
In today's digital age, the cyber threat landscape is changing faster than ever before. As businesses and individuals increasingly rely on technology, understanding the complexities of cyber insurance has never been more crucial. In this article, we will:
The cyber threat landscape is in a state of constant evolution, with new vulnerabilities and attack vectors appearing all the time. In recent years, we've seen a marked increase in both the frequency and sophistication of cyber incidents, making it clear that the stakes are higher than ever. Compounding this issue is the rise of AI-driven attacks and the complex interplay between geopolitics and cyber risk, which together add layers of difficulty to an already challenging environment.
New Risks: AI-Driven Incidents, Geopolitics, and Ransomware
Artificial Intelligence has revolutionised many industries, but it has also introduced new risks. AI-driven cyber incidents, such as deepfake and AI-powered phishing, are becoming more prevalent. According to Entrust's 2025 Identity Fraud Report [1], deepfake attempts occur every five minutes on average, and experts predict that by 2026, an incredible 90% of online content could be generated synthetically.
In addition, the integration of AI-related processes within an organisation can increase the risk of a cyber incident. For example, the integration of AI might involve a number of connected devices and platforms, which can significantly increase the potential entry points into the business for a cyber-attack.
These new risks will have a significant impact on businesses directly, as well as on all components in their supply chains. As companies increasingly rely on AI technologies, they must remain vigilant and proactive in addressing these emerging threats.
AI is also shaping the insurance underwriting process, with underwriters scrutinising how companies both develop and use AI tools to ensure they have the right compliance controls and tools to manage risk.
Furthermore, the geopolitical landscape has a direct impact on cyber risk, with state-sponsored attacks and cyber espionage posing significant threats to businesses. Heightened geopolitical tensions, such as those involving the US, Europe and Russia, are likely to spill over into cyberspace, leading to an increase in cyber-related incidents.
State-sponsored ransomware attacks are becoming more prevalent, with countries like North Korea professionalising these attacks as a source of income. Ransomware attacks, in particular, have seen a dramatic increase, with cybercriminals targeting critical infrastructure and demanding exorbitant ransoms. According to Barracuda, a global cybersecurity company, ransomware attacks increased fourfold during 2024 [2], with cybercriminals employing more advanced tactics to exploit weaknesses in organisational defences. In due course, businesses may find their options limited in responding to such attacks: for example, the UK Government has recently initiated a consultation [3] on the potential ban of ransom payments demanded following a cyber-attack. This proposal also includes a requirement for victims to report ransomware incidents, mandating that they disclose details of the attacks and the recovery measures they have implemented within a specified timeframe after the incident.
There is growing awareness of the reputational and business interruption implications of cyber incidents, leading to more cooperation between insurers and policyholders on loss control and prevention measures. For example, some cyber insurers are now offering complimentary loss prevention measures such as cyber threat modelling, security assessments and cybersecurity training sessions run by consulting teams.
Cyber insurance can play a crucial role in mitigating these risks by providing financial protection and support in the event of an attack; however, not all businesses opt for such measures, resulting in a 'cyber protection gap' that leaves many vulnerable to significant losses.
This gap, i.e. the difference between insured and uninsured cyber risks, remains a critical issue for many organisations. Many in the cyber insurance industry, as well as governments in countries highly likely to be targeted by cyber-attacks such as the UK, feel this gap is becoming increasingly worrying.
The Home Office's 2024 Cyber Security Breaches Survey [4] reveals that half of businesses in the UK (50%) report having experienced some form of cybersecurity breach or attack in the last 12 months; however, only around four in ten (43%) report being insured against cyber security risks. This protection gap is particularly evident among medium and large businesses, which are often more attractive targets for cybercriminals. In fact, nearly three quarters (74%) of large businesses reported suffering a cybersecurity breach or attack in 2023/24, yet only just over half (54%) reported that they had appropriate insurance in place, highlighting the urgent need for better protection measures in these larger organisations. Furthermore, the Association of British Insurers has recently produced a report exploring the gap specifically in the context of SMEs, calling the findings "severe" [5], with a significant number of businesses lacking insurance protection against cyber-attacks.
