The cyber insurance market has been hardening for three years. Underwriters are more selective, capacity is constrained in certain segments, and clients are asking harder questions about what their coverage actually includes. For brokers, this environment creates both pressure and opportunity — pressure to justify their value in a market where placement is harder, and opportunity to differentiate through expertise that clients genuinely need.
Privacy risk is one of the clearest areas where brokers can build that differentiation. The gap between what clients understand about their privacy exposure and what underwriters are beginning to assess is significant, and brokers who can bridge that gap — who can help clients understand and address their privacy risk before it becomes a claim or a coverage problem — are providing value that commodity brokers cannot replicate.
Cyber insurance claims have shifted meaningfully over the past four years. Ransomware events, which dominated claims activity from 2019 through 2022, have been partially addressed through improved security controls and more rigorous underwriting requirements. As ransomware frequency has moderated (though not disappeared), privacy litigation has become a larger share of the claims landscape.
Claims under the Illinois Biometric Information Privacy Act (BIPA), class actions under the Video Privacy Protection Act (VPPA), state wiretapping litigation under the California Invasion of Privacy Act (CIPA) and similar statutes, and FTC enforcement actions have all produced significant loss events. Underwriters who track their privacy litigation claims carefully are noticing patterns that weren't visible in aggregate loss data: the companies filing privacy litigation claims often have good security ratings. They passed questionnaire review. Their controls looked fine. The exposure that drove the claim was invisible to traditional underwriting tools.
Forward-looking underwriters are beginning to ask different questions. They are requesting information about third-party tracking technology deployments. They are asking about consent mechanisms for data collection. They are inquiring about biometric data handling. For brokers whose clients haven't assessed these exposures, this creates a difficult situation at renewal.
Most mid-market and enterprise clients have significant gaps in their understanding of their own privacy risk. This is not a failure of sophistication — it reflects the genuinely difficult problem of tracking privacy behavior across complex organizations where marketing, technology, legal, and operations teams make decisions with privacy implications without coordinating through a central privacy program.
The specific gaps that appear most frequently:
Third-party tracking deployments that predate or bypass current privacy review. Marketing teams add pixels through tag management systems. Vendors include tracking code in their implementations. Website code gets updated without privacy review. The result is that the actual set of third-party data flows from a company's digital properties often doesn't match what the privacy team believes or what the privacy policy describes.
Biometric data collection that isn't recognized as such. Timekeeping systems, access control systems, and customer service tools increasingly include biometric components — fingerprint readers, facial recognition, voice analysis — that create BIPA and similar exposures the company hasn't assessed. The exposure often lives in vendor products, not in internally-developed software, which makes it easy to miss in privacy program reviews.
Privacy policies that don't accurately describe current practices. Privacy policies are typically written by legal teams at a point in time and updated infrequently. Technology practices change faster than legal documents. The gap between what the policy says and what the technology actually does is a core element of FTC enforcement theory and a common factor in state attorney general investigations.
Brokers who understand privacy risk can help clients assess and address these gaps before they create underwriting problems or claims. This requires building advisory capability that most insurance brokers haven't traditionally needed — but it creates significant client retention and relationship value.
The most direct way brokers can add value is by helping clients assess their privacy risk posture before the underwriting conversation. An outside-in assessment — the kind that privacy risk intelligence platforms can provide — gives clients a view of their observable privacy behavior: what data flows exist, what tracking technologies are deployed, how consent mechanisms compare to legal requirements, and where the highest-priority exposures lie.
A client who has completed this assessment before the renewal conversation is in a fundamentally different position than one who is encountering these questions for the first time from an underwriter. They have answers. They can demonstrate awareness and remediation. They can negotiate from a position of knowledge rather than uncertainty.
Privacy litigation claims sometimes fall into coverage gaps that clients don't discover until after a suit is filed. VPPA statutory damages, regulatory fines under state privacy laws, and biometric privacy class action settlements may or may not be clearly covered under standard cyber policy language. Brokers who have analyzed their clients' actual privacy exposure can identify whether coverage aligns with risk and advocate for appropriate coverage terms.
For clients with significant identified privacy exposure, brokers can provide — or facilitate — risk improvement consultation that addresses specific issues before they become claims. Identifying and remediating VPPA exposure through pixel management and consent mechanisms, for example, is both a compliance improvement and an underwriting factor that sophisticated carriers will recognize.
The brokers who are building privacy risk advisory practices are doing so because the market is moving in that direction whether or not they lead it. Underwriters are beginning to assess privacy risk more rigorously. Clients are facing claims driven by privacy theories. Regulators are increasing enforcement activity across all twenty state privacy frameworks.
Brokers who get ahead of this shift — who can speak fluently about VPPA exposure, biometric privacy risk, consent mechanism quality, and the regulatory landscape — are positioning themselves as essential advisors rather than placement intermediaries. In a hardening market where differentiation is increasingly about expertise, that positioning is worth building.