Quick Answer
Cyber insurance premiums declined 5–15% across most market segments in early 2026, creating the most favorable buyer’s market since 2020. Despite average ransomware claims hitting $5.3 million, increased carrier competition, improved risk modeling, and better policyholder security practices are driving rates down. SMBs that have been on the sidelines should act now — lock in multi-year policies and negotiate coverage enhancements while carriers are competing for business.
Key Takeaways
- Premiums fell 5–15% in Q1–Q2 2026, with the steepest declines for mid-market companies ($10M–$50M revenue)
- Ransomware claims averaged $5.3M per incident, yet insurers are paying out more willingly as profitability stabilizes
- $240B protection gap remains for small businesses — most SMBs still lack any cyber coverage
- Underwriting scrutiny is increasing even as prices drop: MFA, EDR, and encrypted backups are now baseline requirements
- Multi-year policies are the smart play — lock in 2026 rates before the market hardens again
- Coverage enhancements (supply chain, business interruption, social engineering) are negotiable in a soft market
The Cyber Insurance Soft Market: What’s Happening in 2026?
The cyber insurance market has entered a soft market phase in 2026, characterized by declining premiums, broader coverage terms, and increased carrier capacity. According to Lockton’s Q1 2026 market update, average cyber insurance rates fell between 5% and 15% depending on the segment, with some mid-market accounts seeing declines of 20% or more at renewal.
This marks a dramatic shift from the hard market of 2021–2023, when premiums surged 30–100% year-over-year. Aon’s Q1 2026 Global Insurance Market Overview confirms that cyber is the only major commercial line experiencing consistent rate decreases, even as claims frequency and severity remain elevated.
Soft Market by the Numbers (Mid-2026)
| Metric | 2025 (H2) | 2026 (H1) | Change |
|---|---|---|---|
| Average premium ($5M revenue company) | $8,200/yr | $7,100/yr | -13% |
| Average premium ($25M revenue company) | $28,500/yr | $24,800/yr | -13% |
| Average ransomware claim | $4.7M | $5.3M | +13% |
| Claim payout ratio | 68% | 72% | +4pp |
| Policies with sub-$2,500 deductible | 14% | 22% | +8pp |
| Carriers offering multi-year terms | 45% | 67% | +22pp |
Sources: Lockton, Aon, WTW, Munich Re — Q1–Q2 2026 market reports
Why Are Cyber Insurance Premiums Falling?
Several converging factors are driving the soft market:
1. Increased Carrier Competition
New entrants — including Chubb, Beazley, Coalition, and At-Bay expanding their SMB footprints — have added significant capacity. With more carriers chasing a growing addressable market, pricing competition has intensified. Carrier Management reports that underwriters are offering broader terms and lower premiums to win or retain business.
2. Better Risk Modeling
After a decade of claims data, insurers have dramatically improved their actuarial models. Munich Re’s 2026 Cyber Risks and Trends report highlights that predictive models now incorporate:
- Real-time threat intelligence feeds
- Industry-specific attack probability scoring
- Security posture assessments (including MFA status, EDR deployment, backup verification)
- AI-driven claims forecasting
This allows carriers to price risk more precisely, reducing the “uncertainty premium” that inflated rates in 2021–2023.
3. Policyholder Security Improvements
SMBs are finally adopting baseline security controls. According to WTW’s 2026 cyber claims report:
- 78% of insured SMBs now have multi-factor authentication (up from 51% in 2023)
- 65% use endpoint detection and response (EDR) tools (up from 38%)
- 71% maintain encrypted, offline backups (up from 44%)
Better security means fewer successful attacks, which means fewer payouts — and carriers pass some savings back to policyholders.
4. Profitable Combined Ratios
The cyber insurance industry reached a combined ratio of 89% in 2025 (down from 104% in 2021), according to Munich Re. With premiums exceeding claims plus expenses, carriers have room to reduce pricing while maintaining profitability.
Claims Trends: More Attacks, Better Outcomes
While premiums are falling, claims are not. The paradox of the 2026 soft market is that attack frequency is rising but insurer profitability is improving.
Ransomware: $5.3M Average Cost
WTW’s latest data shows the average ransomware incident now costs $5.3 million when factoring in:
- Ransom payments (average: $850K, median: $320K)
- Business interruption losses (average: $2.1M)
- Recovery and forensic costs (average: $1.4M)
- Legal and regulatory costs (average: $950K)
Despite these eye-watering numbers, Willis’ 2026 cyber claims report found that cyber insurance is delivering meaningful financial protection — covering an average of 84% of first-party losses and 76% of third-party losses.
What’s Driving Claims in 2026?
