The sector's fast growth masks deep coverage gaps and weak SMB penetration
By Chris Davis
Nov 24, 2025
Cyber insurance may be gaining traction fast, but its infrastructure remains underdeveloped - and in many cases, dangerously incomplete.
“The cyber insurance sector is still in its relative infancy - experiencing rapid growth but also facing notable challenges and gaps in coverage,” said Matthew Belkin, head of cyber services at Acrisure Cyber Services.
Though cyber coverage has been around since AIG issued the first policy in 1997, Belkin pointed out the industry’s age pales in comparison to traditional lines. “Compared to other insurance verticals, it is quite new,” he said, recalling early incidents like the 1983 breach by the “414” gang that targeted Los Alamos National Laboratory.
That relative newness is playing out most visibly in coverage shortfalls. A significant portion of the market remains either uninsured or underinsured - particularly among small and mid-sized businesses (SMBs). “A recent Acrisure survey of US businesses with 500 or fewer employees revealed that 82% do not have a dedicated cyber insurance policy,” Belkin said.
For carriers and brokers, that’s a double-edged sword: a massive exposure problem on one side, and a growth opportunity on the other.
Post-CrowdStrike: policy shortcomings go mainstream
The global 2024 CrowdStrike outage delivered a jarring wake-up call. A software update - not a cyberattack - brought operations to a halt across industries, grounding flights and triggering system crashes worldwide.
“System crashes impacted millions of Windows machines, with estimated global damages around $5.4 billion,” Belkin said. “However, insurer losses are projected at less than a quarter of that.”
Why the gap? Many policies excluded this kind of event altogether. Even those with business interruption coverage often had waiting periods of 6 to 24 hours - rendering them effectively useless since CrowdStrike was able to deploy a fix within about 90 minutes. “Businesses had little control - the outage resolution depended entirely on CrowdStrike,” he said.
Now, lawsuits are stacking up. Companies like Delta Air Lines have launched legal action, alleging gross negligence as they try to recover losses. At the same time, demand is shifting. Clients want policies that don’t just cover malicious acts, but also operational disruptions from third-party dependencies - whether caused by attacks or internal errors.
Underwriting moves beyond static models
While client expectations evolve, underwriting is starting to catch up. “We’re seeing a move away from static, annual questionnaires toward continuous, API-driven data collection,” Belkin said.
The shift allows insurers to tap real-time insights from endpoint detection and cloud security tools, aligning premiums with a company’s current risk posture. “It marks a step change in how cyber risk is evaluated and managed,” he added.
That evolution is critical as exposures diversify. Static assessments can’t keep pace with today’s fluid threat environment. Continuous monitoring offers a more responsive model - one that may become the new baseline in the years ahead.
The SMB market: big risks, bigger opportunity
The most glaring gap - and most significant opportunity - lies in the underserved SMB market.
“While 82% of businesses with 500 or fewer employees reported not having cyber liability coverage, more than half of those (53%) indicated they are ‘very likely’ to purchase a policy within the next year,” Belkin said.
But even among those ready to buy, too many don’t understand the product - or haven’t even been offered one. “A 2024 Munich Re survey found that 28% of companies had never even been offered cyber insurance,” Belkin said. “Furthermore, 26% of businesses without coverage said they did not know cyber insurance existed, and 23% cited confusion over what is covered.”
The lack of awareness points to a broader education gap. Belkin argued that brokers need more support, not just in understanding the product, but in how to communicate its relevance to clients.
To bridge that divide, Acrisure rolled out Simple Cyber℠, a bundled solution that combines managed detection and response (MDR), email security, and optional cyber coverage into one package. “It reflects a shift toward holistic protection - delivering both proactive defenses and financial risk transfer in one solution,” he said.
Modeling for systemic risk still lags
Despite improvements in underwriting and innovation, one key area remains behind: systemic risk modeling.
“The industry needs to advance how it models systemic risks - in much the same way natural catastrophe models have evolved in property insurance,” Belkin said.
That means better frameworks for evaluating digital supply chain risk, vendor exposures, and aggregated vulnerabilities across sectors. The current approach lacks the granularity and predictive strength to handle wide-scale digital failure.
Staying relevant means moving beyond resale
Looking ahead, Belkin said managed service providers (MSPs) like Acrisure Cyber Services will need to rethink their role entirely. “The biggest challenge over the next two to three years will be evolving from traditional perimeter-focused models to proactive, AI-driven security services,” he said.
Reselling products isn’t enough. With cyber threats escalating and skilled talent in short supply, MSPs will need to offer automation, proprietary tools, and expert guidance to stay competitive.
“Simply reselling products will no longer be sufficient,” Belkin said. “To remain relevant and sustainable, MSPs must focus on service innovation, proprietary expertise, and automation.”