The cyber insurance landscape is undergoing a fundamental transformation. What was once considered an optional extra is rapidly becoming a critical component of corporate risk management, driven by escalating attack frequency, regulatory pressure and eye-watering financial losses that are reshaping how businesses approach digital resilience. Insurers are not just paying claims; they are embedding security standards, offering pre-incident services and partnering with clients to actively reduce risk.
How cyber risk has escalated in scale and impact
The numbers tell a sobering story. Global cybercrime costs are estimated to top $15tn by 2029. This represents a staggering increase from the $600bn estimated by McAfee in 2018, highlighting how rapidly the threat landscape has evolved. In the UK the NCSC recorded 204 nationally significant cyber incidents in the year to September 2025, including 18 that were deemed highly significant due to their serious impact on central government, essential services or large parts of the UK economy. This is more than double the 89 nationally significant incidents reported in 2024, of which 12 were highly significant.
Modern attacks are systemic, exploiting shared technologies and cloud dependencies, creating accumulation risk for insurers and cascading failures for businesses. These systemic vulnerabilities make underwriting complex. For businesses and their supply chain, the impact can be immediate and severe. Nearly half of all businesses have suffered some form of cyber event over the past 12 months, with individual incidents costing millions. Interestingly, the majority of organisations first learn of a compromise from an existing source.
The Marks & Spencer case proved particularly instructive. Following an April cyberattack that shut down its online operations for three weeks, the retailer's share price plunged 18.6% at its low point and failed to recover. The attack extended beyond operational disruption when customers received phishing emails, demonstrating how a single breach can cascade into multiple threats. This high-profile incident has likely provided the catalyst many businesses needed to reassess their cyber insurance coverage.
What makes modern cyber threats particularly dangerous is their systemic nature. These attacks exploit single points of failure in shared technologies, cascading through multiple companies simultaneously. This shared vulnerability stems from interconnected software supply chains and cloud dependencies that link organisations across industries.
In all sectors, third-party and cloud service dependencies create operational fragilities that criminals actively target. A survey found that 29% of global executives now rank cyber risk as their greatest threat, up from 24% previously, reflecting growing awareness of these systemic vulnerabilities.
Adoption of cyber insurance
Standard business interruption claims already average $6.5m, exceeding property damage claims at $4.4m. When cyber risks compound these scenarios, given technology's centrality to modern operations, the potential exposure becomes substantial. This creates both significant accumulation risks for insurers and major premium opportunities, particularly as businesses recognise that operational disruptions increasingly stem from cyberattacks rather than physical incidents.
Despite growing demand, cyber insurance remains a remarkably small market and is often seen as a harder sell for insurers and intermediaries. Despite rising awareness, many organisations still hesitate to purchase cyber insurance. For some, the complexity of cyber risk makes it difficult to understand what coverage they actually need or how policies will respond in practice. Others perceive cyber insurance as expensive or believe that existing IT controls alone provide sufficient protection. Uncertainty around exclusions, evolving threats and a lack of internal cyber maturity may also contribute to slow adoption. As a result, many businesses continue to rely on incomplete risk management strategies, leaving a substantial portion of their exposure uninsured.
A study by RUSI in 2021 recommended that insurers embed minimum cybersecurity standards into policies, link premiums to verified security controls and offer bundled resilience services. It also urged insurers to collaborate with managed security providers and cloud vendors to access real-time risk data and create industry-wide data-sharing platforms. Additional recommendations included mandating ransomware prevention measures, such as patching, MFA, and network segmentation, and requiring policyholders to report ransomware incidents to authorities before any payment.
Munich Re estimates that global cyber insurance premiums reached $15.3bn in 2024, representing just 1% of total property and casualty premiums. However, the market is evolving rapidly with 10% annual premium growth projected through 2030. The next phase of market expansion will centre on opening up new risk pools, particularly through deeper penetration in currently underserved regions and sectors. As awareness grows and risk quantification improves, these markets represent a significant opportunity for buyers seeking more tailored protection and for insurers aiming to diversify portfolios and scale sustainably.
Innovation is emerging in risk transfer mechanisms. Beazley recently secured the largest cyber catastrophe bond to date, with PoleStar Re 2026-1 pricing at $300m. These instruments represent a new frontier in managing accumulation risk, allowing insurers to transfer cyber exposure to capital markets. For Beazley, cyber insurance already comprises 25-28% of its insurance service result, demonstrating how significant this line can become for specialist carriers.
Regulatory drivers reshaping cyber insurance demand
The Cyber Security and Resilience Bill, currently progressing through Parliament, is set to modernise the UK’s cyber‑resilience framework later this year. It broadens the regulatory perimeter to include MSPs, data centres and other critical suppliers, creating new obligations for a wider slice of the economy. As organisations prepare for tighter rules and faster incident reporting, insurers may expect heightened interest in cyber cover, echoing the surge in India following amendments to its data protection regime, which led insurers to report a 20-25% increase in cyber insurance demand during 2025. This could present an opportunity for insurers and intermediaries to help clients understand the regulatory shift, close resilience gaps and secure appropriate protection before the Bill comes into force.
The future of cyber insurance: closing the protection gap
The industry faces a challenge in extending protection beyond large enterprises. Historically, cyber insurance penetration has been patchy, even among large corporations with the resources to access expertise and navigate complex insurance solutions. Small and medium enterprises struggle to engage with the market effectively, leaving a protection gap precisely where education and support are most likely needed.
Encouragingly, the reinsurance market now provides a strong foundation for cyber growth. Gallagher Re reports that capacity at the 1 January renewals was more than sufficient, marking a significant shift from the constrained conditions of earlier years. Such capacity abundance not only supports sustainable insurer growth but also enables further innovation in coverage and structure.
Modern cyber threats involve increasingly sophisticated technology, yet their success often depends on unsuspecting employees within targeted organisations. IBM reports that 30% of attacks now use AI to harvest credentials, enabling criminals to use legitimate log-ins. This human element highlights why cyber insurance cannot be purely transactional - insurers and brokers must work collaboratively with clients, providing services before and after incidents to minimise negative outcomes.
Brokers are increasingly central to translating technical cyber risk into accessible solutions for clients, particularly as SMEs seek simpler products and embedded offerings grow. The expansion of MGAs and digital distribution tools is enabling faster underwriting, richer data capture and more tailored solutions, strengthening the role of intermediaries in shaping market growth.
As cyber risk continues its evolution to a boardroom priority, the insurance industry's role extends beyond claims payment. Insurers and intermediaries are becoming partners in education, resilience building and scenario planning, helping clients understand and manage risks that are evolving faster than traditional risk management frameworks can accommodate. The question may no longer be whether businesses need cyber insurance, but whether they can afford to operate without it.
If you would like to discuss cyber insurance, please contact Erin Sims or your usual RSM contact.