March 13, 2025

The Cyber Insurance Paradox: Why Coverage Alone Won't Protect Your Portfolio

By Laszlo Gonc - Partner, Digital Risk Management at Sparc Partners

In today's digital-first world, cyber threats aren’t just possible; they’re inevitable. 

Over the years, while talking with countless business leaders, we’ve seen a clear shift in how companies approach cybersecurity. It’s not just about prevention; it’s about preparation. It’s a matter of when, not if, an incident will occur. That’s where cyber insurance becomes critical. 

Last month, I interviewed Jay Shelton, an insurance cyber risk expert at Marsh McLennan Agency, during Sparc Partners' fireside chat at the Private Capital Global Chicago Conference, "AI-Powered Risk Management: Reduce Exposure, Secure Returns." His insights on the evolving cyber insurance market offered practical guidance for private equity firms and their portfolio companies navigating this complex terrain. Here's what you need to know.

The Shifting Cyber Insurance Market

If you've been watching cyber insurance premiums over the past few years, you've likely experienced whiplash. The market has undergone dramatic fluctuations – from extreme premium increases during the pandemic to what Mr. Shelton describes as a "very soft" market today, with rates decreasing by approximately 80% from their peak.

This post-COVID softening presents an attractive opportunity for buyers. Traditional insurers are re-entering the space and expanding their coverage offerings, while cyber-focused insurers continue to refine their specialized underwriting. The difference between these two types of carriers is notable, and it matters when you choose one.

"Traditional insurers are adding coverages and returning to the market," Mr. Shelton explains, "while cyber-focused players rely heavily on thorough cybersecurity review processes and benefit from having fewer legacy claims."

Cyber-focused insurers take a different approach than legacy carriers. They conduct extensive cybersecurity risk reviews before issuing a policy and use external, near-real-time security scans of the applicant to refine pricing. Because they carry fewer legacy claims, they can often price more competitively.

Traditional insurers are catching up by investing in AI-driven risk assessment tools. They might not be as nimble as the cyber-specialists, but they bring decades of insurance experience to the table.

For organizations, this means more options and the need for more discernment when selecting a carrier that aligns with your unique risk profile.

I found it interesting that the market is evolving so quickly. As Mr. Shelton put it, "The cyber insurance landscape today barely resembles what it looked like ten years ago."

What's Triggering Claims These Days

When I asked about the most common types of claims, Mr. Shelton confirmed what I suspected — ransomware remains the leading driver. What was more notable was the rise in social engineering claims, such as CEO fraud (a form of business email compromise), where attackers impersonate executives to trick employees into wiring funds or disclosing sensitive information.

Learning why cyber claims are denied or payments are delayed was even more insightful and, at the same time, concerning. The three main reasons are:

  1. Failure to meet the policy's security requirements (such as not enforcing multi-factor authentication or leaving known vulnerabilities unpatched),
  2. Gaps between what the policy expects (the controls attested to on the application) and the security practices actually in place, and
  3. Failing to obtain the carrier's prior approval for expenses, or engaging providers outside the carrier's panel (forensics firms, counsel, restoration vendors) without its approval.

The AI Factor in Cyber Insurance

AI is reshaping both sides of the cyber insurance equation. On the one hand, we're seeing more AI-generated fraud. Deepfakes and automated phishing attacks are increasingly sophisticated and challenging to detect.

In response, some insurers now include affirmative AI endorsements to clarify coverage. However, there's still legal uncertainty over whether AI-driven attacks qualify as insurable events in all cases.

"We're in uncharted territory with AI," Mr. Shelton explained. "The technology is evolving faster than policy language can keep up."

The OFAC Complication You Need to Know About

Many businesses are unaware of how OFAC (Office of Foreign Assets Control) sanctions affect ransom payments. If the attacker is a sanctioned entity, or is operating from a sanctioned jurisdiction such as Iran or North Korea, or is one of the sanctioned groups operating out of Russia, paying the ransom can itself be a sanctions violation, and your insurer may not cover the payment. OFAC has stated that it can impose civil penalties on the payer even when the payer did not know the recipient was sanctioned, and attribution is often uncertain in the first days of an incident, which is exactly when the payment decision has to be made.

Mr. Shelton recommended establishing proactive ransomware mitigation strategies, such as maintaining offline backups and implementing network segmentation. “The best defense is being able to recover without paying the ransom," he advised.

The best protection? Recovery capability that is tested, not assumed: offline or immutable backups, documented restore procedures, and periodic restore drills, so that paying a ransom is never your only route back to operations.

Hidden Cyber Risks in M&A Transactions

Mr. Shelton highlighted a critical blind spot for private equity firms and companies involved in acquisitions: Hidden cyber liabilities in M&A deals.

"Many firms inherit cyber risks from newly acquired companies without realizing it," he explained. "I've seen cases where undisclosed cyber insurance obligations led to unexpected liabilities after the deal closed."

His best practices for cyber risk assessment in M&A include:

  • Using external attack surface rating tools such as BitSight or SecurityScorecard to assess the target's externally visible risk,
  • Evaluating the target's existing cyber insurance policies for coverage gaps and unexpired obligations,
  • Conducting cybersecurity risk assessments to gauge actual exposure,
  • Performing penetration testing before acquisition, and
  • Ensuring portfolio-wide cyber policy alignment to reduce systemic risk.

The Business Interruption Challenge

One of the most challenging aspects of cyber insurance claims is quantifying business interruption losses. Mr. Shelton noted that many businesses struggle to prove precisely how much revenue they lost due to a cyber incident.

"Insurers require historical revenue data to validate claims," he explained. "Without proper documentation, you might only recover a fraction of your actual losses."

His advice? Maintain detailed financial records that can prove lost revenue, work with forensic accountants to substantiate claims, and ensure your company thoroughly documents downtime and incident impact.

What Insurers Are Looking For

When I asked what cyber insurers evaluate when determining premiums, Mr. Shelton outlined a few key factors:

  • Essential cybersecurity controls, such as multi-factor authentication (MFA), endpoint detection and response (EDR), encrypted and offline backups, employee training, and dual authorization for payments (two approvers for any funds transfer),
  • Ethical hacking and red teaming, which uncover weaknesses before attackers do, and
  • Comprehensive breach response planning; firms with tested plans secure better policy terms.

He stressed that implementing good security practices isn't just about getting a lower premium; it's about qualifying for coverage at all. Many insurers now simply won't cover businesses without these basic protections, and the controls attested to on the application become warranties that are checked again when a claim is filed.
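As an added example, not from the article or from either speaker: a small Python check that maps the warranties above (MFA on remote access, EDR coverage, patching, encrypted and restore-tested backups, dual authorization for payments) onto evidence from an asset inventory and lists the gaps that would otherwise surface at claim time. It also covers the first two claim-denial reasons from the earlier list. The dataclass fields, the threshold values in `Warranties`, and the inventory in `run_example()` are assumptions constructed for illustration; real thresholds come from your own policy application and its warranties.

```python
"""
Added example (not the article's content): a policy-warranty gap check.
Turns the controls an insurer typically warrants into measurable tests over an
asset inventory and reports every gap. All data and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    edr_agent: bool
    patch_age_days: int        # days since the last security patch was applied


@dataclass(frozen=True)
class Account:
    user: str
    remote_access: bool        # VPN, RDP, webmail or other externally reachable login
    mfa_enforced: bool


@dataclass(frozen=True)
class BackupSet:
    name: str
    encrypted: bool
    offline_or_immutable: bool  # cannot be altered or deleted from the production network
    last_restore_test: date | None


@dataclass(frozen=True)
class Warranties:
    """Thresholds as an application might word them (assumed, illustrative values)."""
    edr_coverage_min: float = 1.0          # fraction of endpoints that must run EDR
    patch_sla_days: int = 30               # max age of an outstanding security patch
    restore_test_max_age_days: int = 90    # backups must be restore-tested this often
    dual_auth_threshold: float = 10_000.0  # payments above this need two approvers


def assess(hosts, accounts, backups, dual_auth_above, warranties, today):
    """Return (control, detail) pairs for every warranty the evidence fails."""
    gaps: list[tuple[str, str]] = []

    # MFA: every externally reachable login must have MFA enforced.
    for acct in accounts:
        if acct.remote_access and not acct.mfa_enforced:
            gaps.append(("MFA", f"remote-access account {acct.user} has no MFA"))

    # EDR: coverage fraction across the fleet, naming the uncovered hosts.
    covered = sum(1 for h in hosts if h.edr_agent)
    if hosts and covered / len(hosts) < warranties.edr_coverage_min:
        missing = ", ".join(h.name for h in hosts if not h.edr_agent)
        gaps.append(("EDR", f"{covered}/{len(hosts)} endpoints covered; missing: {missing}"))

    # Patching: any host older than the SLA is an "unpatched vulnerability" finding.
    for h in hosts:
        if h.patch_age_days > warranties.patch_sla_days:
            gaps.append(("Patching", f"{h.name} is {h.patch_age_days} days behind (SLA {warranties.patch_sla_days})"))

    # Backups: encrypted, isolated from production, and proven restorable recently.
    for b in backups:
        if not b.encrypted:
            gaps.append(("Backups", f"{b.name} is not encrypted"))
        if not b.offline_or_immutable:
            gaps.append(("Backups", f"{b.name} is reachable from production (no offline/immutable copy)"))
        if b.last_restore_test is None:
            gaps.append(("Backups", f"{b.name} has never been restore-tested"))
        elif (today - b.last_restore_test).days > warranties.restore_test_max_age_days:
            age = (today - b.last_restore_test).days
            gaps.append(("Backups", f"{b.name} last restore test was {age} days ago"))

    # Payments: the dual-approval threshold must be at or below the warranted one.
    if dual_auth_above is None or dual_auth_above > warranties.dual_auth_threshold:
        gaps.append(("Payments", "dual authorization not enforced at the warranted threshold"))

    return gaps


def run_example():
    """Constructed inventory with deliberate gaps; returns the findings."""
    today = date(2025, 3, 13)
    hosts = [Host("fs01", True, 12), Host("dc01", True, 8), Host("legacy-erp", False, 120)]
    accounts = [Account("alice", True, True), Account("bob", True, False), Account("svc-backup", False, False)]
    backups = [
        BackupSet("nightly-full", True, False, date(2024, 9, 1)),   # online, stale restore test
        BackupSet("offsite-tape", True, True, date(2025, 2, 20)),   # compliant
    ]
    return assess(hosts, accounts, backups, dual_auth_above=25_000.0,
                  warranties=Warranties(), today=today)


if __name__ == "__main__":
    for control, detail in run_example():
        print(f"[{control}] {detail}")
```

The point of the exercise is reason number two on the denial list: the application says "MFA everywhere" and "backups tested quarterly", and the claim adjuster asks for the evidence. Running a check like this against live inventory before renewal, and keeping its output, is cheaper than discovering the gap during a claim.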

Mr. Shelton emphasized that cyber insurance should be viewed as a financial risk transfer tool, not a security substitute. "You must spend on prevention first," he advised, "but expect an attack to happen anyway."

Why Having Cyber Insurance Isn't Enough

Perhaps the most valuable insight from our conversation was learning that having a cyber insurance policy doesn't guarantee you'll be covered when an incident occurs.

"Firms need to maintain a breach response plan to ensure claims are paid," Mr. Shelton explained. "There's often a disconnect between stated policies and actual response execution."

To avoid claim denials, he recommended:

  • Pre-selecting a breach coach (privacy counsel) independent of the insurer, and confirming in advance that the carrier will accept them (on its panel or pre-approved by endorsement), since using an unapproved provider is itself a reason claims get denied,
  • Following the incident response and notification steps required by your policy, including the deadline for notifying the carrier, and
  • Understanding the carrier's 'Reservation of Rights' letter: it keeps the claim open while coverage is under review, but it also preserves the insurer's right to deny later, so respond promptly and completely to its requests for information.

How to Select the Right Cyber Insurance

Over the past few years, I've learned that choosing the right cyber insurance is about ensuring coverage works when you need it, not just price. The right policy should align with your firm’s risk profile, industry threats, and the unique exposures of your portfolio companies. Mr. Shelton recommends working with insurers experienced in PE and portfolio companies, as different sectors have different risk profiles. 

My takeaways from our conversation:

  1. Evaluate claims-handling reputation and responsiveness – this matters greatly during a crisis,
  2. Assess policy breadth – coverage should align with evolving threats; different industries have differing threat landscapes, and
  3. Consider financial stability and longevity – cyber-specific insurers may offer better pricing but stricter risk controls.

There are trade-offs between cyber-specific and general insurers. Cyber-specific insurers offer better risk modeling but stricter underwriting, while general traditional insurers have broader portfolios but may lack risk insight specific to your needs.

Future Trends to Watch

Looking ahead, Mr. Shelton identified several trends that will shape cyber insurance:

  • Policy language will continue evolving to explicitly address AI-driven threats,
  • Regulatory changes, like the SEC rule requiring public companies to disclose a material cyber incident on Form 8-K within four business days of determining that it is material, will force greater transparency, and
  • AI will enhance risk underwriting and enable real-time risk modeling, but AI-driven threats will simultaneously force insurers to adjust coverage limits and exclusions.

Final Thoughts

Cyber insurance is essential, but it's only one piece of the puzzle. Organizations need to integrate cyber risk assessments into their overall risk management strategy; relying on insurance alone is risky, and strong cybersecurity practices remain critical. Businesses that document their losses properly generally secure better payouts. And regulation and AI-driven threats will continue to reshape policy language.

Mr. Shelton’s three key takeaways from our discussion:

  • Spend on prevention first – cyber insurance is valuable, but strong cybersecurity practices must come first,
  • Be prepared for a hack – even with the best security, incidents will happen, and
  • Balance prevention with financial risk management – cyber insurance should be part of a broader risk strategy.

He referred to this as the "three-legged stool" approach, which involves balancing security, incident preparedness, and financial risk transfer.

As we look ahead to an increasingly complex threat landscape, the organizations that will best manage cyber risk view insurance as just one component of a comprehensive strategy. The convergence of AI, regulatory requirements, and evolving attack vectors demands a dynamic approach that combines technical controls, incident response readiness, and financial risk transfer mechanisms. 

By taking this integrated approach, businesses can survive cyber incidents, maintain resilience, and gain a competitive advantage in an environment where digital trust has become a critical business differentiator.

About the Author: This piece was authored by Laszlo Gonc, Partner of Digital Risk Management, AI/ML and Cybersecurity at Sparc Partners and CEO of Next Era Transformation Group. Laszlo is a seasoned leader in cybersecurity, AI/ML, and digital risk. A sought-after keynote speaker and advisor, he helps organizations navigate digital transformation, leveraging AI/ML to drive growth and cybersecurity to protect operations. Laszlo serves on several advisory boards, holds a CISSP certification, and is a Digital Directors Network QTE.

About Sparc Partners: Sparc Partners provides tailored executive search, leadership consulting, and a full spectrum of advisory services. We work closely with organizations in the Private Capital sector, including Private Equity (PE), Venture Capital (VC), Mergers & Acquisitions (M&A), and Family Offices. Connect to learn more: Sparc Partners
