
Features 15.07.2025
Cyber Insurance: Government Stats Versus Real Facts
According to the UK government’s annual report, cyber insurance take-up has stalled. If that’s the case, who and what’s to blame?
Over two-fifths of UK businesses suffered a breach or cyber attack last year, according to the government’s most recent annual report. Although that figure represents a slight decline from the previous year, it’s too early to celebrate: it could indicate poorer visibility into breaches rather than improved cybersecurity on the part of network defenders.
In this context, one other figure in the report is particularly concerning. Just 45% of respondents report being insured against cybersecurity risks, a number virtually unchanged from 2024. In too many businesses, there’s a lack of interest, awareness or budget for cyber insurance. Is the insurance industry to blame, or are attitudes to coverage changing?
Take-up of cyber insurance isn’t uniform. In fact, the government’s report throws up some interesting findings. It states that large businesses (52%) are now less likely to have insurance than small (62%) or medium-sized firms (65%). That’s despite having arguably more resources to fund policies. The share of small businesses with coverage surged significantly from last year (49%).
Experts have various theories. Sydonie Williams, head of international cyber risks at insurer Beazley, says it could be the result of misplaced confidence on the part of larger organisations.
“Large businesses are more likely to outsource their cybersecurity affairs to dedicated managed service providers (MSPs),” she tells Assured Intelligence. “However, outsourcing can breed complacency, and may make purchasing dedicated cyber insurance less of a priority. That’s despite the fact that supplier vulnerabilities can result in both first and third-party liability for firms.”
Ed Ventham, co-founder of cyber insurance specialist Assured, argues that the disparity between stated take-up of cyber insurance among large firms versus SMBs may be due to confusion on the part of smaller organisations.
“I think that a lot of the smaller businesses think that they’re covered when they’re not,” he tells Assured Intelligence. “They may think they are covered because they have a professional indemnity policy, for example, but that’s categorically not the case. In fact, almost all other policies exclude cyber.”
That is concerning given another finding from the report: that just 7% of UK firms – rising to 18% of medium and 27% of large businesses – have a dedicated cyber insurance policy. It suggests that most are using general insurance policies to cover cyber risk. If true, this is likely to leave them highly exposed.
“You need to have a standalone policy now. It can’t be treated as part of something else,” argues Ventham. “I do not know of cyber being ‘bolted-on’ to another insurance policy. If those still exist, they will not be fit for purpose and categorically should not be relied upon to provide cover for a cyber incident.”
However, he suggests that these figures may understate the number of firms that have standalone cyber insurance coverage. It’s possible, says Ventham, that a CISO interviewed for the report may not know the specifics of their organisation’s insurance policies if they were purchased by the CFO, for example. In fact, 20% of the information security decision-makers polled by the government in this study didn’t even know whether they had a policy or not.
For organisations without cyber insurance, one of the top reasons cited is that it’s simply not a budgetary priority (34%). A further 13% claim it’s too expensive. Indeed, the government notes that those with policies rarely make claims, even when eligible, due to cost concerns.
“Organisations typically felt that claims were not considered worthwhile overall, primarily due to an unfavourable cost-benefit analysis,” it notes. “This was especially apparent when discussing the potential increase in future premiums after making a claim. It was asserted by larger businesses that investing in cyber controls and recovery was more beneficial than investing in insurance itself.”
Ventham claims this is a common refrain among businesses and is, in part, the fault of the insurance industry.
“Everyone talks about having amazing products, but they’re products understood by the insurance sector, not clients. General brokers, who do lots of different lines of insurance, are unable to explain in layman’s terms what that coverage and product will do for their [client’s] business,” he argues.
“Customers will think it’s a lot of money and won’t know what it will cover them for. What the brokers fail to explain is that there’s an incredible amount of resources you get with a cyber insurance policy.”
Ventham cites legal counsel, ransomware negotiators, forensics experts, PR professionals and more – all of whom insurers will provide as part of dedicated coverage in the event of a serious incident. Policies could also cover supply chain breaches and non-malicious incidents such as system failure and those stemming from human error, he adds.
Jano Bermudes, COO of cybersecurity consultancy CyXcel, agrees that many organisations may not understand the benefits of coverage.
“Cyber insurance policies provide a valuable financial safety net for organisations as well as access to security resources and specialist incident response practitioners when things go wrong,” he tells Assured Intelligence.
“When an organisation is hit with ransomware, for example, it is likely the first time in most in-house responders’ careers that they’ve experienced such an incident. Having access to an expert third-party team, via an insurance policy, who do this for a living is crucial – bringing a calm professionalism, burst capacity and up-to-date knowledge of current attack methods to what is usually a frantic, frenzied period.”
Few organisations have the in-house technical, legal and regulatory expertise to handle a post-breach crisis in this way, Bermudes adds.
A string of recent high-profile ransomware breaches in the retail sector illustrates the differing approaches some businesses take to cyber insurance. According to reports, the Co-op invested in threat detection systems rather than insurance. These helped it to spot the attack early and pull the plug before threat actors could do much damage. But data was still exfiltrated, and the breach had a significant operational impact on the firm. By contrast, M&S, which was worse hit, will offset more than £100m of its £300m in gross lost profits through insurance payouts.
The reality is that it doesn’t have to be an either/or choice. Most cyber insurance providers will demand a baseline level of security controls be put in place as a prerequisite for coverage, or to reduce premium costs. Beazley’s Williams says insurers must get better at incentivising good practice, among other things.
“In recent years, pricing has increased to reflect the risk, and the market has come of age. Working with the wider cybersecurity industry to raise awareness, incentivise defence building and share expertise will secure the future of the market in the long term and encourage greater take-up,” she says.
“To help businesses navigate the ever-evolving risk landscape, insurers must continually hone their cyber products, providing solutions that draw upon risk management, underwriting, claims, cybersecurity and risk prevention expertise.”
Assured’s Ventham adds that business leaders may also need to change their outlook. According to the government report, over a quarter (28%) of businesses that aren’t covered by cyber insurance say it’s because their leadership isn’t interested.
“This is negligence,” he argues, citing two businesses that refused to consider the prospect of cyber insurance with Assured before being breached only months later.
“They ended up in the headlines, and in one case it cost that business tens of millions of pounds,” he concludes. “How can leadership not even be interested in covering that loss?”