The global cyber insurance market is forecast to grow to between US$30 billion and US$50 billion by 2030, according to Gallagher's 2026 Cyber Insurance Market Outlook. The market is currently estimated at US$16 billion to US$20 billion in 2025.
North America continues to hold the largest share of the market, accounting for 60% to 70% of global premiums. The Asia-Pacific region is expected to record the highest growth rate, driven by increased digitalisation across the region.
Gallagher noted that pricing has stabilised following a three-year softening period, with most buyers experiencing flat rates. The healthcare sector remains an exception, facing single-digit rate increases due to elevated claims activity.
The threat landscape continues to evolve. The average cost of a data breach in the United States reached US$10 million in 2025, according to the US House Committee on Homeland Security. Ransomware remains a persistent threat, though tactics have shifted from data encryption toward data exfiltration and extortion.
These findings align with separate data from Resilience showing a growing mismatch between claim frequency and severity. The average cost of an individual ransomware incident rose by 17% in H1 2025, while incurred claims volumes dropped by more than half at 53%. Ransomware accounted for 91% of incurred claims in that period.
Gallagher reported that ransom payment rates have declined, with only 28% to 32% of victims paying in 2025, down from 37% in 2024. Average ransom payments fell 10% to between US$1.2 million and US$1.8 million.
The report identified several threat actors of concern, including North Korean remote IT workers infiltrating US companies, criminal organisation Scattered Spider, and China-linked Salt Typhoon. Supply chain attacks targeting software-as-a-service companies and cloud providers also continued throughout 2025.
Gallagher highlighted AI-driven cyber losses as an emerging concern. Supply chain compromise accounted for 30% of reported AI-related security incidents, followed by model inversion at 24% and model evasion at 21%.
On the regulatory front, the Cyber Incident Reporting for Critical Infrastructure Act takes effect in May 2026, requiring 72-hour incident reporting. States introduced 200 cybersecurity bills in 2025 focused on breach notification and ransomware defence.
Carriers are tightening policy language around contingent business interruption coverage and non-breach privacy claims. At least one insurer has introduced a standalone AI policy, while others are offering endorsements covering costs to retrain large learning models.
Insurance Business NZ
