral detection, telemetry and response capability, not just legacy signature-based AV. Several major carriers explicitly disqualify accounts running only signature-based AV.
- Segregated, immutable backups. "We have backups" is not enough. Carriers want backups that are isolated from the production network and from production credentials, and immutable for a retention period, so that an intruder who already controls the domain cannot delete or encrypt them in a ransomware attack.
- Email security with sandbox / link rewriting. Either a major secure email gateway or M365/Workspace native protection at the higher tier.
If any of these are missing, the underwriter conversation tends to be short.
The new ask: documented awareness training
Where insurance application questionnaires used to ask "do you do security awareness training?" and accept "yes" as the answer, the 2025 question set is more specific. Common variations we're seeing:
- Frequency: "How often do you run security awareness training? How often do you run phishing simulations?"
- Coverage: "What percentage of your workforce has completed awareness training in the past 12 months?"
- Outcomes: "What is your phishing click-through rate? Has it changed in the past year?"
- Targeting: "Do you provide additional training to employees with access to financial systems or sensitive data?"
The shift is from "do you check the box" to "show me the program." A vague yes doesn't pass underwriting anymore.
Why the shift
Three things drove the change.
1. Loss data caught up with the rhetoric. Carriers have years of incident data now, and the correlation between social engineering and large losses is so strong that underwriting can't ignore it. Business email compromise alone accounts for a meaningful fraction of all cyber claims paid — most of which start with a person being persuaded.
2. Regulatory pressure made it a structural requirement. Federal and state regulations (HIPAA, the GLBA Safeguards Rule, NYDFS Part 500.14) and industry frameworks (CMMC for defense contractors) now explicitly require documented awareness training. If you're regulated, you need it. Carriers are increasingly aligning their underwriting with the same expectations.
3. The market matured. A maturing market segments more aggressively. Two organizations of the same size and industry can have meaningfully different premiums based on control posture. Awareness training is one of the cleanest controls to verify and one of the cheapest to deploy — so it became a lever underwriters could pull on.
What "good" actually looks like to a carrier
The accounts that get the best terms tend to share some patterns:
- Continuous training rather than annual one-time modules. Quarterly cadence at minimum.
- Phishing simulation with a varied template library. Not the same five templates every quarter.
- Adaptive remediation. When someone clicks, they get follow-up training automatically. Carriers like to see this — it's evidence the program closes the loop.
- Reporting on outcomes. "Our click rate fell from X to Y over the past 12 months" is a story carriers want to hear.
- Coverage across the workforce. Including contractors and third parties who have access. The DBIR's finding that third-party involvement doubled is showing up in underwriting questions too.
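The questionnaire items above (frequency, coverage, outcomes, targeting) and the "what good looks like" patterns are all things you can compute from the exports your LMS and phishing-simulation tool already produce. The script below is an added example, not code from the article or from any vendor: it takes constructed roster, training-completion and simulation records (the column layout is an assumption, not any product's schema) and produces the coverage percentage, the quarterly click-rate trend, the repeat-clicker remediation queue, template diversity, and a list of gaps an underwriter would flag, including contractors who are in scope but untrained.

```python
"""Awareness-program metrics for a cyber-insurance questionnaire.
Added example with constructed data; not from the article or any vendor."""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2025, 9, 30)  # renewal date used for the trailing-12-month window

# Constructed roster: (user, population). Contractors count: carriers ask about
# third parties with access, not just employees.
WORKFORCE = [
    ("alice", "employee"), ("bob", "employee"), ("carol", "finance"),
    ("dave", "employee"), ("erin", "contractor"), ("frank", "contractor"),
]

# Constructed LMS export: (user, completion date). dave is stale, frank never trained.
TRAINING = [
    ("alice", date(2025, 3, 1)), ("bob", date(2024, 11, 15)),
    ("carol", date(2025, 6, 20)), ("dave", date(2023, 9, 1)),
    ("erin", date(2025, 1, 10)),
]

# Constructed phishing-simulation export: (quarter, user, template, clicked).
PHISH_SIM = [
    ("2024Q4", "alice", "invoice", True),  ("2024Q4", "bob", "invoice", True),
    ("2024Q4", "carol", "invoice", False), ("2024Q4", "dave", "invoice", True),
    ("2024Q4", "erin", "invoice", False),  ("2024Q4", "frank", "invoice", False),
    ("2025Q1", "alice", "invoice", False), ("2025Q1", "bob", "mfa-reset", False),
    ("2025Q1", "carol", "invoice", False), ("2025Q1", "dave", "mfa-reset", True),
    ("2025Q1", "erin", "invoice", False),  ("2025Q1", "frank", "mfa-reset", True),
    ("2025Q2", "alice", "payroll", False), ("2025Q2", "bob", "docusign", False),
    ("2025Q2", "carol", "payroll", False), ("2025Q2", "dave", "mfa-reset", True),
    ("2025Q2", "erin", "docusign", False), ("2025Q2", "frank", "payroll", False),
    ("2025Q3", "alice", "hr-policy", False), ("2025Q3", "bob", "shipping", False),
    ("2025Q3", "carol", "invoice", False),   ("2025Q3", "dave", "hr-policy", False),
    ("2025Q3", "erin", "shipping", False),   ("2025Q3", "frank", "invoice", True),
]


def recently_trained(training, as_of, window_days=365):
    """Users with at least one completion inside the trailing window."""
    cutoff = as_of - timedelta(days=window_days)
    return {u for u, d in training if cutoff <= d <= as_of}


def training_coverage(workforce, training, as_of):
    """{population: (trained, headcount)} plus an "all" entry (the 'coverage' question)."""
    recent = recently_trained(training, as_of)
    counts = defaultdict(lambda: [0, 0])
    for user, pop in workforce:
        for key in (pop, "all"):
            counts[key][1] += 1
            counts[key][0] += int(user in recent)
    return {k: (t, n) for k, (t, n) in counts.items()}


def click_rate_by_quarter(sim):
    """{quarter: click rate}; None for a quarter with no sends (no divide-by-zero)."""
    sends, clicks = defaultdict(int), defaultdict(int)
    for q, _user, _tpl, clicked in sim:
        sends[q] += 1
        clicks[q] += int(clicked)
    return {q: (clicks[q] / sends[q] if sends[q] else None) for q in sorted(sends)}


def repeat_clickers(sim, min_clicks=2):
    """Users who clicked at least min_clicks times: the adaptive-remediation queue."""
    per_user = defaultdict(int)
    for _q, user, _tpl, clicked in sim:
        per_user[user] += int(clicked)
    return sorted(u for u, c in per_user.items() if c >= min_clicks)


def template_diversity(sim):
    """Distinct templates per quarter; a low count means the same lures every time."""
    tpls = defaultdict(set)
    for q, _user, tpl, _clicked in sim:
        tpls[q].add(tpl)
    return {q: len(t) for q, t in sorted(tpls.items())}


def underwriting_summary(workforce, training, sim, as_of, min_templates=3):
    """Questionnaire answers plus the gaps an underwriter would flag."""
    cov = training_coverage(workforce, training, as_of)
    rates = [r for r in click_rate_by_quarter(sim).values() if r is not None]
    repeats = repeat_clickers(sim)
    recent = recently_trained(training, as_of)
    gaps = [f"{pop}: {n - t} of {n} untrained in last 12 months"
            for pop, (t, n) in sorted(cov.items()) if pop != "all" and t < n]
    gaps += [f"{u}: repeat clicker with no recent training" for u in repeats if u not in recent]
    gaps += [f"{q}: only {k} template(s) used"
             for q, k in template_diversity(sim).items() if k < min_templates]
    trained, head = cov["all"]
    return {
        "coverage_pct": round(100 * trained / head, 1) if head else None,
        "click_rate_first": rates[0] if rates else None,
        "click_rate_last": rates[-1] if rates else None,
        "repeat_clickers": repeats,
        "gaps": gaps,
    }


if __name__ == "__main__":
    for key, value in underwriting_summary(WORKFORCE, TRAINING, PHISH_SIM, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the output is the story a broker wants to carry into the market (click rate down from 50% to about 17% over four quarters) alongside the gaps that would undercut it: two-thirds coverage, a contractor who was never trained, both repeat clickers outside the training window, and two quarters that reused one or two templates. Point the functions at your real exports and the same gaps list becomes the pre-renewal to-do list.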
The premium math
The exact dollar value varies by carrier and account, but generally: organizations with documented, continuous awareness programs see better quotes than peers without them. In some cases, the premium delta is enough to fully fund the awareness program. In nearly all cases, the program pays for itself if it avoids a single phishing-driven claim over the policy period.
That's the pitch most awareness vendors make. The new context is that the carrier is now making the same pitch — and the bar for what counts as "documented" keeps rising.
What to do at next renewal
Two suggestions for any organization heading into a 2025 cyber renewal:
1. Treat your awareness program as a control documentation exercise. Write down your cadence, your tools, your coverage percentages, your outcome metrics. If you can't produce that document on request, your program won't get full credit at underwriting.
2. Ask your broker for the specific underwriter ask. Different carriers weigh different controls. Some care intensely about MFA coverage; others lean harder on EDR; the savvy ones want to see your awareness metrics. Brokers who specialize in cyber can tell you exactly what each market is asking for and where the marginal control investment moves the premium.
The cyber insurance market is past the panic phase. It's now in the differentiation phase — and the organizations with serious awareness programs are going to come out of it with materially better terms than peers who treat training as compliance theater.
Sources: Verizon 2025 Data Breach Investigations Report — Executive Summary, IBM Cost of a Data Breach Report 2025.