- AI-powered phishing attacks — more convincing, higher volume
- Supply chain compromises — attackers targeting vendor ecosystems
- Business email compromise (BEC) — still the #1 claim type by frequency
- Deepfake-enabled fraud — emerging but growing fast
The $240B Protection Gap for SMBs
Despite falling premiums, Datavault AI estimates a $240 billion protection gap for small and mid-sized businesses. Most SMBs remain uninsured:
- 60% of SMBs have no cyber insurance at all
- 23% have coverage but are significantly underinsured
- Only 17% carry adequate coverage limits
The soft market represents a once-in-a-decade opportunity to close this gap. Premiums have never been more affordable, coverage terms have never been broader, and the threat landscape has never been more active.
Why Haven’t SMBs Bought Coverage?
| Barrier | % of Uninsured SMBs |
|---|---|
| ”Too expensive” | 34% |
| “Don’t think we need it” | 28% |
| “Don’t understand coverage” | 19% |
| “Haven’t gotten around to it” | 12% |
| “Denied coverage previously” | 7% |
With 2026 rate declines, the cost barrier is lower than ever. A small business with $2M in revenue can now secure $1M in cyber coverage for approximately $1,200–$2,500 per year — less than the cost of a single forensic investigation.
Underwriting Scrutiny Is Increasing — Even as Rates Drop
Don’t confuse a soft market with loose underwriting. Cybersecurity Dive reports that carriers are conducting more rigorous underwriting in 2026, not less. The difference is that they’re using better data and more targeted questionnaires rather than blanket exclusions.
What Insurers Now Require (2026 Baseline)
- Multi-factor authentication (MFA) on all remote access, email, and privileged accounts
- Endpoint detection and response (EDR) deployed on all endpoints
- Encrypted, offline backups with documented restore testing
- Security awareness training for all employees (annual minimum)
- Patch management with documented SLAs for critical vulnerabilities
What Insurers Are Starting to Ask About
- AI governance policies — are you monitoring AI tool usage?
- Supply chain risk management — do you vet vendor security?
- Incident response plan — when was it last tested?
- Identity threat detection — beyond MFA, are you monitoring for compromised credentials?
Companies that can demonstrate strong security posture are rewarded with the steepest rate reductions. Those with gaps may still get coverage, but at higher prices and with more exclusions.
Should SMBs Buy Cyber Insurance Now or Wait?
Buy now. The current soft market is unlikely to last beyond mid-2027. Here’s why:
Factors That Could Re-Harden the Market
- A major catastrophic cyber event (e.g., widespread infrastructure attack) could trigger industry-wide rate hikes
- AI-driven attack escalation could outpace security improvements
- Regulatory changes (SEC disclosure rules, CIRCIA reporting, state privacy laws) increase claim costs
- Reinsurance capacity could tighten if global cyber losses spike
The Multi-Year Policy Advantage
With 67% of carriers now offering multi-year terms (up from 45% in 2025), SMBs can lock in 2026 rates for 2–3 years. This protects against future rate increases and provides budget certainty.
| Strategy | Pros | Cons |
|---|---|---|
| 1-year policy | Flexibility to switch carriers | Exposed to rate hikes in 2027 |
| 2-year policy | Rate lock, moderate flexibility | May miss better terms if market softens further |
| 3-year policy | Maximum rate protection | Locked in if coverage needs change |
Recommendation: For most SMBs, a 2-year policy offers the best balance of rate protection and flexibility.
How to Capitalize on the 2026 Soft Market
1. Shop Around — Aggressively
With carriers competing, obtain quotes from at least 3–4 insurers. Work with a broker who specializes in cyber insurance to access markets that don’t sell direct.
2. Negotiate Coverage Enhancements
In a soft market, carriers are willing to add coverage at little or no cost:
- Supply chain / contingent business interruption — covers losses when a vendor is breached
- Social engineering fraud — expanded to include AI-enabled deepfake fraud
- Regulatory defense costs — covers SEC, state AG, and GDPR investigations
- Cyber extortion — unlimited sublimit rather than capped at 25% of policy limit
- Reputation repair — PR and customer notification costs
3. Lower Your Deductible
22% of policies now offer deductibles under $2,500 (up from 14% in 2025). If your current deductible is $10,000+, ask your broker about reducing it — the premium impact is often minimal.
4. Bundle for Discounts
Many carriers offer 10–15% discounts when cyber is bundled with other lines (D&O, E&O, general liability). If your business carries multiple policies, consolidate them with one carrier.
5. Improve Your Security Posture Before Renewal
Complete these upgrades 60–90 days before your renewal date:
- Deploy MFA on all accounts (if not already)
- Install EDR on all endpoints
- Document and test your incident response plan
- Conduct a tabletop exercise with key staff
Insurers use renewal questionnaires to price risk — better answers mean better rates.
