Features 26.12.2025
A Year in Cyber Insurance: The Trends That Defined 2025
Assured has been watching the cyber insurance market closely over the past 12 months to understand what might happen next
It’s quite likely, as big-ticket breaches persuade more organisations to purchase coverage, and buyer-friendly policies proliferate. Assured has been watching the market closely over the past 12 months to understand what might happen next.
Despite surging threat levels and stalling cybersecurity budgets, CISOs have been generally comforted by a soft cyber insurance market in the UK and Europe this year. But change could be coming. Here are our five takeaways from 2025.
The insurance market is ultimately dictated by the reinsurance market. As businesses transfer risk to insurers, the latter do the same to reinsurers. What does this mean for rates? Over the past 12 months, several reinsurers have entered the UK market, driving down premiums for insurance companies, which have, in turn, passed the savings on to their customers. Assured has seen a 5-10% reduction in rates across the board this year, and sometimes more.
Increased competition among insurers has also helped to keep rates low. This is good news, but with the caveat that things could change next year. The cyber insurance market is unpredictable, and at some point in the future, there will be a hardening.
Another impact of increased competition and lower rates has been coverage creep. In today’s fiercely competitive market, carriers are making their offerings more attractive by broadening coverage and reducing internal (or sub) limits, which typically cap payouts in high-risk areas.
To attract potential customers, insurers have also been including non-IT-dependent business interruption clauses as standard. These are designed to cover financial losses when businesses are disrupted due to no fault of their own, but rather a problem with one of their (non-IT) suppliers or partners.
Another trend we’ve seen this year is affirmative AI endorsements – policy additions that explicitly state coverage for losses related to AI-driven attacks. These could cover anything from deepfake fraud to jailbroken LLMs used in social engineering or for vulnerability exploitation. It’s another sign of insurer competition heating up as carriers try to differentiate.
We saw an increase in ransomware breach victims of 20-30% annually in 2025. And many of those organisations were hit by data theft extortion – that is, the ransomware payload was never even deployed. Why is this happening? Because threat actors often pursue the quickest, easiest ROI. They gain unauthorised access to a corporate network via compromised credentials. They steal as much sensitive information as they can. And then they contact the victim with a ransom demand. With many organisations now keeping backups, the threat of that data being published or monetised in other ways is often enough to force payment.
This development is being driven by an infostealer epidemic that has seen the cybercrime underground flooded with stolen credentials. But it’s not the only way digital extortionists have been profiting this year. We’ve also seen a surge in cases where employees are approached by cyber criminals, offering anything between 10-30% of a ransom demand in return for privileged network access.
Other insurer losses this year have come from breaches enabled via so-called “authorisation sprawl” – the compromise of centralised identity platforms and single sign-on to reach sensitive resources. It’s believed that the M&S hackers used this technique, as did those behind the Salesloft Drift campaign.
On the latter note, supply chain compromise has been an ever-present headache for insureds this year. We’ve observed a huge range of tactics, techniques and procedures (TTPs) under this catch-all banner. Some involve simple software vulnerabilities that have been exploited. Some are third-party businesses like MSPs that are targeted in “stepping stone” attacks. Some are open-source software components infected with malware. Other payouts may stem from the compromise of a business with significant downstream impact, such as the JLR breach.
Another impact of the buyer’s market for insurance that we’re currently experiencing is that carriers are becoming less prescriptive about the controls policyholders must put in place. In fact, many are so keen to grow their books that they’ve been willing to overlook potentially important controls, as long as the business has multifactor authentication (MFA), some form of EDR/XDR, and immutable/offline backups.
This shouldn’t be a green light to divert important funding from other security projects and controls in the organisation, of course. Once the cyber insurance market starts to harden, we’re likely to see tighter requirements for what policyholders are required to put in place to qualify for coverage.
It’s also been a big year for regulation, which can drive greater investment in both cybersecurity controls and insurance policies. Regulators across Europe have been cracking down on GDPR infringements, with TikTok (€530m/£463m), Meta (€479m/£418m) and Google (€200m/£175m) leading the pack. Even the UK’s Information Commissioner’s Office (ICO) has been more proactive this year, handing big fines to the likes of Capita (£14m), Advanced Computer Software Group (£3.1m) and 23andMe (£2.3m). For businesses storing sensitive data, there’s increasingly no room to hide if cybersecurity posture is not up to scratch.
On a more positive note, we’re also seeing headline-grabbing incidents starting to filter down to Boards. Despite financial constraints across many UK organisations right now, business leaders are increasingly prioritising cyber resilience. To put it bluntly, nobody wants to be the next JLR or M&S. The eye-watering sums lost by these companies are at least focusing minds on the task.
They would be well advised to do so, and not only because it will improve their ability to keep operating when rocked by a significant breach. At some point, a hardening is coming in the UK’s cyber insurance market. When it comes, it will happen rapidly and have a significant impact on policyholders. Expect rates to harden, coverage creep to reverse, control requirements to tighten, and sub-limits to sneak back into policies where controls aren’t deemed adequate for the exposure.
All of which means that those organisations already following best practices and information security standards will be best placed to adapt to new market conditions. The cyber insurance sector has been on a rollercoaster ride over the past few years. That’s partly because the industry is still nascent. But it’s also down to the nature of the risk we’re insuring. Unlike property insurance, where we see the same perils year after year, cyber threats are changing at an astonishing pace.
Will we see the same threats still causing sleepless nights for CISOs this time next year? It’s possible. But expect the unexpected.
Stay tuned for our look ahead at what to expect in 2026, set to land on Friday January 2.