
Soft Market, Hard Truths: Governing Cyber Like Property Before The Market Turns

The cyber insurance market is experiencing a period of relative calm. Premiums have softened, capacity has expanded, and underwriting pressure has eased compared to the hard market conditions of recent years. For many risk pools, this is a welcome reprieve after navigating prolonged pricing volatility and structural tightening.

But beneath the surface calm, underwriting scrutiny is increasing.

Insurers and reinsurers are asking more rigorous questions about aggregation, systemic exposure, and portfolio trajectory, and their expectations are becoming more precise even while pricing softens. They want evidence of baseline posture, concentration management, and trend improvement, not just attestations or activity reports. Markets are watching how risk behaves across portfolios, even if premiums do not yet reflect that scrutiny.

Softer pricing should not be mistaken for reduced expectations. For risk pools, this moment is not a signal to relax. It’s a window to begin governing cyber risk with the same discipline long applied to property—before the market tightens again.


The Real Disconnect: Pricing Is Down, Exposure Is Not

While competition among carriers has driven premiums down, cyber incidents continue to climb. Reported systemic and third-party incidents have increased 20% year-over-year, with many exposures still undermanaged across sectors.

Ransomware groups increasingly target shared vendors and cloud platforms. Zero-day vulnerabilities are exploited before a patch exists, and newly disclosed flaws are often weaponized within hours of disclosure, long before most organizations have patched. A single dependency can affect dozens, or hundreds, of members at once.

Recent incidents illustrate how quickly this risk can materialize. The PowerSchool breach exposed sensitive data across hundreds of school districts through a single widely used platform, demonstrating how concentration in shared systems can create portfolio-wide exposure. Similar patterns exist across pools, where municipal ERP providers, managed service providers (MSPs), or regional technology vendors often serve large portions of the membership.

These are not isolated risks. They are portfolio risks.

Insurance pricing may feel forgiving today, but correlated exposure accumulates quietly. When it surfaces, the market reacts quickly—and often bluntly.

The last hard market made this clear. Pools that could not evidence portfolio-level cyber posture faced higher premiums, elevated co-pays and deductibles, structural tightening, and reduced negotiating leverage—not always because losses had materialized, but because insurers lacked clarity.

And in the absence of evidence, markets default to conservative assumptions.


Cyber Has Become a Governance Issue

Cyber risk is no longer a collection of member-level IT projects. For risk pools, it has become a governance issue—one that affects renewal outcomes, aggregate exposure, and long-term insurability.

Property risk has long been governed through baselines, concentration analysis, trend evidence, and remediation tracking. Cyber now demands the same discipline.

Insurers are increasingly asking:

  • Where does risk concentrate across the portfolio?
  • How has the portfolio’s risk evolved over time?
  • Which systemic dependencies exist?
  • Are interventions measurably improving risk posture?

KYND’s recent analysis of 23 risk pools, representing more than 1,500 public entities, shows persistent control gaps across portfolios. Notably, nearly half (48%) of member entities do not encrypt sensitive data at rest. Encryption at rest limits the damage from lost or stolen devices, discarded media, and compromised storage or backups; it does not stop an attacker operating with valid credentials, but many breach-notification regimes treat properly encrypted data as not breached, so its absence turns those lower-skill events into reportable incidents and directly increases breach severity and insurer loss potential when aggregated across a pool. Individually, such gaps may appear as operational issues. In aggregate, they create concentration and systemic exposure.

Many pools have more cyber data than ever before—applications, scans, training metrics, and advisory reports. But fragmented data does not automatically translate into governance readiness. It does not produce defensible baselines, trend visibility, or credible insurer narratives. Insurability is ultimately a portfolio outcome, not a member outcome.

When visibility is fragmented, insurers apply blunt financial and structural controls. Premium increases, higher retentions, and tighter terms often reflect uncertainty just as much as loss history.

Portfolio visibility is no longer optional. It is the mechanism by which pools replace insurer uncertainty with evidence.

The Soft Market Is A Temporary Window

Insurance markets are cyclical. Pricing softens during periods of high competition and abundant capacity, but growing systemic exposure and deteriorating loss ratios eventually drive a correction. When that shift occurs, only pools that can demonstrate measurable portfolio governance will retain leverage.

The difference will not be activity. It will be evidence.

Soft market conditions create an opportunity for risk pools to strengthen governance deliberately—establishing portfolio baselines, identifying concentration risks, and demonstrating measurable improvement over time. Because when the market hardens again, the conversation will not center on how active a cyber program appeared. It will be about whether the portfolio was governed with discipline.

Pools that use this window to establish defensible baselines and evidence-driven governance will enter the next market cycle with leverage. Those that rely on favorable pricing alone may find that soft conditions masked structural vulnerability.

Insurers now underwrite cyber the way they underwrite property risk. The only question is whether pools are governing it that way too.