Cyber third-party claims rose 30% industry-wide in 2025, pushing the combined loss ratio to 53.0% for the first time since the COVID-era ransomware period, while eight consecutive quarters of rate cuts continued through Q1 2026 (AM Best, June 2026). The cause is structural rather than a frequency spike in the first-party claims that built most carrier triangles. Privacy class actions, regulatory investigations, and network liability suits develop over 36 to 60 months rather than the 12 to 18 months that characterize ransomware cleanup and business interruption. Actuaries running a single blended paid development pattern across a cyber book have a growing IBNR shortfall that compounds with each accident year the mix continues to shift.

What AM Best's June 2026 Report Shows

The AM Best market segment report released June 26, 2026 documented a second consecutive annual increase in the U.S. cyber insurance loss ratio, from 48.7% in 2024 to 53.0% in 2025. That 53.0% reading is the first above 50% since the pandemic-era ransomware surge, and it arrived while gross written premium was essentially flat at $7.5 billion. The nominal premium uptick from 2024 to 2025 traced entirely to Beazley relocating a block of offshore business to U.S. operations, not organic growth.

Surplus lines carriers, which now write close to two-thirds of all U.S. cyber premium, absorbed the sharper end of both trends. Their incurred loss ratio reached 55.9% in 2025 against 50.2% for admitted carriers. Third-party claims grew 40% at surplus lines writers versus 12% at admitted carriers. Christopher Graham, Senior Industry Analyst at AM Best, attributed the split directly to underwriting mix: "The gap is actually narrower than last year. But consecutive years of a higher incurred loss ratio suggest surplus lines carriers may be writing different business than admitted carriers, particularly business prone to a longer tail for which losses take longer to settle" (AM Best, June 2026). The report added that the surplus lines paid-loss development advantage earned when their books were first-party-dominated "may dissipate and possibly even turn the other way" as third-party exposure accumulates.

AM Best also flagged a pricing paradox. Rate cuts have persisted across eight consecutive quarters through Q1 2026, even as loss ratios rose in both 2024 and 2025. Most lines see softening arrest when ratios approach combined-ratio adequacy thresholds. In cyber, the backward-looking combined ratio still reflects 2022 and 2023 vintage business written at peak post-ransomware-surge pricing. The third-party claims generating the adverse development on those older accident years are only partially reflected in paid triangles at current evaluation ages; the full development will not be visible until 2028 and beyond.

First-Party and Third-Party: Why the Development Timelines Cannot Share a Triangle

The methodology problem begins with cash flow timing. First-party cyber losses, including ransomware extortion payments, business interruption, forensics fees, and notification costs, are cash-intensive at the earliest development ages. Vendors invoice quickly. Business interruption calculations settle within the policy period. Incident response firms submit final bills within weeks of engagement. By 18 to 24 months, a first-party cyber triangle is effectively mature: paid LDFs at the 12-to-24 month link ratio run in the 1.05 to 1.15 range for a seasoned book, and the tail factor beyond 36 months is typically 1.02 to 1.05. Chain-ladder on paid development is appropriate because cash flows and development are synchronized.

Third-party cyber claims behave like general liability. A privacy class action under the CCPA, BIPA, or a state data breach statute is filed months or years after the breach event. Case reserves at filing are conservative point estimates set under minimal facts. Discovery, motion practice, and class certification proceed over 18 to 36 months before settlement discussions become substantive. Cash payments are sparse until final resolution, which commonly arrives three to five years post-filing. Regulatory investigations by the SEC, FTC, or state attorneys general carry similar or longer timelines. Network liability indemnity demands, where the insured is sued by a downstream counterparty whose systems were compromised through the insured's breach, follow the same litigation-driven development arc.

The data privacy litigation environment intensified this problem substantially in 2025. More than 1,800 data privacy class actions were filed, representing more than 200% growth since 2022, with plaintiffs' firms now using mass arbitration tactics, cy pres settlement structures, and litigation funding to pursue breach claims that would previously have been uneconomic to litigate (Duane Morris Class Action Review, January 2026). A paid development triangle for third-party cyber at the 0-to-24 month range shows few cash outlays and produces LDFs that chain-ladder will multiply into implausibly large ultimate estimates. The history is too short, the early payments are too sparse, and the pattern is structurally different from the first-party claims that calibrated the historical triangle.

Building the Two-Component Development Triangle

The practical response splits the development analysis into two parallel triangles by claim type, tagged at assignment rather than at first payment.

