The Cyber Insurance Squeeze: Where Underwriting Goes After 2023

TL;DR
- US cyber insurance premiums rose an average of 79% in Q2 2022 versus the prior year, while carriers cut coverage and added exclusions.
- Only around 15% of SMBs had purchased specific cyber coverage as of 2022, which makes the SMB segment the largest growth opportunity for carriers, brokers, and MGAs.
- CIRCIA names Managed Service Providers among the covered entities subject to new cybersecurity incident reporting requirements.
- We expect carriers to eventually stop accepting self-attestation, moving toward accredited third-party audits or real-time evidence collection platforms.
- GRC platforms like Vanta and Drata, already automating compliance evidence, are positioned to become the evidence layer insurers rely on.
Cyber insurance is doing something unusual for an insurance product: getting more expensive and harder to buy at the same time. Premiums in the US rose an average of 79% in Q2 2022 versus the same quarter the prior year, questionnaires keep getting longer, and the chief executive of Zurich, one of Europe's biggest insurers, has warned that cyber attacks, rather than natural catastrophes, could become "uninsurable" as disruption from hacks grows. The market is evolving fast enough that it deserves a closer look. Below: the trends we see shaping the market as of January 2023, followed by five predictions for where underwriting goes next.
What changed in the market through 2022
Premiums up, appetite down, demand rising
A market research study by Mordor Intelligence (opens in new tab) put the cybersecurity insurance market at $9.29 billion in 2021, with an expected rise to $28.25 billion by 2027. Costly data breaches, ransomware attacks, and other incidents keep pushing premiums upward, and the reasons reduce to two buckets. First, insurance companies are less willing to take on the risk of providing coverage, the Zurich warning being the loudest version of that reluctance. Second, demand keeps climbing as businesses of every size wake up to the potential damage cyber risk can cause.
Beyond price, underwriters are trying to contain claim losses with much stricter underwriting requirements, making security protocols like multi-factor authentication and EDR solutions mandatory. Cybersecurity questionnaires are growing longer and longer as underwriters struggle to grasp the risks they are pricing.
And yet the market is still an infant. Research from Sedgwick (opens in new tab) found that despite cybercrime ranking among the top concerns for SMBs, only around 15% had purchased specific cyber coverage. That gap makes cyber insurance the single largest growth opportunity for carriers, brokers, and MGAs for the foreseeable future.
Regulators are tightening the screws
2022 brought the government into the picture more forcefully. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (opens in new tab) gives critical infrastructure companies strict new requirements for reporting cybersecurity incidents, and CIRCIA's definition of covered entities includes Managed Service Providers.
The DoD, meanwhile, is enforcing NIST 800-171 and CMMC requirements more strictly for defense contractors handling CUI (Controlled Unclassified Information). In 2022, the DoD released a memorandum to all its contracting officers reiterating that contractors handling CUI must implement at minimum the NIST SP 800-171 security requirements, with a Plan of Action & Milestones (POA&M) for each requirement not yet met. In 2023, new CMMC certification requirements are expected in new DoD contracts, and compliance with NIST 800-171 will no longer rest on self-attestation: contractors will need audits by accredited C3PAOs (Certified Third Party Assessment Organizations).
More tools, more complexity, less visibility
Cybersecurity revenue is expected to grow 13.33% annually through 2027, reaching a market volume around $300 billion. The rise of hybrid and remote work since COVID came paired with rising threats against businesses of every size, forcing companies to stitch together and pay for tools from many different vendors. Axonius (opens in new tab) reported in May 2021 that 72% of organizations saw increased complexity in their IT environment over the prior two years, and the June 2022 SolarWinds IT trends report (opens in new tab) found 54% of respondents had visibility into less than half of their app and infrastructure estate.
The GRC platforms are the wildcard
The connection to insurance becomes clear in the predictions, but first the trend itself: GRC tools have taken serious market share in the past few years. These companies already automate security and compliance evidence, integrate with many third-party solutions, and map to the most popular compliance frameworks. The biggest names:
- Vanta: SOC 2, HIPAA, ISO 27001, PCI, and GDPR Compliance (opens in new tab)
- Drata: Automated SOC 2, HIPAA, GDPR, Risk Management, and More (opens in new tab)
- Secureframe: https://secureframe.com (opens in new tab)
- Kintent: Revenue-Generating Compliance | Kintent Trust Cloud (opens in new tab)
Polaris Market Research predicts this market reaches $96.98 billion by 2028. Funding is pouring in: $1 billion went into the sector in the first 10 weeks of 2022 alone, and top providers are hitting billion-dollar valuations, including Vanta, whose Series B valued the company at $1.6 billion.
A related cluster of companies is already tethering businesses to cyber insurance carriers, providing security and compliance automation while using that data to partner with insurers on coverage:
- SolCyber: Managed Security Services for Start-ups and SMEs (opens in new tab)
- Coalition: Coalition Control (opens in new tab)
- Cyberwrite: Cyber insurance for a safer tomorrow (opens in new tab)
- Augmentt: SaaS Security and Management Software (opens in new tab)
- SecurityScorecard: Security Ratings and Cybersecurity Risk Management (opens in new tab)
Five predictions for where this goes
1. Carriers stop accepting self-attestation
This will take years to land at broad scale, but the partnerships forming around automated evidence collection point the way. We interviewed a few insurance providers on this topic, and they said bluntly that today they could not care less what automation you have around evidence collection. The larger carriers run so much volume that self-assessment questionnaires are an accepted risk; claims in that pool stay low relative to premiums. But the same carriers confirmed the trends visible in the market:
- Higher premiums quarterly
- Less coverage
- More exclusions
- New mandatory requirements slowly rolling out
We believe there is too much money in this market for cyber risk to actually become uninsurable. What the slow rollout of MFA and EDR mandates really shows is that insurers do not yet understand the risk they carry; those controls should be table stakes for any organization with a real security practice. Just as CMMC is replacing self-attestation with accredited audits in the defense space, we expect insurers to require an independent C3PAO-style audit or a real-time evidence collection platform as a condition of coverage.