Availability of cover
Many businesses mistakenly believe that their existing insurance policies adequately cover cyber risks. However, this is often not true. Traditional insurance policies may cover various risks that arise from a cyber incident, such as physical damage or business interruptions at a factory affected by a cyber-attack. However, this coverage only applies if the relevant policies for property damage and business interruption do not include specific cyber exclusions. Unfortunately, many of these policies do contain broad cyber exclusions, leaving businesses exposed to significant financial losses. This gap in coverage can create a false sense of security, meaning some businesses may not even have considered the potential implications of cyber risks on their operations.
Given the existing protection gap, businesses might be wondering about the current state of the cyber insurance market and whether now is a good time to seek specific cyber coverage. The market is currently experiencing a period of stabilisation, characterised by soft pricing trends and a slowdown in rate increases, indicating that it may be entering a more stable phase. Additionally, the cyclical nature of the market has spurred increased competition, particularly from startups that have secured significant capital, which is influencing pricing and overall market dynamics. To the extent that high premiums remain of concern, co-insurance arrangements (involving sharing of risk between insurer and policyholder) are becoming more commonplace for policyholders with large exposures.
Cyber insurance has become an essential component of risk management strategies for businesses of all sizes. Generally cyber coverage will include the following:
However, despite the increasing availability of competitively priced and broad cyber cover, navigating the complexities of cyber insurance policies can be challenging. For example, some cyber policies will attach conditions to payouts following cyber extortion, e.g. that there must have been a data breach, or that the policyholder must report the incident to relevant authorities. Policyholders should be mindful of whether any conditions imposed are appropriate, or in their control.
Silent cyber
Businesses should also be aware of the concept of silent cyber, where cyber risks are not explicitly covered or excluded in traditional insurance policies, leading to coverage uncertainty and potential for costly legal disputes later down the line. Despite the insurance industry having largely united over the past decade to move away from the "silent cyber" approach through inclusion of cyber exclusions in non-cyber policies, the ideal position is never for policyholders to have to rely on this approach. The preferable approach should always be to address cyber risks explicitly in any policy where coverage is expected.
Exclusions and “writebacks”
Businesses must also be aware of exclusions and "writebacks", as these elements can significantly affect their insurance coverage. Exclusions are specific conditions or circumstances that are not covered by the policy, meaning that if a loss occurs under those conditions, the insurer will not provide compensation. On the other hand, "writing back" a risk refers to the process of amending an exclusion clause to reinstate coverage for certain risks that were previously excluded. This means that businesses can negotiate to have specific risks included in their policy, thereby enhancing their overall protection.
The subject matter of an exclusion or writeback can range from having a minor impact on an overall policy, to removing fundamental cover – for example, a 2023 report by US-based IT company Veeam Software found that 21% of policies had a blanket exclusion in place for ransomware [6]. The 2024 CrowdStrike outage revealed a significant divide between policyholders which had bought policies covering “non-malicious” incidents, and those which had not.
Cyber insurance can also contain exclusions which can seem innocuous but become extremely important in practice, such as those for state-backed cyber operations. In the wake of the 2017 Ukraine ransomware attacks, the precise scope of such exclusions proved instrumental in deciding whether up to an estimated $10 billion in damage was recoverable by corporate policyholders. Attempts by insurers to separate “War” and “Non-war” cyber risks are continuing, and it is likely that in the near future separate markets will emerge for each.
Evolving threats
The fast pace of evolution in cyber threats also requires adaptation in coverage. For example, AI’s evolving landscape creates new challenges, such as algorithmic biases, unpredictable outputs, and the potential for “black box errors”. AI errors with unclear causes may result in uninsured exposure if not properly accounted for in insurance policies. Corporate policyholders who use AI in their daily operations should be mindful of exclusions related to AI, such as liability for black box errors, biased algorithms, or failures caused by poorly trained AI models.
For corporate policyholders, it is crucial to adopt a proactive approach to cyber risk management. Here are some practical recommendations:
Authored by Sara Bradstock, Charlie Shute; Bethan Savage
As the cyber threat landscape continues to evolve, it is essential for businesses to stay informed and take proactive measures to protect themselves. By understanding the available insurance coverage and the claims process, staying abreast of industry developments, and implementing practical risk management strategies, policyholders can navigate the complexities of cyber insurance and safeguard their organisations against emerging threats.
References