After years of competitive pricing and broad coverage, cyber insurers are beginning to tighten the scope of protection they offer—particularly around privacy risks.
Speaking at Zywave’s Cyber Risk Insights Conference in New York this week, industry experts said a shift is underway as insurers reassess their exposure to emerging privacy-related liabilities.
Beth Gidicsin, regional cyber practice leader at Lockton, noted that many insurers are now scrutinising or restricting their “broad privacy” or “affirmative wrongful-collection” coverage.
“Many carriers are starting to say, ‘We’re not sure about this anymore,’” she said. “They’re introducing exclusions into policies, although clients can often buy the coverage back if the insurers are comfortable underwriting it.”
Gidicsin explained that this recalibration is driven by an increase in privacy litigation—spurred by regulatory changes both in the United States and abroad. Traditionally, cyber insurance responded to privacy issues only when a data breach occurred, covering regulatory fines and penalties. However, under new privacy laws, litigation can now arise without any breach event, exposing firms to new and unforeseen risks.
While Gidicsin continues to advocate for broad privacy protection for clients, she acknowledged that insurers must now underwrite with a deeper understanding of these evolving exposures.
The discussion also touched on coverage gaps between cyber and property insurance, particularly in cases of cyber-triggered physical damage. The industry is exploring hybrid solutions or new products to close such gaps.
Beyond privacy, insurers are experimenting with AI-related endorsements and enhancing business interruption cover to reflect the growing risk from system or dependent system failures—especially amid widespread reliance on cloud infrastructure.
David Derigiotis, president of RT Specialty Detroit and executive vice president at ProExec Practice Group, said there is still “room to negotiate” broader coverage where needed, but cautioned against a blanket approach.
“You can’t provide the broadest coverage to every client every time,” he said. “That creates significant exposure for insurers. Coverage must be carefully aligned with each client’s specific risk.”
Lori Bailey, head of global cyber and technology at Axis, agreed, saying the market is moving away from a “one-size-fits-all” model towards tailored products that address the needs of distinct customer segments.
Derigiotis added that both insurers and policyholders must stay alert to evolving regulations and their potential impact. “The worst outcome,” he said, “is to buy a policy and find out after a claim that the loss isn’t covered. We need to anticipate what’s coming next—and make sure policies evolve accordingly.”