The Premium Problem in California Tech
California's tech sector is generating more breach exposure every year, and I'd argue the premiums being written against that exposure don't reflect what the data is actually showing. I can't point you to a carrier filing that proves tech premiums are systematically underpriced. No such public dataset exists, as far as I can find. But when you lay the breach trajectory next to what underwriters are charging, the gap is hard to ignore.
What the Breach Data Actually Says
Between January 2012 and September 2018, California logged 1,437 reported breaches under its data breach notification law, averaging 18 per month, with the rate climbing at 0.18 additional breaches per month. That's not noise. That's a measurable, sustained upward trend. And the peak in that period hit 60 breaches in a single month, February 2017.
From 2017 through 2021, California recorded more data breaches than any other state, with losses exceeding $3.7 billion, nearly double the next closest state. Email compromise alone accounted for $1.18 billion in losses across 14,925 victims. These aren't rounding errors.
The per-incident cost picture isn't better. Average breach cost hit $3.86 million in 2018, up 6.4% from the prior year, with per-record cost rising to $148, up 4.8%. And the recidivism problem is real: there's a 27.9% probability of a repeat breach within two years of an initial incident.
Where Tech Fits In
Here's where I have to be straight with you. The California breach data doesn't single out tech as the most-targeted industry. Financial services and large employers with more than 10,000 employees dominated breach frequency, and healthcare has its own ugly track record in the state. In 2016, California had 39 healthcare breaches, the most of any state that year, compromising over 1.4 million records.
But tech companies aren't sitting this out. The California AG's breach list shows recent incidents including Ericsson Inc. with a breach date of April 2025, OSI Systems with a December 2025 incident, and Cierant Corporation breached in late 2024. No loss figures are attached to those filings, and I'm not going to invent numbers. What they do show is that the pipeline of tech-sector incidents isn't slowing.
And the attack vectors matter here. Software vulnerability was the most common breach vector in the California data, with ransomware and phishing rising sharply since 2016. Tech companies sit at the center of that exposure profile. They build on third-party dependencies, run complex software stacks, and often hold customer data that multiplies liability the moment something goes wrong.
The Pricing Gap I Can't Prove But Can't Ignore
I'll be direct: there is no public carrier filing or industry rate comparison I can point to that proves tech premiums are running below actuarially justified levels. That data isn't published in a form brokers can access. So I'm not going to state it as fact.
What I can tell you is that the inputs for a justified rate increase are all present. Breach frequency in California is trending up. Per-incident costs are up. Recidivism is high. The attack vectors most associated with tech sector exposure are the same ones driving losses statewide. If you're placing a tech account and the premium feels light relative to the company's data footprint, software dependencies, and employee count, that instinct deserves more scrutiny than a quick bind.
What to Do With This
Pull the California AG breach list and run your tech accounts against it. Not to check if your client was breached, but to calibrate what a realistic peer group looks like. If you're underwriting a mid-size SaaS company in the Bay Area and the carrier is pricing it like a dry cleaner in Fresno, the burden is on you to push back with specific exposure data, not just a sense that something feels off.
The research gap here is a problem in itself. Brokers need industry-segmented premium data to argue pricing with underwriters. Right now, that data either doesn't exist publicly or carriers aren't sharing it. That's worth raising with your markets directly. Ask them how they're segmenting tech versus other verticals in California, and what breach frequency data they're using to justify the number on the quote sheet.