The argument that upcoming federal healthcare cybersecurity regulations will lower cyber premiums is wrong, and brokers who are telling clients to expect relief at renewal are setting themselves up for an awkward conversation. The data doesn't support it. The market doesn't support it. And the regulations themselves are more likely to raise compliance costs before they move the loss curve in any direction carriers care about.
What the breach data actually shows
Start with frequency. HHS OCR logged 734 large healthcare breaches in 2023, up from 720 in 2022 and 715 in 2021. Slow creep upward, year after year. Severity is worse. Over 134 million individuals were affected by large healthcare breaches in 2023, compared to 51.9 million in 2022. That's a 158% jump in exposed individuals in a single year.
The cost picture is just as bad. The average healthcare data breach cost $10.93 million in 2023, the highest of any industry and a 53% increase from $7.13 million in 2020. And ransomware attacks on healthcare organizations increased roughly 128% between 2020 and 2023, with 46 hospital systems hit in 2023 alone. These are not numbers that make underwriters feel generous.
Where pricing actually is right now
Yes, the broader cyber market softened. Marsh's Global Insurance Market Index for Q4 2023 shows U.S. cyber pricing fell an average of 6%, but their report specifically calls out healthcare and the public sector as exceptions where underwriters held tighter terms and higher retentions. Healthcare didn't ride that softening wave.
Aon's 2024 Cyber Market Update identifies healthcare as one of the three most-challenged sectors, with many accounts seeing rate increases of 10 to 25% at renewal in 2023 and early 2024. Willis Towers Watson reported large health systems facing cyber rate uplifts in the mid-teens to 30% range, with some accounts absorbing capacity reductions or co-insurance on ransomware coverage. Fitch noted higher loss ratios for healthcare and flagged that carriers are responding with higher deductibles and sublimits rather than premium cuts.
That's the market your clients are actually operating in.
What the regulations actually do
The federal activity is real. HHS released a healthcare cybersecurity strategy in December 2023 built around voluntary performance goals, financial incentives for hospitals, tighter enforcement, and an eventual path to mandatory requirements. The department explicitly flagged those performance goals as informing future regulatory action, which means the mandatory piece isn't here yet.
The more concrete move came in January 2025. HHS published a proposed HIPAA Security Rule update that would require more detailed risk analyses, explicit contingency planning, encryption, tighter access controls, and demonstrated ongoing incident response capabilities. It's still in public comment, and mandatory compliance timelines are years out at minimum.
Even after it clears all of that, the path to premium relief is not automatic. Carriers need to see controls actually adopted and losses actually reduced before they reprice a class downward. That's not a one-year story in a sector where cumulative breach exposure from 2010 through 2023 exceeded 519 million individuals. It's a multi-year, maybe multi-decade story.
The question your clients will actually ask you
AM Best's 2024 cyber sector report flags healthcare as a loss-intensive class where pricing discipline remains necessary. Carriers aren't about to look at a proposed rule still in public comment and start softening their healthcare book. That much is straightforward.
The harder question is what happens when a client achieves full compliance with the proposed rule's requirements and still gets hit with a ransomware event. Does demonstrated compliance give them any underwriting defense at renewal? Or does the carrier simply point to the loss and hold firm on pricing? Carrier-side, I don't have clean data on this yet, but my read is that compliance posture will matter more at the margin than at the headline. It won't cap a rate increase after a loss, but it may be the difference between retaining capacity and losing it.
The HIPAA proposed rule's requirements around risk analysis, access controls, encryption, and incident response map almost directly onto what underwriters already want to see. Clients who get ahead of compliance will have a better underwriting story to tell. Position it that way. Not as a discount mechanism, but as documentation that keeps a bad renewal from becoming a worse one.