Breach Analysis · April 14, 2026 · SecureClear Team

Despite High Breach Volumes, Retail Cyber Premiums Are Overpriced

The Numbers Don't Support What Retail Clients Are Paying

Retail cyber premiums are out of step with actual breach costs in the sector, and the broader market data is starting to make that hard to ignore. Carriers have been quietly repricing downward across commercial lines while retail accounts, especially mid-market ones, are still getting quoted as if it's 2022. That gap deserves scrutiny.

The Market Has Already Moved

Start with the macro picture. US cyber direct gross written premiums fell from $7.25 billion in 2023 to $7.08 billion in 2024, the first year-over-year decline on record, per NAIC data cited in Aon's 2024 U.S. Cyber Market update. That's not a rounding error. The market collectively decided it had been overcharging.

Lockton reported an average 11% premium decline across its cyber portfolio, with coverage broadening at the same time, despite ransomware attacks hitting insurer earnings directly. And Swiss Re revised its global cyber premium growth forecast down to 5% for 2025, citing competition forcing concessions on rates, limits, and underwriting controls. Rates declined for the third consecutive year.

The loss ratios are part of the story too. AM Best put loss ratios in the 40% range for the sector, which is not the profile of a line that needs to hold firm on price. Carriers have been doing well. Retail clients haven't necessarily seen that reflected in their renewals.

What Retail Breach Costs Actually Look Like

Here's where the California angle gets complicated. I couldn't find primary retail-specific filing data from the California AG's breach database that would let me pin retail incident costs with precision. That gap matters, and I won't paper over it with a number I can't stand behind.

What we do have: NetDiligence's 2025 claims data puts average ransomware costs at $631,000 across all sectors. That's not retail-specific, but it's a useful anchor. For mid-market retail, with tighter margins and simpler IT environments than financial services or healthcare, there's a reasonable argument that actual incident costs skew lower than that average. I'd expect a regional retailer hit by ransomware to land well under $631,000 in total costs more often than not, but solid retail-segmented claims data is thin.

The M&S example is instructive even if it's a UK case. Marks & Spencer expects to recover over £100 million through cyber insurance after a major ransomware attack. That's a giant retailer with complex supply chain exposure. Most of your retail book doesn't look like M&S. Pricing it like it does is where the problem starts.

Concentration Is Down, Competition Is Up

One structural shift worth flagging: the top five US cyber insurers' combined market share dropped to 30% of written premiums in 2024, down from 48% in 2020. More carriers competing for the same accounts. That's downward pressure on price, and it gives you real leverage at renewal if you're willing to use it.

The carriers that built their retail cyber pricing on 2020-2022 loss experience are working from a dated model. The 30%-plus annual premium growth from 2017 to 2022 was a response to a genuine spike in losses. The market corrected. But not every underwriter recalibrated at the same speed, and retail has historically been bundled with higher-risk verticals when carriers build their cyber books.

What to Do With This at Your Next Retail Renewal

Push for loss ratio transparency on retail-specific accounts. If a carrier can't show you how their retail book has actually performed, that silence is informative. You have more market options than you did two years ago, and US premiums already dropped 7% in the prior year before the most recent data confirmed the trend continued. A retail account renewing flat or up deserves a hard question about what's driving that.

The incident volume is real. The UK's National Cyber Security Centre logged a 129% increase in nationally significant cyber incidents for the 12 months ending August 2025. Nobody's saying the risk disappeared. The argument is that the pricing stopped tracking the actual cost of that risk in retail specifically, and the broader market data backs that up. Your retail clients are likely subsidizing somebody else's loss history.

Tags: retail, cyber insurance, premiums, breach costs, California