Cost Comparison: 2025 vs 2026 by Company Size
Use these benchmarks to evaluate your premium. If you’re paying significantly more than the 2026 column, it’s time to renegotiate.
| Company Revenue | Coverage Limit | 2025 Avg Premium | 2026 Avg Premium | Savings |
|---|---|---|---|---|
| Under $1M | $500K | $1,800–$3,500 | $1,500–$3,000 | -15% |
| $1M–$5M | $1M | $3,500–$7,000 | $3,000–$6,000 | -14% |
| $5M–$10M | $1M–$2M | $6,500–$12,000 | $5,500–$10,500 | -15% |
| $10M–$25M | $2M–$5M | $12,000–$25,000 | $10,000–$21,000 | -17% |
| $25M–$50M | $5M–$10M | $22,000–$45,000 | $18,500–$38,000 | -16% |
| $50M–$100M | $10M–$25M | $40,000–$85,000 | $33,000–$72,000 | -17% |
Estimates based on Lockton, Aon, and WTW 2026 market data. Actual premiums vary by industry, security posture, and claims history.
Ready to get a personalized estimate? Use our cyber insurance cost calculator to see where your business falls on the pricing curve.
Industry-Specific Impact
The soft market affects industries differently. Here’s how key sectors are faring:
- Healthcare: Modest declines (5–8%) due to high claim frequency. HIPAA compliance is table stakes. See our healthcare cyber insurance guide.
- Financial Services: Significant declines (12–18%) as banks and fintechs have strong security postures.
- Retail: Mixed — ecommerce retailers see 10–15% declines, but POS-dependent businesses face more scrutiny.
- Technology/SaaS: Largest declines (15–22%) as tech companies naturally meet security requirements.
- Legal/Professional Services: 8–12% declines. See our law firm cyber insurance guide.
FAQ
How much have cyber insurance rates dropped in 2026?
Cyber insurance premiums declined an average of 5–15% in Q1–Q2 2026, with mid-market companies seeing the steepest reductions (up to 22%). According to Lockton and Aon, this is the most significant sustained rate decrease in the cyber insurance market’s history.
Is cyber insurance getting cheaper for small businesses?
Yes. A small business with $2M in revenue can now secure $1M in cyber coverage for approximately $1,200–$2,500 per year — down 15% from 2025. However, the $240B protection gap shows most SMBs still don’t carry coverage despite falling prices.
Why are cyber insurance premiums falling despite more claims?
Premiums are falling due to increased carrier competition, better actuarial risk modeling, improved policyholder security posture (78% MFA adoption), and profitable combined ratios (89% in 2025). Even with rising claims, insurers can offer lower rates because they have better data and more capacity.
Should I lock in a multi-year cyber insurance policy in 2026?
Yes. With 67% of carriers now offering multi-year terms, a 2-year policy is the smart play for most SMBs. It locks in current soft-market rates and provides budget certainty. If the market hardens in 2027–2028 due to a major cyber event or AI-driven attack escalation, you’ll be protected from rate hikes.
What security controls do insurers require in 2026 soft market?
Insurers require MFA on all remote access and email, EDR on all endpoints, encrypted offline backups with tested restores, annual security awareness training, and documented patch management SLAs. They’re also increasingly asking about AI governance policies, supply chain risk management, and incident response testing.
How long will the cyber insurance soft market last?
Industry analysts expect the soft market to persist through mid-to-late 2027. Factors that could re-harden the market include a catastrophic systemic cyber event, AI-driven attack escalation outpacing defenses, or tightening reinsurance capacity. SMBs should take advantage of current pricing while it lasts.
Can SMBs negotiate better cyber insurance rates in 2026?
Absolutely. In a soft market, carriers compete for business. SMBs should obtain 3–4 quotes, negotiate coverage enhancements (supply chain, social engineering, regulatory defense), request lower deductibles, and bundle cyber with other lines for 10–15% discounts. Working with a specialized cyber insurance broker is highly recommended.
What coverage enhancements should SMBs add during the soft market?
Priority enhancements include supply chain / contingent business interruption, social engineering fraud (expanded for AI deepfake incidents), regulatory defense costs, unlimited cyber extortion sublimits, and reputation repair coverage. Carriers are adding these at little or no cost in 2026 to win business.
Conclusion: The Window Is Open — But It Won’t Stay Open Forever
The 2026 cyber insurance soft market is a generational buying opportunity for SMBs. Premiums are down 5–15%, coverage terms are broader than ever, and carriers are actively competing for business. But soft markets are cyclical — a major breach, regulatory shift, or AI-driven attack wave could reverse the trend quickly.
The smart move: Evaluate your coverage needs now, improve your security posture, shop multiple carriers, and lock in a 2-year policy at today’s rates. Don’t wait for the market to harden before taking action.
Ready to estimate your costs? Use our cyber insurance cost calculator to get an instant premium estimate based on your industry, revenue, and security profile.