hugo
ResearchBook demo
← Research

Market

Why Cyber Loss Ratios Stay Above 70 Percent

Industry cyber loss ratios have hovered above 70 percent for most of the past decade. Pricing has been raised, then lowered, then raised again. The line still loses money for most of the carriers writing it. The fix is selection, not price.

Noah Kanji
Noah KanjiCo-founder and CEO, Hugo
PublishedMay 5, 2026
Read6 min
Why Cyber Loss Ratios Stay Above 70 Percent

The number every cyber CUO knows by heart: industry loss ratios on cyber have stayed above 70 percent for most of the past decade. Rate hardened in 2021 and 2022. It softened again in 2024. The line is still unprofitable for most of the carriers writing it, even after the hard market.

The reflexive answer is that pricing must be wrong. The carriers who have actually broken the pattern do something different. They select better.

The cyber book that beats the index is not the one with the highest rate. It is the one whose worst risks were declined or surcharged before they were ever quoted.

Why pricing alone does not fix cyber

Three structural reasons rate hikes underperform expectations on cyber:

  1. Loss severity is bimodal. Most cyber accounts have a small loss frequency or none at all. A small share of accounts drive the catastrophic losses. Rate, applied across the whole portfolio, taxes the well-controlled accounts and underprices the badly controlled ones.
  2. Threat actors adapt faster than rate filings. By the time a carrier has loss data showing that a class of risk has deteriorated, the threat has already moved. Rate is always backward looking.
  3. Brokers route on price. When a carrier raises rate without raising the bar on selection, the better risks shop away first. The carrier ends up with concentrated exposure in the risks that no one else would write.

What better selection looks like in practice

The carriers running below the industry loss ratio share three habits. None of them are exotic.

  • They read the SOC 2 in full, not the executive summary. They map controls to their appetite. They reconcile application claims against control evidence.
  • They treat attack surface data as a leading indicator, not a feature. An insured with a high score on the standard third-party rating tools is a relatively safer risk. An insured with a low score and no remediation plan is a decline, regardless of price.
  • They track decline rationales as a portfolio metric. Carriers who measure why they decline what they decline can spot drift in their appetite before it shows up as a loss ratio change.

Why this is hard to do at scale

The selection work above takes time. A senior cyber underwriter can do it on three or four submissions a day. The same desk receives twenty. The math does not close. Two outcomes follow:

  • Submissions get rushed. The underwriter does the application, skims the SOC 2, glances at the loss runs, and quotes. Selection quality drops, especially at the tails of the distribution where the worst risks live.
  • Submissions get triaged out. The desk declines the harder cases by reflex because there is no time to read them properly. Some of those declines are good risks. The carrier loses access to its best potential renewals.

Either way, the loss ratio stays above 70 percent.

Where AI changes the equation

The structural fix is to make the selection work scalable without lowering its quality. The senior underwriter still makes the bind decision. The AI does the reading. Specifically:

  • Hugo reads every page of the SOC 2 against the carrier's appetite and the application's claims.
  • Hugo pulls attack surface data through the carrier's existing feeds and incorporates it into the memo with citations.
  • Hugo writes the decline rationale in clear language so the broker knows what would have to change for the risk to fit, and so the portfolio can track decline reasons in aggregate.

The math changes. A senior underwriter who could review three submissions a day with this work assist can credibly review fifteen. Selection quality goes up, not down. That is what separates the cyber books that beat the index from the ones that track it.

What we would not claim

AI does not invent new information. If the submission does not include a SOC 2, Hugo cannot read one. If the application is missing a key supplemental, Hugo cannot fill it in. If the broker is hiding a prior loss, Hugo will not surface it unless there is corroborating evidence in the submission. The contribution is leverage on the underwriter, not omniscience.

The carriers who fix their cyber loss ratios in the next two years will be the ones who pair tighter selection with the work assist that makes tighter selection possible at volume.

Frequently asked

Questions readers ask

Where does the 70 percent figure come from?
Industry trade publications and rating agencies have reported cyber direct loss ratios above 70 percent for most of the past decade, with peaks well above that during ransomware-driven years. The exact number varies by data source and year. The point is structural, not the precise figure.
Does this apply to all cyber, or only standalone primary?
The pattern is most acute in standalone primary cyber. Excess and reinsurance behave differently because the primary layer absorbs the high-frequency losses. The selection argument still applies on excess: better selection on the underlying primary book improves the excess layer's behavior.
How quickly does Hugo affect a portfolio's loss ratio?
Selection effects compound through the renewal cycle. A carrier that improves selection at new business sees the impact 12 to 24 months later when the bound year has matured. Hugo's faster impact is on quote turnaround and decline quality, both of which affect broker routing inside one quarter.