As we look to 2025 and beyond, four key themes will impact the cyber insurance industry.
1. Coverage for AI risks
Artificial Intelligence (AI) technology continues to evolve rapidly, transforming nearly every industry. While AI presents significant opportunities, it also introduces new challenges for businesses. Businesses leveraging AI must proactively assess and manage these unique risks, ensuring their insurance programs adequately cover both current and emerging AI-related risks.
Insurers are slowly starting to respond to the use of AI by businesses and to address potential coverage gaps for policyholders. While AI risks are potentially caught within current cyber coverage, insurers are increasingly addressing the "silent AI" issue by introducing affirmative AI insurance cover within cyber insurance policies to provide clarity on how incidents are covered when AI is involved, or creating a new insurance product to specifically address AI-related risks. For example, AXA XL has added a Generative AI models endorsement to its global cyber insurance coverage; Coalition has added a new Affirmative Artificial Intelligence (AI) Endorsement to clarify what is covered by its US Surplus and Canada Cyber Insurance policies, whilst Armilla Assurance has created a new Armilla Guaranteed product that provides warranty coverage for AI products. New insurance products and affirmative AI cover will continue to emerge in 2025 and beyond as the industry moves to address evolving AI-related risks faced by businesses utilising AI.
As stated above, even where AI risks are not explicitly covered, "traditional" policies such as property and liability policies (e.g. professional indemnity (PI) or directors and officers (D&O) policies) may respond to AI risks or provide "silent" coverage through the absence of AI-specific exclusions. The biggest risk for insurers here is providing cover for unforeseen losses and claims where the risks have not been assessed or priced. In their efforts to address the silent AI issue, some insurers may also decide to include AI exclusions in policy wordings as AI risks become more defined or claims arising from AI-related risks increase. To date, however, we have generally not seen explicit AI exclusions in liability policies, at least in Australia. The dynamic and ongoing development of AI also presents challenges for insurers in drafting exclusions that strike a balance between precisely defining AI and not significantly reducing coverage, which impacts demand for the insurance product. We anticipate that insurers will seek to evaluate their suite of products to identify "silent AI" issues and whether any changes need to be made to clarify the scope of cover relevant to AI risks.
Before considering AI-specific insurance policies or endorsements, businesses should evaluate their use of AI ("In what processes do we utilise AI?"), their current "traditional" policies to understand the scope of coverage currently available ("Which liability insurance that we currently hold may respond to AI-related risks?"), including any applicable exclusions related to AI-related risks, and whether they need AI-specific coverage. In particular, policyholders should consult their brokers to review existing coverage and ensure that future coverage is designed to protect against and mitigate new risks associated with leveraging AI in their business.
2. Proactive breach preparation
As businesses uplift their cyber resilience and become more aware of evolving cyber risks, we expect to see more businesses undertaking proactive breach preparation.
A key benefit of cyber insurance is the provision of incident response management services by experts on the cyber insurer's panel, often without an excess applicable. However, for years, insureds have not been familiar with the insurer's incident response management services until an incident occurs, and it can be challenging to establish and maintain a good working relationship with an unfamiliar individual or team in the midst of a crisis.
As such, we have increasingly seen insureds reach out to the insurer's incident response management services panel to request pre-breach training, table-top exercises and/or to enhance their cyber incident response plan with that particular incident response management services expert in mind. If and when an incident does occur, the business is then already familiar with that expert, and can work seamlessly with them to manage the incident. Proactive breach preparation will enhance insureds' preparation and reduce any delays in the management of an incident. This is a positive development for the cyber insurance industry.
3. Increasing identity and access management requirements for cyber coverage
Cyber insurers typically impose certain baseline security requirements on businesses to qualify for cyber insurance coverage. These requirements often include preventative controls such as employee training, data backups and recovery policies, enabling multifactor authentication (MFA) and implementing Privileged Access Management (PAM). Insurers use these security requirements and risk assessments to evaluate and mitigate risks and quote coverage and premiums before providing cyber insurance coverage.
Globally, and in Australia, a growing proportion of cyber attacks and resulting claims are linked to identity and privilege compromises. For instance, Delinea's 2024 Cyber Insurance Research Report revealed that identity and privilege compromises account for 47% of cyber attacks leading to insurance claims. This trend underscores the growing vulnerability of business accounts and credentials in cyber attacks, reflecting threat actors' heightened focus on exploiting valid accounts and credentials to gain access to business systems.
In response, cyber insurers are placing, and will continue to place, greater emphasis on identity and access management within businesses and their associated risks. Consequently, we are witnessing an increase in the scope and extent of security requirements for privileged access and other identity security controls by cyber insurers. This trend is expected to continue in 2025 and beyond.
4. Growing importance of Contingent or Dependent Business Interruption cover
In 2024, a seemingly simple software update by cloud-based cyber security platform CrowdStrike caused a global crisis. The update sent 8.5 million Windows devices into chaos, crashing Microsoft Azure systems. Additionally, a ransomware attack on Change Healthcare, a provider of revenue and payment cycle management within the US healthcare system, resulted in file encryption and the theft of protected health information of an estimated 190 million individuals. This attack led to an outage that lasted for several weeks, severely hampering claims processing and causing massive disruption to the revenue cycles of providers such as physician practices, hospitals, and pharmacies.
These unprecedented events disrupted services to thousands of businesses, in both cases due to a single point of failure or interruption linked to a single third-party service provider. The CrowdStrike and Change Healthcare incidents (among others) highlight the systemic risk presented by third-party technology providers that may have thousands or even millions of users or customers. This systemic risk is caused by businesses being increasingly reliant on technology, creating a growing vulnerability to cyber risks arising from their third-party technology supply chains. Minor disruptions or interruptions can have widespread and cascading effects, bringing millions of businesses and entire industries to a standstill and potentially causing significant financial losses.
Contingent or Dependent Business Interruption (DBI) coverage refers to coverage for an insured’s loss of income as a result of a disruption or outage of a third-party service provider, which in turn disrupts the insured business’s operations. DBI coverage provides a solution to businesses looking to manage cyber risks arising from their third-party technology supply chains. In light of the recent CrowdStrike and Change Healthcare incidents and their widespread effects, we anticipate that DBI cover will become an increasingly important part of the risk management strategy of businesses in 2025 and beyond, with businesses seeking specific coverage for DBI to manage risks connected with third-party technology supply chains. This is already becoming more common in cyber insurance policies.
Businesses should evaluate their exposure to the risk of disruption or interruption to their third-party technology supply chains and consider whether their current insurance program or standalone cyber insurance policies include coverage for DBI. Businesses should also check that their cyber insurance policy has a “system failure trigger” or similar for DBI, which provides cover for disruptions caused by system failures, such as those seen in the CrowdStrike incident, which are not necessarily the result of a cyber attack. While some cyber policies provide standard business interruption cover, this cover is generally limited to the insured business’s own network and may not provide coverage for losses arising from a failure of a third party’s network.
This article appears in the 2025 edition of CyberSight 360: A legal perspective on cyber security and insurance