I recently sat down with two leaders in cyber insurance to discuss the rapidly changing landscape of cyber risk and coverage. Neel Desai, Senior Vice President at Lockton’s Cyber and Technology Practice, and Laura Hawkins, Assistant Vice President, Claims at At-Bay, shared invaluable insights from their unique vantage points—Neel from the brokerage side and Laura from the claims management side.
What emerged from our conversation was a picture of an industry in flux: while the soft market has created opportunities for coverage expansion and rate relief, new challenges around litigation, AI, and business interruption continue to reshape how organizations approach cyber insurance.
The new economics of data breach litigation
The plaintiff’s bar has become increasingly aggressive in pursuing data breach litigation. According to Laura, the threshold for filing suit has dropped dramatically—where lawsuits once required class sizes in the hundreds of thousands, she’s now seeing cases filed with classes as small as 650 people. This creates a compounding challenge: even smaller cybersecurity incidents can trigger multiple lawsuits from different plaintiff’s firms, each seeking their share of settlement fees.
Navigating the gap between legislative intent and application
Several privacy statutes originally designed for analog-era concerns are now being applied to digital technologies in ways their drafters likely never anticipated. Laura pointed to the California Invasion of Privacy Act (CIPA) as a prime example—a law created to address telephonic communications that’s now being used to “shoehorn data privacy claims into it.” Courts are growing increasingly frustrated with these applications, which complicate coverage decisions for insurers.
The same pattern appears with the Video Privacy Protection Act (VPPA), enacted in 1988 to protect video rental privacy, and New Jersey’s Daniel’s Law, passed to safeguard judges and law enforcement from targeted violence. Both are now being applied well beyond their original scope. The lack of federal standardization continues to create compliance challenges and litigation uncertainty across jurisdictions.
AI, business interruption, and emerging risks
The conversation inevitably turned to artificial intelligence, which is simultaneously making threat actors more sophisticated while creating governance headaches for organizations. Threat actors are using AI to craft convincing social engineering schemes. At the same time, companies struggle to implement appropriate policies for employee AI use and to navigate new exposures to IP infringement and data security.
Business interruption claims—particularly those stemming from supply chain incidents—are surging. High-profile events like the Change Healthcare cybersecurity breach have impacted thousands of downstream businesses. Neel characterized traditional business interruption claim adjustment as “the most painful process of any cyber incident.” However, he noted that parametric coverage (pre-agreed payments based on downtime) is emerging as a promising alternative approach.
Takeaway
What struck me most from this conversation was how cyber insurance has evolved beyond simple risk transfer. When a breach occurs, the real value often comes from immediate access to experienced breach coaches, forensic firms, and technical experts—resources that would be difficult and time-consuming to assemble in a crisis.
The discussion also highlighted how interconnected legal and insurance considerations have become. Questions about supply chain contracts, statutory interpretations of laws like CIPA, and AI governance policies all have insurance implications. As the threat landscape continues to evolve and new litigation theories emerge, understanding these intersections becomes increasingly important for anyone advising organizations on cyber preparedness.
Special thanks to Neel Desai and Laura Hawkins for sharing their insights at the Nixon Peabody Cybersecurity & Privacy Law Summit.