Component 1 captures first-party claims, using paid development and chain-ladder as the primary method. The data quality for this component is relatively strong: cyber books from 2016 through 2022 are overwhelmingly first-party, and link ratios at the 12-, 24-, and 36-month evaluation ages carry reasonable credibility across most surplus lines and admitted carriers. Volume-weighted average paid LDFs through 36 months provide the base development pattern. The tail beyond 36 months is set as a judgment factor in the 1.02 to 1.05 range, reflecting near-complete development of ransomware and business interruption claims by that age. For pricing, the first-party a priori expected loss ratio can be derived from the carrier's own selected frequency and severity, loaded for incident response cost inflation and the shift in refusal-rate dynamics that has compressed extortion severity for a portion of the distribution.

Component 2 captures third-party claims separately, using incurred (reported) development rather than paid. The triangle is younger; most carriers began writing meaningful third-party volume after 2019, producing at most six to seven years of data at the most mature evaluation ages. Within this constrained history, volume-weighted average incurred link ratios at the 12-, 24-, and 36-month ages provide the development pattern, but the chain-ladder estimate for the current accident year cohort should be treated with skepticism. Sparse early incurred values in the triangle's immature diagonal create wide confidence intervals that chain-ladder amplifies into unrealistic ultimate selections.

Bornhuetter-Ferguson for the Third-Party Component

BF is the appropriate response when actual emerging losses are not reliable indicators of IBNR, which is exactly the condition the third-party cyber triangle presents in the first 24 months of development. The method blends an a priori expected loss ratio with the actual reported pattern, preventing chain-ladder from amplifying sparse early-period incurred amounts into implausible ultimates.

For the third-party component, the a priori ELR is best derived from two external anchors. The first is published ISO or NCCI Excess Loss Factors for errors-and-omissions or commercial general liability lines at the relevant per-occurrence limit; these provide market-calibrated benchmarks for the litigation-driven tail behavior that third-party cyber claims are exhibiting. The second is the pricing actuary's own selected expected loss ratio for the accident year, loaded through the rate filing process and reflecting the specific underwriting characteristics of the book. Where the two diverge, the blend should weight toward the external benchmark in the earliest development ages (where company experience is least credible) and toward the company ELR in later ages as the triangle matures.

IBNR under BF then equals the a priori ELR multiplied by the percent-unreported factor from the incurred development pattern at each evaluation age, times earned premium. The percent-unreported factor is one minus the reciprocal of the cumulative incurred LDF at that age: if the cumulative incurred LDF from current age to ultimate is 3.50, then 71.4% of losses are unreported and percent-unreported is 0.714. This structure carries most of the IBNR estimate from the a priori rather than from sparse early payments, which is the stabilizing property the third-party triangle needs when data is young and litigation volumes are accelerating.

Tail Factor Selection: The Judgment Problem Beyond 60 Months

The tail factor for the third-party component, from 60 months to ultimate, cannot be read from the data. The post-2016 modern cyber market provides at most eight to ten years of claims history; most carriers have no credible development observations beyond 48 months. Three approaches are available, and a combination is more defensible than any single method.

The first is curve fitting. The observed incurred development pattern through available ages can be fitted to a beta distribution or log-normal curve and extrapolated beyond the observed data range. The extrapolated tail factor is sensitive to the parametric choice and the observed tail shape, but a confidence interval around a curve-fitted tail is more informative than a point estimate drawn from four or five link ratios. Actuaries fitting the curve should test both the beta and inverse power distributions, as each produces different extrapolation behavior in the far tail.

The second is benchmark borrowing. ISO Errors and Omissions tail factors at the 60-month evaluation age provide an external calibration point for technology professional liability claims that share the litigation profile of third-party cyber. GL excess loss factors at comparable limits offer a second anchor. The selected cyber tail should be at least as large as the comparable E&O or GL benchmark; data breach class actions are, if anything, faster to file and potentially slower to settle than traditional E&O claims because of the mass arbitration and litigation funding tactics now embedded in privacy litigation strategy. A tail factor below the E&O analog needs an explicit actuarial justification.

The third is a conservative constant-tail assumption: apply a fixed residual tail consistent with long-tail casualty norms (typically 1.10 to 1.25 at 60 months to ultimate for a GL-like line) and document explicitly that it is a professional judgment based on analog lines rather than observed cyber development beyond available ages. This approach is simplest and most transparent for reserve opinion documentation under ASOP No. 41.

Reweighting the Composite as the Third-Party Share Grows

A carrier whose third-party share of earned cyber premium rose from 20% in 2022 to 35% in 2025 cannot apply last year's blended LDF to the current book. The composite LDF is a premium-weighted average of the Component 1 and Component 2 factors. When the Component 2 weight rises by 15 percentage points over three accident years, the composite LDF changes materially each year even if neither component's own LDF moved. Actuaries who track a single blended triangle will see their historical link ratios understating the current accident year's development, because the 2022 to 2024 diagonal is dominated by the faster first-party pattern that was the larger share when those claims developed to their current evaluation ages.

