Florida's cyber premiums are underpriced, and the breach data says so plainly. The state is running a 58% increase in reported data compromises since 2021, its healthcare sector is getting hammered, and carriers are quietly softening rates anyway, treating Florida like a low-loss geography. That's a mispricing problem. Michigan's market went through a painful correction when its loss experience caught up with its pricing. The analogy isn't perfect, but the direction is the same.
Florida's Breach Volume Dwarfs Michigan's
The Identity Theft Resource Center's 2023 Data Breach Report puts Florida at 249 publicly reported data compromises in 2023, against Michigan's 104. That's not a rounding error. And the trajectory matters more than the snapshot. Florida ran 158 breaches in 2021, 205 in 2022, and 249 in 2023, a 58% increase over two years. Michigan went from 82 to 96 to 104 over the same period, roughly 27% growth. Florida's curve is steeper and shows no sign of flattening.
On a population-adjusted basis the gap narrows but doesn't close. Using 2023 Census estimates, Florida runs about 11.0 breaches per million residents versus Michigan's 10.4. But population adjustment obscures the healthcare exposure, which is where the real severity sits.
The Healthcare Numbers Are the Real Story
The HHS OCR Breach Portal logged 87 large health-data breaches in Florida in 2023, meaning incidents affecting 500 or more individuals. Michigan had 29. PHI breaches carry OCR investigation risk and class-action exposure that most commercial breaches don't, and the notification cost sits on top of both. Florida insureds in healthcare, and the vendors who touch healthcare data, are generating a loss profile that flat or declining premiums don't reflect.
What Michigan's Correction Actually Looked Like, and Why Florida Is Different
Michigan's pricing didn't drift upward politely. According to a Michigan Bar Journal analysis from December 2022, cyber pricing for Michigan firms grew by 96% year-over-year in Q3 2021 alone. Marsh's broader data confirms that Midwest accounts, where Michigan's ransomware loss experience was concentrated, saw above-average increases through 2021 and 2022, part of a national pattern where U.S. cyber pricing increased 130% in 2021 and 28% in 2022 before moderating to 6% in 2023. Michigan insureds absorbed that correction hard and fast.
Michigan's correction was driven primarily by ransomware loss ratios, not raw breach count. Florida's elevated numbers are dominated by healthcare PHI breaches, which is a different severity driver. But the loss ratio argument still holds. Coveware's Q4 2023 report puts the average ransom payment at $812,380, up 32% year-over-year, with data exfiltration involved in 83% of cases. Healthcare breaches generate comparable or greater per-incident costs once you factor in OCR enforcement, mandatory credit monitoring, and the litigation exposure that follows a PHI incident at scale. The mechanism is different from what hit Michigan. The severity math isn't.
Fitch Ratings, citing NAIC Cyber Supplement data, shows Michigan standalone cyber direct written premium growing from $112M in 2021 to $148M in 2023, a 32% increase in two years. The market priced the risk in after the losses accumulated. That's the pattern to watch for in Florida.
Florida's Current Pricing Doesn't Match the Exposure
MoneyGeek's state-level benchmarking shows the average Florida small-business cyber premium at roughly $1,140 per year for $1M aggregate coverage, against a national average of $999 and Michigan at roughly $1,280. Those figures reflect small-business accounts, not the healthcare or mid-market risks where Florida's actual severity exposure sits. If anything, that benchmark understates the gap.
The soft-market objection is worth naming directly. The Marsh Global Insurance Market Index for Q4 2023 flags Florida among states where carriers were cautiously expanding underwriting appetite and where some accounts saw flat or slightly decreasing rates as capacity returned. You could read Florida's current pricing as the market working correctly in a soft cycle, with carriers rationally competing for share as loss ratios improved nationally. The problem with that read is that it treats all cyber exposure as fungible. Florida's breach volume is not concentrated in the sectors that drove national loss ratio improvement. It's concentrated in healthcare, where severity per incident is rising and regulatory enforcement is accelerating. Flat pricing on that exposure isn't a soft-market signal. It's a lag.
What to Do With This Now
Don't place Florida cyber accounts on the assumption that current pricing is adequate or stable. If you've got renewals coming up for Florida healthcare clients, or the vendors and business associates who sit inside that exposure chain, you should be having the correction conversation now rather than after carriers have already moved. The Michigan experience says that when the adjustment comes, it comes fast. Clients who get ahead of it with better controls documentation and longer policy terms will be in a materially better position than those who don't.
One concrete trigger to watch: OCR has been signaling increased enforcement appetite against covered entities and business associates following the Change Healthcare breach. If a large Florida health system or clearinghouse draws a headline settlement in 2024 or 2025, expect carriers writing Florida healthcare risks to reprice quickly. That's the kind of event that ends the soft-market conversation in a single renewal cycle.