Cybersecurity Expert: Why Your Business Needs This One Thing That 62% of Companies Already Have

Technology | April 2, 2026

A cybersecurity expert explains why cyber insurance has become a must-have for modern businesses, with 62% of companies now having a policy in place.

AI-driven scams and cyberattacks are becoming more sophisticated, moving faster than most businesses can keep up with. From phishing emails generated by large language models to deepfakes of a CEO’s voice authorizing fraudulent wire transfers, scammers are taking full advantage of both human error and machine deception. 

According to Heimdal Security’s latest cyber insurance statistics report, 62% of businesses worldwide now hold a cyber insurance policy, up sharply from 49% in 2024. This rapid rise shows a clear shift in mindset. 

“Cyber insurance is no longer seen as optional; it’s fast becoming a cornerstone of modern business resilience,” says Danny Mitchell, cybersecurity writer at Heimdal Security. Below, Mitchell explains the reasoning and statistics behind this growing trend. 

The rise of cyber insurance: A $20.56 billion market

In 2025, the global cyber insurance market reached $20.56 billion. That’s a significant milestone, though growth has slowed from the explosive 31% rate seen between 2017 and 2022. 

The reason? A mature market, as more firms are already insured than ever before.

Premiums are currently 6% lower than in 2024 and 22% lower than their 2022 peak. However, experts predict a rebound in 2026, with costs expected to jump between 15% and 20%. 

“This fluctuation reflects insurers recalibrating after an era of intense ransomware losses,” says Mitchell. “We’ve reached a point where insurers finally understand cyber risk at scale. Prices dipped because claims fell, but as AI makes attacks faster and more targeted, expect those savings to disappear. What you save today on premiums could cost ten times more in the next data breach.”

Who’s buying, and who’s still hesitant

While nearly two-thirds of global firms now have some form of cyber insurance, adoption varies by company size. According to Swiss Re, a leading insurance firm, 60% to 70% of large corporations (more than $1 billion in revenue) have coverage, compared with 40% to 50% of mid-market firms and just 10% to 20% of small and medium-sized enterprises.

Curiously, data from a U.K. government survey paints a different picture: 62% of small businesses and 65% of medium-sized firms are insured, compared with 53% of large enterprises. 

“Smaller firms recognize that one successful attack could shut them down entirely; they need insurance to back them up,” says Mitchell. “Larger organizations often have internal teams and feel self-sufficient. But cybercriminals don’t discriminate by company size; they follow the path of least resistance.”

What’s driving the surge in demand?

The surge in adoption is directly tied to AI-driven phishing, ransomware, and business email compromise, three of the most financially devastating cyber threats to businesses today. Heimdal reports that ransomware alone accounts for 60% of all large cyber insurance claims, with the manufacturing sector making the highest number of claims in 2025, at 33% of the yearly total.

At the same time, regulatory pressure and data privacy mandates have pushed more firms to seek coverage. In heavily regulated sectors such as finance, healthcare, and manufacturing, insurance is becoming a distinct compliance requirement.

“AI scams have changed the landscape completely,” Mitchell says. “You no longer need a genius hacker to pull off a multimillion-dollar breach. Anyone with access to AI tools can replicate authentic emails or voices in seconds. Cyber insurance isn’t a substitute for strong defenses, but it’s the buffer between an incident and insolvency.”

The cost of being uninsured

While insurance claims fell by 50% in 2025, the cost of successful attacks continues to rise. Average global claim sizes now sit at $115,000, but vary widely by region:

  • $108,000 in the U.S.
  • $226,000 in Canada.
  • $35,000 in the U.K.

The average loss is $79,000 for small firms and $228,000 for large enterprises. For industries like health care and manufacturing, individual ransomware claims have reached $631,000.

“A single attack can trigger legal fees, ransom payments, data restoration, and weeks of downtime,” Mitchell explains. “Cyber insurance gives businesses a fighting chance to recover, covering the damage while they rebuild operations.”

What cyber insurance actually covers

Mitchell explains that modern policies typically include coverage for:

  • Ransomware and extortion costs;
  • Business interruption losses;
  • Legal expenses and regulatory fines;
  • Forensic investigations and public relations support; and
  • Data restoration and notification costs.

However, Mitchell warns that not all insurance is created equal.

“Some policies exclude social engineering, the very type of attack behind most major breaches. We still see businesses shocked to learn that a phishing attack isn’t fully covered because it was labeled ‘human error,’” Mitchell says. “Companies must read the fine print and match their policies to their actual risk profile. Otherwise, they’re paying for protection they might not get.”

Cyber insurance’s ROI: The numbers don’t lie

The financial argument for cyber insurance is strong. Insurer Howden estimates that covered firms see a 19% return on investment, with potential savings of €16 million over a decade for a midsized enterprise. Allianz adds that insured companies saw losses rise only 70% over four years, compared with 250% for uninsured firms.

“Companies that invest in cyber insurance are often more security-aware,” says Mitchell. “They tend to also invest in better defenses, employee training, and regular audits. Insurance and prevention go hand in hand.”

Cyber insurance was once an afterthought, but today, it’s a strategic pillar of risk management. As cyber threats grow more sophisticated and regulations become more demanding, having coverage signals not only preparedness but also professional credibility, he says.

“Whether you’re a startup or a multinational, you’re operating in a digital battlefield where attackers are faster, smarter, and often automated. Insurance isn’t a silver bullet, but it gives you breathing room when the worst happens,” Mitchell adds. “My advice to businesses is simple: pair strong cybersecurity defenses with a well-structured insurance policy. Don’t wait for an attack to expose the gaps. Proactivity is the only real protection left.”

Photo credit: amgum/iStock