The correct method is to split the triangle, compute each component's LDF, and rebuild the composite bottom-up using the accident-year premium share for each component. This requires the claims system to tag claim type at assignment. Carriers that cannot split existing triangles retrospectively can apply an approximate correction: quantify the premium-share shift between the oldest and newest accident years, derive the implied composite LDF from the two-component system at the old and new weights, and use the weighted average rather than reading the blended historical factor directly. The adjustment is not small. Moving from a 20/80 third-to-first-party split to a 35/65 split on a combined LDF of 1.40, where the third-party component carries a 1.90 factor and the first-party carries a 1.25 factor, shifts the composite LDF to roughly 1.48, an 8-point gap that flows directly into IBNR.

Social Inflation in Third-Party Cyber Litigation

Historical third-party cyber LDFs, to the extent observable from 2019 to 2024 accident years, reflect a privacy litigation environment materially less aggressive than 2025 and 2026. Data privacy class actions grew more than 25% in 2025 relative to 2024, with plaintiffs' firms now deploying litigation funding, coordinated mass arbitration, and cy pres settlement structures to pursue breach claims that would have been uneconomic to litigate five years earlier (Duane Morris Class Action Review, 2026). The same social inflation trends driving adverse LDF development in casualty loss development factors, including nuclear verdict pressure and expanded settlement expectations in data-sensitive cases, now apply to third-party cyber.

An explicit upward LDF trend of 2 to 5% per year on the third-party development pattern is supportable from the class action volume growth and the trajectory of settlement sizes in major CCPA and BIPA matters. The CAS Working Party's social inflation trend-selection methodology for long-tail casualty lines provides the framework: isolate the time trend in the development pattern itself (the diagonal trend in the triangle, not just the ultimate trend), attribute the portion attributable to legislative and litigation environment changes rather than underwriting mix, and apply a prospective adjustment to the selected LDF. Importing the more benign 2019 to 2022 settlement patterns into reserves for 2025 and 2026 accident years, in a litigation environment that has expanded by 200% in class action volume since 2022, understates the tail for the exact claims that AM Best has now flagged as the market's primary reserve uncertainty.

Reserving and Pricing Implications

Surplus lines actuaries face the most acute version of this problem. Their carriers concentrated third-party cyber exposure when surplus lines was the natural home for non-standard cyber risk; now that third-party claims are growing 40% per year in their books, those same actuaries are furthest from having credible third-party development data. The combination of a 55.9% incurred loss ratio, eight consecutive quarters of rate cuts, and a systematic IBNR shortfall from blended paid triangles leaves minimal margin for underpricing 2026 accident years.

The two-component framework is not methodologically exotic. It is the same approach property-cat actuaries apply when separating attritional from catastrophe reserves, applied to a line where the taxonomy is claim type rather than peril. The BF method has the stabilizing property the third-party triangle needs: when paid activity is sparse in the early development ages, the a priori loss ratio carries most of the IBNR estimate rather than amplifying the sparse actual into an implausible ultimate. As the book matures and more third-party claims reach settlement, the credibility weight shifts gradually from the a priori to the observed development, which is exactly the convergence behavior a reserving actuary needs when the underlying data history is short and the claim type is evolving rapidly.

Actuaries who implement the split now, and carry explicitly selected tail factors beyond 60 months with documented analog-line benchmarks, will hold materially more adequate reserves into the casualty-like tail that AM Best's June 2026 report makes explicit. Those who continue running a single paid triangle across the two fundamentally different claim types will find themselves strengthening reserves in precisely the market environment where rate adequacy is already eroding and the litigation environment is still accelerating.

Further Reading on actuary.info

Sources

  1. Insurance Journal: US Cyber Insurance Market Sees Flat Premium, More Third-Party Claims Hit Loss Ratio (June 30, 2026)
  2. The Insurer: US Cyber Market Splitting Into Distinct Segments as Loss Ratios Climb, AM Best Says (June 26, 2026)
  3. Reinsurance News: AM Best Reports Split in US Cyber Insurance Market as Losses and Pricing Pressures Shift (June 2026)
  4. AM Best Market Segment Report: US Cyber Market's Premium Grows Slightly; Surplus Lines Writers Continue to Increase Role (June 2026)
  5. Duane Morris Class Action Review 2026: Comprehensive Analysis of Class Action Litigation (January 2026)
  6. Stinson LLP: A New Era of Comprehensive Privacy Laws and the Surge in Data Privacy Litigation (2026)