Cyber Insurance Purchasing Seen Trailing Information Security Spending
July 02, 2026
While investments in cyber risk management have grown significantly over the past decade, the evolution and growth of cyber insurance have moved more slowly over the same period, according to a new report from Aon.
According to Aon, global spending on information security has more than tripled over the past 10 years, reflecting businesses' increasing reliance on digital infrastructure and the expanding scale and complexity of that infrastructure.
Aon reports that while cyber-insurance premiums have increased during that time as cyber coverage broadened and expanded, cyber insurance still represents only a small portion of businesses' overall cyber security expenditures.
Today, cyber insurance typically represents only around 4 percent to 5 percent—approximately $15 billion to $16 billion—of the $300 billion global information security market, the Aon report said, with the remaining investments directed toward controls, systems, and operational resilience.
The rate of cyber-insurance adoption tends to reflect the size of organizations, Aon suggests. Among large enterprises—those with revenue of $1 billion or more—as much as 94 percent of organizations purchase cyber insurance, while among smaller organizations—those with less than $10 million in revenue—17 percent or less of organizations purchase cyber coverage.
"This divergence highlights more than a coverage gap. It reflects how organizations prioritize spending on cyber risk," the Aon report said. "Most capital continues to flow toward prevention and mitigation, while comparatively little is allocated to transferring financial volatility. In effect, many organizations are self-insuring a growing portion of cyber risk, often without explicitly framing that choice as a capital decision."
The Aon report noted the evolution of cyber insurance, suggesting that the coverage has changed in response to the types of losses that have emerged. Earlier cyber-insurance policies focused on a narrower risk environment, with only limited emphasis on operational disruption or financial severity, Aon said.
"Over time, loss experience exposed those limits. Coverage expanded beyond breach response and regulatory investigation to address business interruption, dependent system failures, ransomware, privacy liability, and regulatory defense. Capacity also increased through facility-based structures designed to support higher severity loss scenarios."
Those changes reflect the cyber-insurance market responding directly to real-world loss experience rather than theoretical exposures, Aon said.
"The more difficult question is whether buying decisions, expectations, and program structures have kept pace with what today's coverage is designed to address," the Aon report said. "As potential cyber losses grow in scale, assumptions around limits and retained risk are increasingly being tested."