
2025 has already been a busy year across the cyber landscape. New use cases for AI technologies continue to emerge almost daily throughout the market. Federal regulation and oversight initiatives around national cyber security policy in the US have shifted dramatically. And all the while, cyber attack frequency remains persistent across ransomware attacks, data theft and extortion, and socially engineered attacks; attacks now powered by AI-enhanced persona-replication capabilities. All businesses today are exposed to far more emerging cyber threats than they are aware of, and those threats are evolving at a faster pace than their network security providers can keep up with.
Despite this accelerating risk, cyber written premiums across the market are not growing at the same rate. By most marketwide measures, the take-up rate for SME businesses (< $20 million revenue) hovers between 8% and 15%, even with all the underwriting solutions available and an observably high-profit line of business. There are many perspectives on why this may be the case, but every explanation can be broadly grouped under a single concept: the insurance industry simply does not fully trust ANY particular cyber model solution that exists today.
Guy Carpenter (GC) and Guidewire Cyence (Cyence) are highly cognizant of this reality. In the spirit of encouraging greater “trust” across the insurance market — that Cyber is in fact a modellable and profitable line of insurance business — GC and Cyence have now collaborated on the construction of a 2025 US Cyber Market Industry Exposure Database (IED) with an accompanying Industry Loss Curve (ILC). The findings of this work are founded upon GC CyberExplorer® Datalake exposure data and Cyence Model version 7 stochastic loss output. Results are presented in the linked whitepaper 2025 US Cyber Industry Exposure Database and Loss Curve.
The whitepaper first provides a broad range of cyber market industry metrics:
- 2025 projected industry loss ratios
- Estimates of exposed business counts, average take-up rates by segment, and total estimated written premiums
- Shape and composition of tail curves across the exposed industry, including listed cloud provider and software packages which present the most widespread threats
But beyond the suite of stats provided in this document, the true impetus behind this paper is to make the methodology and construction behind the IED fully transparent to the audience, in every facet. The paper will present overall findings in the main Executive Summary, and then proceed to walk readers through each of the 7 stages of IED construction, with associated statistical detail.
With this approach, Cyence and GC are hoping not only to spark new conversations, methodology commentary, new debates and feedback, but ultimately to establish the market’s trust in the results being presented. Every cyber portfolio manager is guaranteed to have their own opinion on the legitimacy of this (or any) market IED. But given that the construction blueprints are laid bare, the only decision remaining for the reader will be to agree or disagree with the parameter selections made.
GC and Cyence believe that the cyber insurance market has extraordinary potential for expansion, if the market at large can begin to gain comfort and unify around the technical solutions available. We hope that this paper will contribute to that effort – thank you for reading!