The cyber insurance market has reached a turning point in 2026, squeezed between two opposing forces. On one side, competitive pressure from new entrants and surplus capacity is pushing premiums lower. On the other, the threat landscape is expanding rapidly as generative AI enables sophisticated new attack vectors, particularly deepfake-powered social engineering. The result is a market in transition, where pricing discipline is eroding while the risks being insured are growing more complex.
According to Carrier Management, insurers describe the market as experiencing "soft market pressures" with heightened competition for accounts. Premium rates are flat to declining for well-managed risk profiles, while capacity has expanded as reinsurers seek to grow their cyber books. This sounds like good news for businesses buying coverage, but it raises questions about whether insurers are adequately pricing the emerging risks they are taking on.
The Deepfake Problem
- Deepfake technology can clone voices and faces with 90%+ accuracy using 30 seconds of audio
- Social engineering attacks using deepfake CEO impersonation have increased 400% since 2024
- Average loss per deepfake-enabled fraud: $243,000 for mid-market companies
- Video deepfakes used in business email compromise (BEC) attacks tripled in 2025
- Only 23% of cyber policies explicitly cover deepfake-related losses
How Deepfakes Change the Threat Model
Traditional social engineering attacks, such as phishing emails and CEO fraud, relied on text-based deception. Employees trained to spot suspicious emails could often identify the threat. Deepfake technology eliminates this defense. A phone call from a cloned CEO voice directing a CFO to wire funds sounds identical to the real person. A video call featuring a synthetic face that matches the CEO's appearance passes visual verification.
In February 2026, a Hong Kong-based multinational reported losing $25 million after a deepfake video call impersonated the company's CFO and instructed staff to process transfers. The attack used publicly available conference footage to train the AI model. Six other confirmed deepfake-enabled frauds exceeding $5 million occurred in the first quarter of 2026 alone.
"Deepfakes have fundamentally changed social engineering risk," said Joshua Motta, CEO of Coalition, a cyber insurance provider. "The old playbook of training employees to verify requests through visual or voice confirmation no longer works when AI can replicate both perfectly. We need new verification protocols, and cyber insurance policies need to explicitly cover these attacks."
How Insurers Are Responding
Coalition expanded its cyber coverage in Canada with an "Active Cyber Policy" that explicitly covers AI-driven attacks, including deepfake-enabled social engineering and funds transfer fraud. The policy offers reduced retention (deductible) for companies that report suspected fraud within 24 hours, incentivizing rapid incident response.
BreachRx launched a cyber incident response management warranty providing up to $3 million in liability protection for executives and corporations facing cyber incidents. The product addresses the growing personal liability risk for C-suite executives in the wake of SEC cybersecurity disclosure rules.
What Businesses Should Do
Review your cyber insurance policy for deepfake and social engineering coverage. Many policies exclude or limit coverage for voluntary funds transfers, which is how deepfake fraud typically works. Request explicit coverage for AI-driven attacks. Implement multi-factor verification for financial transactions: require email confirmation plus callback to a known number (not the number provided in the request) for any transfer above a threshold. Consider adding AI-powered voice verification tools that detect synthetic audio in real time.
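The callback rule above can be enforced in the payment workflow rather than left to judgment during a call. The following is an added example, not code from the article or any vendor it names; the threshold, the directory contents and all field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
import re

# Assumed threshold; the article does not name a figure.
CALLBACK_THRESHOLD = Decimal("10000")

# Constructed directory of known numbers, maintained independently of any request.
KNOWN_NUMBERS = {"cfo@example.com": "+1 416 555 0100"}


@dataclass
class TransferRequest:
    requester: str                    # claimed identity of the person asking
    amount: Decimal
    contact_number: str = ""          # number offered in the request; review() never trusts it
    email_confirmed: bool = False     # confirmation received over email
    callback_dialed: str = ""         # number the approver actually called
    callback_confirmed: bool = False  # person reached on that call confirmed the transfer


def normalize(number: str) -> str:
    """Reduce a phone number to digits so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


def review(req: TransferRequest) -> tuple[bool, list[str]]:
    """Return (release, blocking_reasons) for a transfer request."""
    if req.amount <= CALLBACK_THRESHOLD:
        return True, []
    reasons = []
    known = KNOWN_NUMBERS.get(req.requester.lower())
    if not req.email_confirmed:
        reasons.append("no email confirmation")
    if known is None:
        reasons.append("requester has no known number on file")
    elif not req.callback_confirmed:
        reasons.append("no confirmed callback")
    elif normalize(req.callback_dialed) != normalize(known):
        # A confirmed call to the number supplied in the request proves nothing.
        reasons.append("callback went to a number that is not the one on file")
    return (not reasons), reasons
```

A request is released only when the callback reached the directory number, so a convincing voice on a number supplied by the caller still fails the check.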
Market Outlook
Some forecasts project that cyber insurance could surpass the traditional property and casualty market by 2035, potentially reaching $37 billion in annual premiums. The growth trajectory reflects the expanding digital attack surface and regulatory requirements for cybersecurity insurance. For businesses, the key takeaway is to secure adequate coverage now while premiums remain soft. When a major systemic cyber event triggers significant losses across the industry, pricing discipline will return quickly.