Cyber insurance is considered a no-brainer for most businesses. Yet half of all UK firms don’t have any, according to the government’s Cyber Security Breaches Survey.
It seems strange when attacks such as the Jaguar Land Rover (JLR) breach cost the UK economy nearly £2 billion. At the time of the devastating breach, JLR reportedly did not have cyber insurance, so the company had to absorb the full cost of the damage itself.
Even when firms do have cyber insurance, it doesn’t always cover incidents. The NotPetya destructive wiper malware attack was a cautionary tale: insurers Zurich and Ace initially refused to cover their clients’ losses from the attack, citing a war exclusion clause. Both clients eventually settled with their insurers.
“All policies can have limits or conditions that significantly affect payouts,” Daryl Flack, partner at Avella Security tells ITPro. “This can be very nuanced and will only become more so over time.”
Cyber insurance evolution
With its origins in the late 1990s, cyber insurance was originally designed to address the risk of data breaches faced by organizations handling large amounts of sensitive personal information. “These breaches could give rise to regulatory consequences and third-party claims, which were deemed suitable for coverage under a fairly traditional third-party liability policy,” says Aaron Le Marquer, head of policyholder disputes at Stewarts.
Back then, the cover was narrow and viewed as “a niche product for operators in particularly exposed sectors”, he says.
Now, things have changed drastically. Both the risks and the insurance products themselves have “transformed beyond recognition”, according to Le Marquer. “Technology and data now underpin all industries, and it is hard to identify a sector that is not exposed to some form of cyber risk.”
The JLR shutdown is just one example. It lasted several weeks, with each week estimated to cost around £50 million, resulting in a financial impact of hundreds of millions of pounds.
But this is only one side of the coin, points out Boris Cipot, senior security engineer at Black Duck. “The disruption also affected thousands of suppliers, and the overall economic impact on the UK is estimated at approximately £1.9 billion.”
JLR couldn’t have accurately predicted the total cost, or the time it would take to recover from the attack, which ultimately required a government bailout for its supply chain. Insurers are constantly adjusting policies to reflect these realities, says Flack.
Rising premiums are leading some companies to set money aside for cyber improvements and incident response rather than buy a policy they may never use, he says.
However, experts warn this is a flawed strategy. Without an accurate assessment of the business impacts, it’s “almost impossible” to know how much money to reserve, Flack says.
ITPro spoke to some who said the only viable option for nearly all businesses is to purchase cyber insurance.
Geoff Leeming, vCISO associate at Cyberhash, has worked on incident response for insurers. “I’ve seen both sides of it,” he tells ITPro. “To me cyber insurance is an absolute no-brainer: if you think your day-to-day job as a CISO is hard, wait until you’re dealing with a major breach. Everything becomes faster and more critical, and the pressure from management, clients, press and staff all becomes intense.”
Tight requirements
In recent years, cyber insurers have tightened their requirements. “Companies must now demonstrate that essential cybersecurity controls, such as multi-factor authentication (MFA), regular patching, reliable backups, and security awareness training, are in place before they are even eligible for a cyber insurance policy,” says Cipot.
Another area that has changed significantly is cost. Cyber insurance premiums are expected to rise by up to 20% in 2026, driven by the increasing frequency and severity of cyberattacks, says Cipot. “Insurers have also become more aware of supply chain dependencies. As a result, assessing the potential impact of supply chain disruptions on the insured company is now a key part of the screening process.”
Coverage is now available for regulatory risk and third-party claims, as well as for costs of responding to and shutting down an attack, says Le Marquer. It also often covers rebuilding systems following an attack, extortion and ransomware payments and business interruption loss, he explains.
But as with any insurance policy, there are important limitations to be aware of, Cipot adds. “Incidents resulting from unpatched vulnerabilities or poor security hygiene may not be covered, which is generally understandable from an insurer’s perspective. Many policies also include exclusions for cyberattacks linked to war, terrorism, or state-backed actors, as these events can be too large for insurers to absorb.”
Physical damage, bodily injury, and certain types of regulatory fines may also fall outside the scope of coverage. In addition, insurers may exclude coverage for artificial intelligence (AI) related failures or large zero-day vulnerabilities, as these risks are particularly difficult to predict and model, Cipot explains.
Selecting a policy
If selecting a policy seems overwhelming, there are also cyber insurance brokers that can help. To ensure you get the best deal for your business, working with the right broker is “crucial”, advises Daniel Woods, a lecturer in cybersecurity at the University of Edinburgh. “Only specialist cyber brokers understand the nuances of coverage, which is not yet standardized due to all of the innovation. In particular, they can explain what losses look like for a particular industry or revenue band. The real danger is relying on a generalist broker who may place a policy with a heavy sublimit or exclusion.”
Good cyber insurers cover your costs and also come with a panel of vetted specialists with pre-agreed rates, says Leeming. “And you know that the insurer has exactly the same motivation as you: to get this sorted as quickly and cost-effectively as possible, because they’re paying the bill and the longer your outage drags on, the more they pay.”
Paying attention to the insurer’s proposal form can also help firms to boost security, says Leeming. “Firstly, they’ve analysed the thousands of cases they’ve paid out on, and they’re asking about the things that they know will save them money by preventing you having a breach. Forget ISO or SOC2, a good cyber insurer’s proposal form is the most practical list of how to secure your firm.”
Don’t ever lie on the form, he warns. “Tell the whole truth. If you try to make yourself look good on the proposal form, you risk ending up in the worst of both worlds where you’ve paid the premium, thought you were covered, and find out at the worst possible time that the insurance isn’t valid.”