Here's your Friday Five:
Every week our team rips through 200+ insurance, legal, regulatory, and market-risk articles so you don't have to!
Three developments caught our attention this week:
- D&O premium dropped from $15 billion to $10 billion in four years. Loss ratios jumped 5 points in one. AM Best says the open claims patterns resemble the late 2010s, and that era ended badly.
- 87% of ransomware claims in 2025 entered through remote access. One group accounted for 40% of all ransomware claims. And 60% of their victims had leading endpoint protection installed.
- Six percent of ransomware claims now produce class action lawsuits. The D&O reserves those lawsuits will hit are the same ones AM Best just flagged.
D&O profitability is eroding from both ends
Summary
AM Best published its latest D&O market segment report this week. The headline: the US D&O liability segment remained profitable in 2025. The details tell a different story.
Direct premium has declined for a fourth consecutive year. The market has dropped from nearly $15 billion in 2021 to just over $10 billion. Competition and excess capacity keep pushing rates down. The direct loss ratio jumped 5 percentage points in a single year. AM Best flagged reserve inadequacies for the 2023 and 2024 accident years that emerged in 2025, noting that the current level of open claims resembles patterns from the late 2010s, a period that produced poor results and significant adverse development.
Capital markets slowdowns have cut new D&O business opportunities. Geopolitical uncertainty, technology exposures, and regulatory scrutiny are expanding the risk profiles carriers underwrite. Social inflation is keeping claims open longer and eating into what had been favorable margins.
There are some signs of renewed demand through an uptick in IPO activity. But the structural pressures are moving faster.
Source: Captive.com
So what?
The pricing environment looks favorable if you're buying D&O this quarter. Rates are competitive. Carriers want the business.
The AM Best data suggests that favorable pricing may not last. Claims friction could increase before the next cycle turns. If carriers have been underpricing risk while reserves deteriorate, the correction won't land in your premium. It will land in how aggressively your claim gets defended. How tightly coverage gets interpreted. How quickly retentions get raised at the next renewal.
Those of us who were placing D&O in the early 2010s remember what happened with Torus. They wrote aggressively into specialty liability, then sold to Enstar, a run-off specialist, in 2014. Open claims turned into multi-year exercises in bureaucratic complexity, corporate name changes, and deadline traps. The lesson still applies: when carriers compete on price in a market where reserves are thinning, make sure every carrier on your D&O tower has the financial strength to be there when the claim arrives. Not just when the premium clears.
Monday morning, two questions for your broker: has our D&O carrier's reserve position for the 2023 and 2024 accident years been reviewed as part of our renewal strategy? And have we confirmed the financial stability of every carrier on the tower? If either answer is no, those conversations belong before the renewal meeting.
VPN compromises are now 73% of all ransomware intrusions
Summary
We read At-Bay's 46-page InsurSec Report so you didn't have to. New highs across the board in 2025. Overall claim frequency increased 7% year over year. Average severity reached $221K, an all-time high. Ransomware severity climbed 16% to $508K.
The most significant structural shift is in how ransomware attacks start. VPNs accounted for 73% of ransomware entry vectors in 2025, up from 66% in 2024 and 38% in 2023. Combined with RDP, remote access infrastructure accounted for 87% of all ransomware claims. Email did not produce a single ransomware claim in At-Bay's 2025 portfolio.
One group drove the surge. Akira ransomware accounted for more than 40% of all ransomware claims, the most dominant single strain At-Bay has ever tracked. 86% of Akira attacks targeted environments running SonicWall devices. Akira's campaign drove a 53% increase in ransomware frequency in the second half of 2025 and a 364% increase in Akira-specific frequency. Average Akira ransom demands hit $1.2 million, 50% higher than non-Akira demands. Two-thirds of their attacks landed on nights and weekends.
For finance and insurance companies specifically, ransomware severity reached $731K, second only to technology. Companies under $25 million in revenue saw a 40% jump in ransomware severity to $422K.
Source: At-Bay, 2026 InsurSec Report
The LION Lens
What happened — VPNs became the dominant ransomware entry vector in 2025, climbing from 38% of intrusions in 2023 to 73%. The Akira ransomware group industrialized the attack by targeting SonicWall appliances at scale, accounting for over 40% of all ransomware claims in At-Bay's portfolio. Email produced zero ransomware claims for the full year.
Why it matters — One bright spot: the email security investments most institutions made over the past three years are working. Attackers moved to remote access because email got harder to exploit. But the attacker shift to remote access infrastructure means the threat model has structurally changed. A $10 million company and a $200 million company running the same VPN appliance now share the same risk profile. Attackers scan for vulnerable infrastructure at scale and strike whatever they find. Size and industry selection are secondary to what's exposed on the network perimeter.
Practical implications — 60% of Akira victims had leading endpoint detection and response (EDR) solutions installed. EDR alone did not prevent encryption. The only organizations in At-Bay's portfolio that avoided full encryption during Akira campaigns had a market-leading EDR tool backed by 24/7 managed detection and response (MDR). Not a single At-Bay MDR customer filed an Akira claim in 2025.
So what?
The ransomware numbers are severe. But two findings from the report compound the exposure in ways most cyber programs aren't built to absorb.
First, business interruption. One in three ransomware claims triggered business interruption coverage. Those claims averaged $510K in severity, three times the $168K average for ransomware claims without business interruption. The largest single business interruption claim reached $5 million, the policy limit, with actual costs likely higher. Roughly one in ten ransomware incidents caused downtime exceeding 30 days.