2. GRC tools grow beyond the startup niche
Today the funded GRC tools mostly serve startups, companies under 200 employees chasing SOC 2 because they lack in-house resources for self-attestation and need compliance fast. Their core value is deep cloud integrations that automate evidence collection plus framework mappings. As more companies move to the cloud, these tools are uniquely positioned to support a durable security practice. Regulation will keep tightening, and companies will not be able to afford manual self-assessment while keeping pace with technical change. Tools like these become a necessity for scaling securely, and potentially a requirement for obtaining cyber insurance. Even if the requirement lands on accredited C3PAO audits instead, these platforms slash the time and money it takes to hand an auditor what they need.
3. Companies cut vendor count
The explosion of SaaS apps inside companies accelerated through COVID. If a recession arrives, expect heavy scrutiny on the number of apps in use, driven by cost first, with reduced operational overhead and a smaller attack surface as the bonus. Security awareness keeps spreading, and the vendors a business works with will face more of that scrutiny too. We expect vendor risk management to become a standard requirement for acquiring cyber insurance.
4. Transparency of trust becomes commonplace
Some GRC tools already offer a "Trust Page": real-time, public insight into a company meeting security and compliance standards, drawing on data collected across the applications the company uses to do business. With threats growing, awareness rising, and regulation tightening, we believe this kind of transparency becomes normal for every business, regulated or not. It will take years, and the first wave will be vendors that touch sensitive data, but the end state looks like every vendor exposing a real-time API that summarizes its risk.

5. AI moves into underwriting
No predictions post escapes AI, and in this case the fit is genuine: an automated, data-driven underwriting process. Picture GRC tools expanding their integrations and aggregating the data; the picture of overall company risk, including trends over time, gets much clearer. Even Microsoft Graph data alone says plenty about the risk of users, devices, and applications. How often are users blasted with phishing campaigns? How often do they click malicious links? How frequently do devices show new incidents? Are employees accessing corporate data securely? Those observed risk levels would ultimately determine whether a policy gets written and what premium it carries based on the expected direct loss ratio.
Sources
- Vanta lands $40M to automate cybersecurity compliance | TechCrunch (opens in new tab)
- The SME Cyber Insurance Market: Perception and Adoption (Sedgwick, PDF) (opens in new tab)
- Cybersecurity Insurance: A Complete Guide | Cybersecurity Guide (opens in new tab)
- Cyber Insurers Raise Rates Amid a Surge in Costly Hacks | WSJ (opens in new tab)
- Cyber Insurance Premiums Are Up, and That's Not the Only Industry Shakeup | Forbes (opens in new tab)
- The 2021 State of Enterprise Breaches | Forrester (opens in new tab)
- The Cyber Insurance Gap: What Is It, and How Can We Close It? | BlackBerry (opens in new tab)
- Cyber Security Market Overview by Size, Growth and Trends, 2029 | Fortune Business Insights (opens in new tab)
- Report: 4 Key Factors Driving IT Complexity | Axonius (opens in new tab)
- SolarWinds IT Trends Report 2022 (opens in new tab)
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | CISA (opens in new tab)
- Cyber attacks set to become 'uninsurable', says Zurich chief | Financial Times (opens in new tab)
- ConnectWise Introduces MSP-Specific Cybersecurity Framework and Security Partner Community | ChannelPro Network (opens in new tab)
- CompTIA Introduces Cybersecurity Trustmark | ChannelPro Network (opens in new tab)
- Cyber Incident Reporting For Critical Infrastructure Act of 2022 (CISA, PDF) (opens in new tab)
- Critical Infrastructure Sectors | CISA (opens in new tab)
- Presidential Policy Directive: Critical Infrastructure Security and Resilience | whitehouse.gov archives (opens in new tab)
- New Regulations from the Government for MSPs and Cybersecurity | Pax8 Blog (opens in new tab)
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022 | Eversheds Sutherland (opens in new tab)
- If You're Waiting for CMMC to Start Compliance, You're Already Behind | PreVeil (opens in new tab)
- System Security Plans | DIB SCC CyberAssist (opens in new tab)
Frequently asked questions
What is CIRCIA and does it apply to MSPs?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 imposes strict cybersecurity incident reporting requirements on critical infrastructure companies, and its definition of covered entities includes Managed Service Providers. Reporting obligations are coming to the channel, not just to enterprises.
Will MFA and EDR stay sufficient for getting cyber coverage?
They are becoming mandatory minimums rather than differentiators. Carriers are slowly making controls like multi-factor authentication and EDR solutions required for coverage, controls that should be table stakes for any organization with a working security practice. Expect the bar to keep rising from there.
Evidence your insurer will actually accept
Questionnaires keep getting longer because underwriters cannot see inside your tenants. CloudCapsule documents 250+ Microsoft 365 controls per tenant in about 60 seconds, mapped to the frameworks insurers ask about.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


