Key takeaways:
Cyber incidents on the up – Incidents surged to unprecedented levels in 2025, yet premiums fell by an average of 11% and coverage broadened. This marks a rare divergence between underlying risk and insurance pricing.
Increased capacity drives rate reductions – Aggressive growth targets continue to fuel appetite, with new MGAs, a new syndicate, and insurers deploying more net capacity. Further reductions are expected through the first half of 2026.
Claims severity intensifies – Particularly in ransomware, where a small share of notifications drove roughly three‑quarters of payouts. Developing 2023–2024 claims are also trending materially worse.
Cyber security was one of the biggest challenges facing organisations in 2025, with a 129% increase in ‘nationally significant’ cyber security incidents during the 12 months ending August, according to the National Cyber Security Centre (opens a new window) (NCSC). Despite this, the Cyber Insurance market continues to provide favourable conditions for clients: premiums across the Lockton portfolio decreased by an average of 11% in 2025. Even more importantly, carriers have shown willingness to expand coverage into new exposures where the market previously lacked appetite.
This combination – of broader coverage alongside continued price competitiveness – comes despite 2025 witnessing some of the most consequential cyber incidents in recent history, with several major ransomware attacks significantly impacting company earnings. It was also arguably the first time in which a cyber event had a direct, substantial impact on UK consumers, helping to elevate public awareness of cyber security to an unprecedented level.
Large-scale cyber events (such as a coordinated ransomware campaigns) are traditionally defined as 1-in-20-year risks, meaning that events of such magnitude are expected to recur on average every 20 years. The impact of some of the cyber events that occurred in 2025, however, were modelled at the magnitude of a 1-in-100-year event, underlining the growing cost of such incidents. In addition, many of the affected clients were under- or un-insured. While this insulated the insurance market against the bulk of the costs, it did see clients incur direct impacts to their profitability and balance sheet resilience.
Premiums and market drivers
The first half of 2025 saw sharper rate reductions, followed by more moderate decreases in the second half of the year. There is currently no indication that these downward trends will stop, with further reductions expected at least through the first half of 2026.
Year-on-Year Average Premium Per Million Change (2021–2025)
The expected continued competitiveness of the market is mainly driven by three factors:
Aggressive growth targets – Most insurers in the London market are pursuing ambitious expansion plans. While there is a steady influx of new buyers entering the Cyber space for the first time, this demand is still insufficient to satisfy all market participants.
New market entrants – The first quarter of 2026 has already seen two new MGAs and one new syndicate launch portfolios from scratch, adding further capacity and competition.
Reinsurance dynamics – There was no significant upward pressure on reinsurance rates during early 2025. In fact, many insurers reduced their reinsurance purchases at January renewals, restructured programmes, and opted to deploy more capacity on a net basis.
Coverage trends
Insurers continue to differentiate themselves with broader and more tailored coverage solutions. Notable recent coverage improvements include:
Any-one-claim coverage – Several insurers are now able to offer this structure; previously, this option was only available through CFC. An any‑one‑claim basis means the full limit of liability applies to each individual claim, rather than being shared across all claims in the policy period. In practice, this effectively grants unlimited reinstatement of the limit of liability. This structure is only available for firms under £250m in revenue.
Customer Business Interruption – Recent ransomware attacks against retailers have highlighted the dependency of some providers on their customer. If a retailer is unable to receive and sell goods, the manufacturer of those goods may have to limit or shutdown their production, hence causing their own business interruption loss. This is a particular risk where there is an exclusive relationship. To address this gap in coverage, Customer Business Interruption (BI) is available on a sub-limited basis. Initially available via QBE, CFC and other insurers have since followed.
Reinstatements – For larger clients that purchase a substantial Cyber Insurance programme (£50m or above), insurers are willing to quote reinstatement of limits for pre-agreed additional premiums. A reinstatement restores a policy’s limit after it has been eroded by a loss, allowing the insured to effectively “top up” their protection and retain full coverage for subsequent events. Both pre-inception and post-loss reinstatement options are available.
Claims and notifications
Compared to the prior year, 2025 saw an approximate 20% increase in the volume of claims notifications across our portfolio. Most of the notified claims were for data breaches, some of which are likely to be extremely severe once litigation has concluded and liability is established.
Notably, although ransomware attacks accounted for only 16% of notifications, they represented approximately 75% of total insurer payouts. This indicates that while the frequency of ransomware attacks has declined compared to previous years, the severity of incidents has significantly increased, as demonstrated by several recent high-profile cases in the UK. In cases involving sophisticated threat actors, such as the Scattered Spider group, recovery times were far longer than anticipated. Some organisations were unable to resume operations for several months.
The last 12 months did not see widespread adoption of new infiltration techniques among cyber criminals. Instead, attackers have exploited unpatched critical vulnerabilities and deployed increasingly sophisticated phishing campaigns to gain access to corporate systems – either through employees, or through functions outsourced to managed service providers (MSPs).
Major insurers in the market have indicated that claims from the 2023 and 2024 underwriting years, which are still developing, are trending significantly higher than anticipated. This is particularly true for those underwriting US risks. There is growing concern that these years may ultimately prove unprofitable once all claims are fully settled.
Given the current threat landscape, many organisations are looking to strengthen internal governance around cyber risk. This includes ensuring the board is confident in the way Cyber Insurance is purchased, confirming that the policy structure and scope accurately reflect the organisation’s real exposures, and validating that organisation’s limits remain aligned with their risk appetite and total cost of risk.
Inflexion point approaching?
The dominant trends of 2025 will continue in the first half of 2026. Market capacity remains abundant, and insurer growth targets will continue to drive competition for existing Cyber Insurance buyers. Having said that, insurers believe that rates are hovering near the lower end of what is sustainable, while claims activity is more pronounced than ever. This suggests that a market shift may not be far off.
The Cyber Insurance market is now more mature than it was in 2020/2021, when rates doubled overnight. The evolution is largely due to the increase in the number of insurers underwriting Cyber in the London market – from approximately 25 in 2020, to 45 in 2025 – providing clients with greater choice and flexibility. For this reason, any future market correction is unlikely to be as drastic as experienced in 2021.
Now remains an opportune time to purchase Cyber Insurance. First-time buyers should be able to negotiate strong terms and conditions, including long-term agreements which protect against potential future volatility. For existing buyers, it is a sensible moment to review and stress-test limits of liability, especially considering the catastrophic impact caused by recent cyber events.
Talk to us
We pride ourselves on our collaborative approach, working closely with our clients to provide comprehensive risk transfer solutions. We utilise our extensive network of insurance providers to match you with the right terms and protection layers for your risk, ensuring your coverage is comprehensive across product lines. In the unfortunate event of cyber-attack against your organisation, our experts are on hand to guide you towards a prompt and complete recovery.
For more information, or for support to quantify your risk and procure insurance, reach out to a member of our Cyber & Technology team.
