Cyber insurance market faces volatility as tech outpaces underwriting models

Robert Davis  ; 2025-11-28 19:42:05

Rapid changes in cyber risk are forcing underwriters into near-constant recalibration

By Chris Davis

Nov 20, 2025

The cyber insurance market has become almost unrecognizable from where it was just a few years ago, according to Anthony Dagostino (pictured), president and chief underwriting officer at Avoca Risk. “The market today is ultra fluid,” Dagostino said. “It was probably fluid a couple of years ago, and now it's ultra fluid.” 

That volatility isn’t cyclical. It’s structural. As cyber threats mutate and expand, insurers are forced into a pattern of short-term rate cuts and aggressive coverage - only to abruptly reverse course after the next wave of claims. 

“Everybody starts to get very aggressive in coverage and rates,” Dagostino said. “Then something might happen. There's a little bit of a knee-jerk reaction... like we saw with ransomware a few years ago.” 

He described a fast-moving, reactionary cycle driven not by long-term loss trends, but by short-term shifts in threat activity. In some years, the lull in claims invites competition and broader coverage. The moment a major event hits - whether systemic or targeted - rates harden, appetite tightens, and underwriting scrutiny returns. 

Risk appetite fluctuates with attack trends 

Dagostino has seen the sector from all angles - underwriting, broking, consulting - and now runs an MGA serving clients from small businesses to large enterprises across sectors. From his perspective, the market’s fluctuations are baked into how cyber risk operates. “It just seems to ebb and flow very, very quickly, and it's moving as fast as the technology itself is evolving,” he said. 

Over the past year, he has noted a rise in tech-enabled underwriting, starting with external scans and expanding into deeper assessments through cybersecurity partnerships. But for all the innovation, one truth hasn’t changed: cyber remains a serious risk for small and midsize businesses, many of which are still coming to terms with the realities of digital exposure.

“Ransomware is still real, business email compromise resulting in stolen funds is very, very real for small businesses,” Dagostino said. “We see it in real estate. We see it in law firms.” 

Many of these businesses once viewed cyber insurance as optional. That’s changing. “There is still that need from the small and mid-market, especially in the US... They see value in actually purchasing the assurance,” he said.

Insurance struggles to keep up with rapid exposure shifts 

While the industry has generally kept pace with cyber exposures, there’s a pattern of retrenchment after major events. Dagostino likened it to a two-steps-forward, one-step-back evolution. He pointed to regulatory changes in the early 2000s, and again to the ransomware surge of 2020, as moments that forced underwriters to pause and reassess. 

“All of a sudden we start to pay a lot of [attention to] ID theft and notifications. So then you tighten up the belt, you revisit underwriting, take a step back, you raise the rates, and then you start moving forward,” he said. 

He believes that approach is still relevant, but increasingly inadequate given the speed of today’s threat environment. “We’re running pretty fast,” he said. “You see a little bit of systemic events from vendor issues, so more of those vendor aggregation issues.” 

Still, he doesn’t believe the industry has hit its defining moment. “We haven't really seen that [hurricane-level event] yet, which causes the underwriters to say, ‘wow’,” he said. 

That moment may still be ahead. “There’s probably something on the horizon,” Dagostino said. “Whether it’s new technology or new evolution in how attacks are done... that would probably give us another ‘aha’ minute to then tighten the belt.” 

The claim cycle is now real-time 

One of the key distinctions between cyber and traditional lines is the pace at which underwriters must now adapt. “It really is on a monthly, quarterly basis looking at claims, what were the techniques that the hackers used, what were the vulnerabilities, are we asking the right questions?” he said. 

He flagged that controls once seen as underwriting gold standards - MFA, encryption, segmentation - may soon become insufficient. A new control could be exploited before insurers even recognize it as a risk. 

“Somewhere on the horizon there will be a control that has an exploitation that isn't understood,” Dagostino said. “It’s not doomsday... but suddenly we're going to have to re-underwrite.” 

He pointed to secure DevOps and EDR (endpoint detection and response) solutions as areas that need more underwriting scrutiny. “We talk about that, but I don't think we're really underwriting to that,” he said. 

Third-party and systemic risks closing in 

Cyber’s impact doesn’t stop at the policyholder. Increasingly, it hits through dependencies—third-party systems, external vendors, and upstream IT failures. 

“If you're talking about third party... that paywall has an attack, that has a knock-on detriment to your business,” Dagostino said. “That’s business interruption for a third party.” 

He drew parallels to contingent business interruption in supply chains, and warned that vendor aggregation risk is growing. “Technology doesn’t have the boundaries or the geographic limitations,” he said. “But there’s still similarities... product recall, aviation. There’s other ones where I think we can definitely learn.” 

Policyholders not using built-in services 

While some risks are evolving, others remain frustratingly unchanged. One persistent issue: clients not using the free services built into their policies. 

“I’ve banged my head against the wall for the last decade,” Dagostino said. “The clients, the policyholders, still don’t understand about all the free services that they get under these policies.” 

He called out providers like Beazley, Canopius, Chubb, and QBE for investing heavily in tools that remain underused - like phishing simulations, training platforms, and monitoring services. 

He recently met with small rural hospitals in Virginia, where the disconnect was obvious. “They don’t realize what they can get under the cyber insurance,” he said. “If they utilize the free phishing simulation and training that’s in their policy, you’re going to save these rural hospitals a few thousand dollars per year.” 

Responsibility for that uptake, he argued, is shared across the value chain. 

“I think it falls a little bit on the underwriting side to push it more,” Dagostino said. “It very much falls on the broker side... and the fault is also on the policyholder side to actually utilize these things and do it.” 

High-profile breaches raise broader questions 

Dagostino is closely watching the aftermath of major breaches in the UK, including incidents involving Marks & Spencer and Jaguar Land Rover. “There’s still some stewards that are lagging and having issues,” he said. “I have a hard time believing that [it’s] UK specific.” 

To him, these weren’t one-off attacks. They reflected broader weaknesses. “There’s certain vulnerabilities where it was just the luck of the draw the hackers hit them first,” he said. “They could apply to anybody in the world.” 
