Is Your Cyber Insurance Privacy Coverage Quietly Shrinking?

Akram Chauhan

I was in New York last week for Zywave’s Cyber Risk Insights conference, and you could feel a definite shift in the air. For the last few years, the cyber insurance market has been, frankly, a bit of a free-for-all. Carriers were falling over themselves to offer broader coverage and competitive pricing to win your business. It was a great time to be a buyer.

But sitting in on a panel discussion, a theme started to emerge that I think we all need to pay close attention to. The party might be winding down. When the panelists were asked if carriers are starting to pump the brakes and restrict coverage, the answer was a very clear, "Yes."

It’s not a huge, dramatic slam of the door. It’s more subtle. It’s a quiet tightening of the screws, especially around one of the most sensitive parts of a cyber policy: privacy coverage. And if you're not looking for it, you could easily miss it until it’s too late.

The Pendulum is Swinging Back

Think of the insurance market like a giant pendulum. For a while, it was swung way over to the "buyer's side." Capacity was everywhere, and policies were written with broad, sweeping language that covered a ton of different scenarios. It was the "all-you-can-eat buffet" of cyber insurance.

Now, that pendulum is starting its slow swing back toward the "insurer's side." Carriers are getting a lot more specific and a lot more cautious. They're moving away from the buffet and handing out à la carte menus where you have to pay close attention to what is—and isn't—included.

So, what does this look like in the real world? We're seeing insurers get much more granular about what they will and won't cover when it comes to privacy claims. This isn't about refusing to cover data breaches altogether; it's about carving out specific types of privacy risks that they now see as too unpredictable or too expensive.

Why Are Insurers Getting Nervous Now?

You might be wondering, "What changed?" Well, a few things. The world of data privacy has gotten incredibly complex in a very short amount of time, and insurers are reacting to the new reality on the ground.

It really boils down to a few key hotspots that are causing major heartburn in the underwriting departments.

The Explosion of Biometric Lawsuits

If there's one thing that keeps insurance lawyers up at night, it's the Illinois Biometric Information Privacy Act (BIPA). This law (and others like it popping up in other states) has led to a tidal wave of class-action lawsuits against companies that collect biometric data—think fingerprints for time clocks or facial recognition scans.

The potential payouts on these are massive, and insurers have been hit hard. As a result, many are now adding specific exclusions for BIPA-related claims or any claim arising from the collection of biometric data. They've decided the risk is just too high to cover under a standard policy.

The "Tracking Pixel" Problem

Here’s another one that’s become a huge issue. You know those little bits of code on websites (like the Meta Pixel) that track user activity? Well, lawsuits are now arguing that sharing that data with platforms like Facebook without explicit, specific consent is a violation of privacy laws.

This has opened up a whole new can of worms. Insurers are looking at this and seeing a potentially bottomless pit of liability. It's not a data breach in the traditional sense—no one hacked anything. But it is a privacy violation. In response, we're seeing new policy language specifically aimed at excluding claims related to this kind of "wiretapping" or data sharing via web-tracking technologies.

A Messy Patchwork of State Laws

Remember when GDPR was the big, scary privacy regulation we were all worried about? Now, it's like we have a mini-GDPR in every other state. With laws like the California Consumer Privacy Act (CCPA) and its successor, the CPRA, plus new laws in Virginia, Colorado, Utah, and more, it's a nightmare to navigate.

Each law has slightly different rules, and that lack of consistency creates uncertainty. And if there’s one thing insurers hate, it’s uncertainty. They're finding it difficult to price the risk when the legal goalposts are constantly moving. Their solution? Restrict coverage for violations of these specific state statutes until the dust settles.

How to Spot These Changes in Your Own Policy

Okay, so this is all interesting, but what does it actually mean for you when your renewal paperwork lands on your desk? You have to become a bit of a detective. These changes won't be on the front page in big, bold letters.

Here are the kinds of things you and your broker should be hunting for:

  • New Exclusions: Look for language that specifically excludes claims arising from "biometric data," "unlawful collection of data," or specific statutes like BIPA or CCPA.
  • Sub-limits: This is a sneaky one. The policy might still technically "cover" a certain type of privacy claim, but they'll cap the payout at a much lower amount than the overall policy limit. For example, you might have a $5 million cyber policy, but a new sub-limit for regulatory fines might cap that specific coverage at just $250,000.
  • Tighter Definitions: Pay attention to how the policy defines a "privacy event" or "wrongful act." Carriers are narrowing these definitions to ensure they only cover very specific scenarios, leaving out these new, emerging risks.
  • Higher Retentions: They might agree to cover the risk, but only after you pay a much larger deductible (or retention) for claims related to privacy violations compared to, say, a ransomware attack.

It’s Time to Have a Real Conversation About Your Coverage

Look, I'm not trying to be an alarmist here. Cyber insurance is still one of the most critical tools you have for managing risk. But the days of assuming your policy covers "all things cyber" are officially over.

The big takeaway from what I heard in New York is that we've entered an era of specialization. The market is maturing. Insurers are no longer just reacting to breaches; they're proactively trying to get ahead of the next wave of claims.

This means you can't just 'set it and forget it' with your cyber policy. When renewal time comes, you need to have a serious, in-depth conversation with your broker. Don't just ask, "Am I covered for a data breach?" Ask the tough questions. Ask about biometric data. Ask about web-tracking pixels. Ask about state-specific privacy law violations.

Force them to show you, right there in the policy language, where and how you are covered. And more importantly, where you aren't. It’s the only way to make sure the safety net you think you have is actually there when you need to use it.