Second, the litigation tail. Third-party liability claims surged 70% year over year, the largest increase of any incident type. California Invasion of Privacy Act claims grew from 7% to 34% of the third-party liability category in two years. Class actions are being filed on smaller breach classes, with multiple suits per incident becoming standard. 6% of ransomware claims and 4% of data breach claims eventually triggered class action lawsuits. These arrive months after the systems are back online, adding a year or more of defense costs on top of what the business thought it had already absorbed.
Financial fraud added another layer of pressure. It remained the most common incident type at 30% of all claims. Average stolen funds reached $285K, up 16% year over year. The single largest theft hit $9.65 million. Generative AI is making social engineering lures more convincing and harder to detect, even across language barriers. Attackers are now routing malicious links through legitimate cloud platforms like Cloudflare to bypass email security filters entirely.
The LION POV
Here's how we're advising clients:
Audit your remote access infrastructure before renewal. Map every VPN appliance, RDP endpoint, and remote access tool in your environment. SonicWall devices require immediate review. Confirm patch levels, assess whether the device should be replaced, and bring the inventory to the audit committee. 87% of ransomware intrusions came through remote access. The inventory is the first document an underwriter and a plaintiff will ask for.
Deploy 24/7 managed detection and response. EDR alone did not stop Akira. The only organizations that avoided encryption had EDR backed by around-the-clock human monitoring. If your MDR coverage doesn't extend to nights and weekends, it doesn't cover when two-thirds of attacks land.
Stress-test your cyber program against the business interruption multiplier. One in three ransomware claims triggered business interruption at 3X the severity. Model what a 30-day outage costs your institution and confirm your business interruption sublimit absorbs it. If the sublimit was set three years ago, the math has changed.
The question at your next cyber renewal is whether your program is structured for the remote access attack pattern or still priced for the email-based threat model that produced zero ransomware claims in 2025.
Source: At-Bay, 2026 InsurSec Report
We run the remote access audit and business interruption stress test with clients before every renewal cycle. If your program hasn't been tested against the 2025 attack pattern, let's talk. Book a 1:1 call with our team!
Your next cyber incident is your next D&O claim
Summary
Six percent of ransomware claims now produce class action lawsuits. AM Best just flagged the D&O reserves those lawsuits will hit. Two lines of business. One exposure.
We wrote the full essay this week because no one else was reading these two reports together. Three reasons to read it:
- You'll see how fast D&O and cyber exposures are converging, and the specific data from both reports that proves the collision is already underway.
- You'll learn the four governance issues that convert a cyber event into a D&O claim, and why plaintiff firms target board minutes before they target firewalls.
- You'll walk away with the documentation checklist that defends against both a failure-of-oversight argument and your next D&O and cyber renewals.
We built it around three frameworks to answer those questions: the stats that prove the collision, the mistakes that create the exposure, and the steps that close it. One read your GC should see before Q4.
Source: LION Deep Research
So what?
Here's what the essay delivers:
The stats: D&O premium dropped by a third in four years. Loss ratios jumped 5 points. Third-party liability claims surged 70%. Ransomware severity hit $731K for finance and insurance companies. These are different data sets pointing at the same reserves.
The mistakes: Four governance issues show up repeatedly when a cyber event becomes a D&O claim. Separate program reviews with no board-level coordination. Incident response plans that never reach meeting minutes. VPN inventories the audit committee has never seen. Vendor risk mapped in operations but absent from board records. Each one creates potential exposure under the Caremark oversight framework.
The steps: Get the incident response plan on the board agenda and minute it. Map the VPN inventory and present it to the audit committee. Put vendor data exposure on the board record. Confirm the D&O form covers oversight claims arising from a cyber event. Walk into both renewals with the same documentation package.
The institutions that do this work before the event get different terms at renewal. The ones that don't are pricing a risk they haven't measured.
The Bottom Line
D&O carriers are competing on price. AM Best just flagged the reserves behind that pricing as potentially inadequate. Cyber claims hit all-time highs in frequency and severity. Remote access infrastructure is now the dominant attack vector. And the litigation that follows a cyber event is landing in the D&O tower, on reserves that were set before the third-party liability surge showed up in the data.
For directors: if cyber risk oversight isn't documented in board minutes and a ransomware event triggers a class action, the question shifts from "did the company have adequate controls" to "did the board exercise adequate oversight." That question draws on the Caremark framework, and the answer lives in your board records.
What this means at your next renewal.
Walk into both renewals with the same documentation package. A board-minuted incident response plan review, a VPN and remote access inventory on the audit committee record, vendor data exposure mapped at the board level, and confirmation that the D&O form covers cyber-originated oversight claims. The institutions that bring this to the table get different terms on both programs. The ones that don't are pricing a risk they haven't measured.
In Case You Missed It!
This week's Wednesday Intelligence, Same Waterfall, Two Reads, walks through five layers of MGA economics and reads each one through the lens of a D&O underwriter. The fronting fee, the reinsurance underneath it, the delegated authority, the underwriting data, and the profit commission. At every layer, the same question: how much of this structure does the management team actually control? If you're an MGA operator or you sit on an MGA board, this one was built for your next risk committee meeting.
Thank you for reading today's edition!
Stay Covered Out There Y'all,
FLIP
Founder and Managing Partner LION Specialty
P.S. D&O reserve deterioration, record cyber claims, and expanding board liability for cyber oversight are converging into the kind of multi-front exposure most institutions never stress-test until a claim forces the question. Comment BLUEPRINT and we'll send you our D&O Contract Vigilance Blueprint, a 5-day email course on the policy gaps that only show up after a claim is filed.
P.P.S. Nothing in this briefing constitutes legal advice. These are the opinions of the founder. It's market intelligence designed to help you ask better questions of your advisors and make sharper decisions at your next insurance renewal. Thanks for reading! If you loved it, consider telling your colleagues and/or friends to subscribe.