Cyber insurance underwriting has changed more substantially in the past three years than most commercial lines have in a decade. The combination of elevated ransomware frequency starting around 2019-2020, followed by significant rate hardening and appetite restriction in 2021-2022, and then gradual market stabilization in 2023-2025, has left carriers and MGAs with cyber appetite rules that often reflect the tightest-market posture — without necessarily reflecting the current risk landscape or available data signals.
This piece examines how cyber insurance appetite rules have shifted, what external data signals are now available at submission time that weren't available three years ago, and where the underwriting intelligence gaps remain largest.
How Cyber Appetite Rules Have Changed Since 2021
The 2021-2022 hard market in cyber insurance produced a rapid tightening of appetite rules across commercial cyber markets. Carriers that had previously written cyber as an add-on or endorsement product began underwriting it as a standalone line with dedicated screens. The specific appetite changes that became standard during this period:
Multi-factor authentication (MFA) became a near-universal requirement rather than a rating factor. Carriers moved from "MFA implemented gives a rate credit" to "no MFA on privileged accounts or remote access means decline." Endpoint detection and response (EDR) deployment became a frequent question. Backup integrity and offline backup capability — the primary defense against ransomware achieving total environment encryption — became required disclosure rather than optional information.
Sector-specific restrictions tightened dramatically. Healthcare organizations, critical infrastructure operators, educational institutions, and municipal governments — sectors with both high ransomware targeting frequency and constrained IT security budgets — saw sharp appetite restrictions. Some carriers excluded these sectors entirely from their admitted market programs; others offered coverage only at significantly elevated rates with co-insurance requirements or ransomware sublimits.
Sublimits and coinsurance on ransomware became standard in primary market programs. A $5M cyber policy might carry a ransomware sublimit of $1-2M and a 20% coinsurance requirement on ransomware claims — substantially changing the economics of the coverage for buyers and the exposure for carriers compared to pre-2021 structures.
External Data Signals Available at Submission Time
One of the most significant changes in commercial cyber underwriting from 2021 to 2025 is the availability of external data signals at submission time. Three years ago, a cyber underwriter evaluating an ACORD 125 submission and a cyber supplemental had primarily self-reported information: the insured's statements about their security controls, their prior claims, and their IT environment. External validation was limited.
Several data providers now offer cyber-specific signals that can be queried at submission, including: outside-in security ratings (DNS hygiene, open ports, TLS certificate configuration, known exposed services accessible from the public internet); breach history data (whether the insured's domain or email addresses appear in known credential breach datasets); and technology stack identification (which software platforms, cloud providers, and SaaS tools the insured is running, derivable from DNS and web infrastructure fingerprinting).
These signals are imperfect — outside-in data doesn't capture inside-the-firewall security controls, which are often the most operationally relevant — but they provide a baseline external validation that wasn't available when self-reported cyber supplemental questions were the primary underwriting input. Outside-in data can contradict a self-reported control; it cannot confirm one. An insured that reports strong MFA and EDR deployment but shows multiple exposed services in an outside-in scan is providing inconsistent signals, and that inconsistency is worth flagging at the submission stage rather than discovered at claim time.
The challenge is incorporating these external signals into the underwriting workflow at intake rather than as part of a separate manual research process. Cyber submissions that trigger an outside-in scan at ingestion — and produce a signal flag when the external data conflicts with the self-reported controls — get routed to underwriter attention more efficiently than ones where the external check happens only if the underwriter thinks to run it.
Where the Data Gaps Remain
We're not saying that available external cyber data signals are sufficient for underwriting decisions — they're not. The most significant underwriting-relevant cyber risk information remains self-reported or obtainable only through direct engagement with the insured's IT team.
Backup integrity is the clearest example. Whether an insured has offline, air-gapped backups that a ransomware attack couldn't encrypt is the single most important variable in determining the potential severity of a ransomware event. It's also completely invisible from external data. An outside-in security scan can't tell you anything about backup architecture. This information is only available through the cyber supplemental questionnaire — which means the quality of the underwriting process depends on whether the producer and insured are answering that question accurately.
Privileged access management and identity architecture — how privileged accounts are controlled, whether service accounts have domain admin rights, whether lateral movement within the network would be constrained by segmentation — are equally important and equally invisible from external data. These questions require a technically informed supplemental, and the quality of answers varies considerably by insured and producer.
For smaller commercial insureds in the $2M-$20M revenue range — a significant portion of the commercial package market — IT security is often managed by a single person or a managed service provider. The controls in place may be better or worse than those at larger companies, but the ability to accurately describe them in a supplemental questionnaire is limited. Underwriting that relies heavily on supplemental responses for this segment is operating with systematically noisy input data.
A Scenario: Appetite Rule Configuration for a Mid-Market Cyber Program
Consider a specialty MGA building a commercial cyber program for mid-market commercial insureds — businesses with $5M to $50M in annual revenue, across manufacturing, professional services, and light industrial sectors in the Midwest. The MGA's capacity provider requires screening for ransomware controls as a condition of binding authority.
The MGA's initial appetite configuration used a set of binary screening questions: MFA on email (required), MFA on remote access (required), EDR deployed on endpoints (required), offline backup present (required). Any submission with a "no" on any required control was routed to senior underwriter review with a documented reason for any non-standard consideration.
The first-quarter submission flow revealed a pattern: manufacturing accounts in the MGA's target market consistently showed "no" on EDR deployment, not because they lacked security controls but because their industrial control system (ICS) environments couldn't support standard EDR tools without operational disruption. The binary question didn't have a mechanism for capturing the compensating controls those accounts did have — network segmentation between OT and IT networks, dedicated OT security monitoring.
Refining the appetite configuration to handle manufacturing separately — with an ICS/OT environment flag that triggered a different control screening path — reduced the manual referral rate on manufacturing submissions while maintaining appropriate scrutiny for the specific risks that matter in that environment. The configuration change required adding a sector flag to the ACORD 125 intake and a separate control questionnaire for ICS-present accounts, not a rebuild of the underlying appetite framework.
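The screening logic described in this scenario, together with the ingestion-time conflict flag between self-reported controls and outside-in data discussed earlier, can be expressed as a small rule set. The following is an added example written for this article, not Perilarc's product code: the sector/ICS flag, control names, outside-in field names, thresholds and the four sample submissions are all constructed for illustration.

```python
"""Illustrative cyber appetite screening rules.

Added example, not Perilarc's product code. Field names, thresholds and the
sample submissions below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Submission:
    account: str
    sector: str                   # e.g. "manufacturing", "professional_services"
    ics_present: bool             # sector flag captured at intake (constructed field)
    controls: Dict[str, bool]     # self-reported cyber supplemental answers
    outside_in: Dict[str, int]    # outside-in scan summary (constructed field names)


@dataclass
class Decision:
    account: str
    path: str                     # "standard" or "ics_ot"
    route: str                    # "bind_standard" or "senior_review"
    missing_controls: List[str] = field(default_factory=list)
    signal_conflicts: List[str] = field(default_factory=list)


# Standard path: the four binary required controls from the scenario.
STANDARD_REQUIRED = ["mfa_email", "mfa_remote_access", "edr_endpoints", "offline_backup"]

# ICS/OT path: endpoint EDR is not required where OT hosts cannot run it;
# the compensating controls named in the scenario are required instead.
ICS_OT_REQUIRED = ["mfa_email", "mfa_remote_access", "offline_backup",
                   "it_ot_segmentation", "ot_security_monitoring"]

# Outside-in exposure count above which a "strong controls" self-report is flagged.
EXPOSED_SERVICES_THRESHOLD = 3


def select_path(sub: Submission) -> Tuple[str, List[str]]:
    """Pick the control screening path from the sector/ICS flag."""
    if sub.sector == "manufacturing" and sub.ics_present:
        return "ics_ot", ICS_OT_REQUIRED
    return "standard", STANDARD_REQUIRED


def external_conflicts(sub: Submission) -> List[str]:
    """Compare self-reported controls with the outside-in scan summary.

    Only inconsistencies are flagged: a clean scan never proves a control
    exists (backups, PAM and segmentation are invisible from outside).
    """
    conflicts = []
    scan = sub.outside_in
    if sub.controls.get("mfa_remote_access") and scan.get("exposed_remote_access_services", 0) > 0:
        conflicts.append("mfa_remote_access reported, but remote-access services are exposed to the internet")
    if sub.controls.get("edr_endpoints") and scan.get("exposed_services", 0) > EXPOSED_SERVICES_THRESHOLD:
        conflicts.append(f"edr_endpoints reported, but {scan['exposed_services']} services exposed "
                         f"(threshold {EXPOSED_SERVICES_THRESHOLD})")
    return conflicts


def screen(sub: Submission) -> Decision:
    """Apply the appetite rules to one submission and decide the route."""
    path, required = select_path(sub)
    missing = [c for c in required if not sub.controls.get(c, False)]
    conflicts = external_conflicts(sub)
    route = "senior_review" if (missing or conflicts) else "bind_standard"
    return Decision(sub.account, path, route, missing, conflicts)


def referral_rate(decisions: List[Decision]) -> float:
    """Share of submissions routed to senior review (the metric the scenario tracks)."""
    if not decisions:
        return 0.0
    return sum(d.route == "senior_review" for d in decisions) / len(decisions)


# Constructed sample submissions (names and values are invented).
SAMPLE = [
    Submission("Acme Consulting", "professional_services", False,
               {"mfa_email": True, "mfa_remote_access": True, "edr_endpoints": True, "offline_backup": True},
               {"exposed_services": 1, "exposed_remote_access_services": 0}),
    Submission("Midwest Stamping", "manufacturing", True,
               {"mfa_email": True, "mfa_remote_access": True, "edr_endpoints": False, "offline_backup": True,
                "it_ot_segmentation": True, "ot_security_monitoring": True},
               {"exposed_services": 2, "exposed_remote_access_services": 0}),
    Submission("Lakeside Machining", "manufacturing", False,   # ICS flag not captured at intake
               {"mfa_email": True, "mfa_remote_access": True, "edr_endpoints": False, "offline_backup": True},
               {"exposed_services": 2, "exposed_remote_access_services": 0}),
    Submission("River Legal", "professional_services", False,
               {"mfa_email": True, "mfa_remote_access": True, "edr_endpoints": True, "offline_backup": True},
               {"exposed_services": 5, "exposed_remote_access_services": 1}),
]


def run_sample() -> List[Decision]:
    """Screen the constructed sample; two of four route to senior review."""
    return [screen(s) for s in SAMPLE]


if __name__ == "__main__":
    for d in run_sample():
        print(d.account, d.path, d.route, d.missing_controls, d.signal_conflicts)
    print(f"referral rate: {referral_rate(run_sample()):.0%}")
```

The two manufacturing accounts show the point of the sector flag: the same "no" on EDR sends the account without an ICS flag to senior review as a missing control, while the flagged account is screened on the compensating-control path and binds on standard terms. The last account shows the conflict flag doing its job at ingestion: every required control is reported as present, but the outside-in summary disagrees, so the submission is routed for attention with the specific inconsistency recorded.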
Coverage Form Evolution and TRIA Interaction
Commercial cyber coverage forms have evolved significantly since 2020, and the current market has moved toward more explicit coverage definitions for first-party losses (system restoration, business interruption, ransom payments) versus third-party liability (data breach notification costs, regulatory defense, liability to third parties for systems damage).
The interaction between cyber coverage and TRIA deserves attention in appetite configuration. The Terrorism Risk Insurance Act applies to commercial property and casualty lines, and buyers increasingly ask whether cyber terrorism is within the scope of their cyber policy. Most commercial cyber forms now include explicit language addressing the TRIA interaction. The appetite rule for cyber should note whether the program is TRIA-eligible, and if so, how terrorism-related cyber events interact with the sublimit and coinsurance structures in the primary form.
Appetite Stability in a Stabilizing Market
The cyber insurance market has stabilized meaningfully from the 2021-2022 peak of hard market conditions. Ransomware frequency, while still elevated relative to pre-2019 levels, has not continued the acute escalation of 2020-2021. Rate levels have moderated in most commercial cyber segments after the significant increases of 2021-2022.
Appetite rule maintenance in a stabilizing market requires judgment about which restrictions from the hard market cycle remain actuarially justified versus which were responses to acute uncertainty that no longer applies. The MFA requirement is clearly durable — it reflects a fundamental access control principle that hasn't changed regardless of market cycle. Ransomware sublimits calibrated to 2021-2022 severity assumptions may be worth reviewing against current claim data. Sector exclusions applied broadly to healthcare and education may be worth disaggregating by insured size and security maturity, rather than maintaining them as categorical rules.
Appetite review for cyber should happen more frequently than for other commercial lines — at least semi-annually — given the pace at which the threat landscape, coverage forms, and external data availability continue to evolve. An appetite matrix built in mid-2022 for the peak hard market may no longer reflect where the risk and the market actually are in 2025-2026.
Perilarc supports cyber insurance appetite configuration with external data signal integration and sector-specific control screening paths. To discuss how your current cyber appetite rules map to available submission signals, request a pilot review.