Tools + Intel | CRC Specialty


Cyber’s Healthcare Divide: Abundant Capacity, Rising Discipline

The healthcare cyber market is not collapsing, but it is tightening in ways that matter.

Unlike the broader cyber marketplace, where capacity remains abundant and pricing pressure has stabilized, healthcare risks, particularly large hospitals and health systems, are facing increased underwriting scrutiny and less flexibility at renewal.

Rate increases are not uncommon for larger healthcare systems. Excess pricing for healthcare has risen disproportionately, and it is common for carriers to seek higher Increased Limit Factors (ILFs) than they do on non-healthcare cyber placements. At the same time, middle-market healthcare, including physician groups, miscellaneous medical facilities, and smaller entities, remains competitive, assuming strong controls are in place.

The divergence is real. And retail agents need to understand it.

WHY HEALTHCARE IS STRUCTURALLY DIFFERENT

Healthcare is uniquely exposed for three reasons:

  1. Ransomware Severity + Business Interruption: Hospitals cannot shut down. The operational disruption from ransomware is immediate and often life-critical. This elevates both business interruption exposure and reputational risk.
  2. PHI + Regulatory Exposure: Healthcare entities hold large volumes of protected health information (PHI) and personally identifiable information (PII). The notification costs alone in a breach can be catastrophic.
  3. Pixel Tracking + Wrongful Collection: A growing underwriting flashpoint is wrongful collection and pixel tracking exposure. Healthcare entities often use third-party tracking technology on websites or patient portals. In some cases, these tools collect patient data without adequate consent, leading to class action lawsuits. This is less a cyber control issue and more a compliance issue, but underwriters are now scrutinizing it heavily. Many carriers are adding exclusions or offering sublimits unless detailed questionnaires are completed.

PRICING, CAPACITY + COVERAGE SHIFTS

Healthcare cyber capacity still exists. But the terms are shifting.

Primary Market: Renewal flexibility has declined. In prior years, brokers could negotiate flat or reduced pricing. Today, carriers are more likely to hold firm at flat or modest increases.

Excess Market: Excess pricing for healthcare is running materially higher relative to primary when compared to other industries.

Excess underwriters are also scrutinizing who controls the primary, primary pricing adequacy, and claims handling discipline. Legacy carriers are walking away from underpriced risks rather than chasing market share.

Coverage Adjustments:

Watch out for:

  • New restrictive language around wrongful collection
  • Pixel tracking exclusions
  • Contingent bodily injury limitations
  • Higher retentions on ransomware

Some newer carriers are willing to compete on solid risks, especially smaller healthcare entities with limited PHI exposure. But on large systems, underwriting discipline is tightening.

UNDERWRITING SCRUTINY: WHAT IS NON-NEGOTIABLE

Healthcare cyber underwriting increasingly mirrors the tiered control expectations outlined in broader cyber frameworks. Across account sizes, several controls are effectively mandatory:

  • Multi-Factor Authentication (MFA) for remote and email access
  • Endpoint Detection and Response (EDR)
  • Secure, immutable, or air-gapped backups
  • Formal incident response plans

For healthcare specifically, data protection and recovery capability are paramount. Underwriters want to know:

  • How much PHI is stored?
  • How is it collected?
  • How quickly can it be restored?
  • Are backups isolated and tested?

Wrongful collection exposure is now routinely underwritten through supplemental questionnaires. Healthcare insureds who cannot clearly articulate privacy controls will struggle to secure optimal terms.

RETAIL AGENT STRATEGY: HOW TO NAVIGATE THE MARKET

The marketplace tightening is manageable if approached correctly.

Start early. Engage 90-120 days in advance. Some carriers will not provide indications outside 60-90 days, but early preparation is critical.

Renewal conversations that were flat at 120 days may have shifted inside 45 days due to carrier loss activity. Managing expectations is key.

Use a full renewal application. Even if an incumbent suggests a streamlined renewal, obtain a comprehensive application upfront. If pricing shifts late in the process, you must be ready to market immediately.

Manage market fatigue. Over-marketing accounts annually can create carrier fatigue. Some carriers will decline to quote risks they’ve seen repeatedly. Strategic marketing, not reflexive marketing, wins.

Position controls clearly. Healthcare clients should be prepared to:

  • Document data governance policies
  • Provide detailed pixel tracking disclosures
  • Demonstrate backup architecture
  • Show evidence of testing and incident response exercises

The difference between “questionable” and “preferred” healthcare risks often comes down to documentation discipline.

WHAT TO EXPECT NEXT

Is a cyber “day of reckoning” coming? Perhaps, but not abruptly.

Absent a catastrophic systemic event, pricing pressure in healthcare cyber is more likely to increase gradually than spike suddenly. Market fatigue is visible on both the carrier and broker sides. Some legacy carriers are drawing lines on adequacy rather than chasing underpriced business. Capacity remains strong in middle-market healthcare. Large systems will continue to feel the pressure first.

The message is not alarm; it is discipline.

BOTTOM LINE

Healthcare is tightening where exposure is highest. Large hospitals and health systems are facing higher excess pricing, less renewal flexibility, and increased scrutiny around data governance and wrongful collection. Middle-market healthcare remains competitive, but only with strong controls and proactive preparation.

Early engagement, comprehensive underwriting data, and disciplined market strategy are critical. When placements become complex due to layered towers, large PHI exposure, pixel tracking scrutiny, or carrier withdrawal, reach out to your CRC Specialty producer. We are the go-to partner for challenging healthcare cyber placements, with the market relationships and technical knowledge to navigate tightening conditions and deliver results. Reach out today.

CONTRIBUTORS

  • Paul Burge is a Senior Broker with CRC’s Birmingham, Alabama office, focused on complex cyber placements across healthcare, technology, and large middle-market risks.
  • Ross Robertson, also based in Birmingham, is a Broker with CRC Specialty, specializing in healthcare professional and complex cyber placements.
