Market Overview
During the first half of 2025, the UK cyber insurance market has remained positive for clients. In the past quarter, premiums across our portfolio have decreased by an average of 12% year-over-year.
Meanwhile, insurers continue to compete in their efforts to broaden coverage, notably in the following areas:
Non-IT Business Interruption coverage: Most cyber policies cover financial losses caused by outages in the IT supply chain (SaaS, Cloud Providers, Software developers, etc.). In the current market, insurers are often willing to extend this coverage to non-IT supply chain disruptions caused by cyber incidents. For example: a cyber outage affecting a supplier of raw materials, which prevents their client (the insured) from producing and selling their goods.
Cyber Crime coverage: Cyber policies have historically excluded coverage for theft of funds and securities. A notable development in the current market is the willingness of some insurers to offer a sub-limit for the theft of money (or equivalent) resulting from a cyber-attack, invoice manipulation, and social engineering.
Long-term agreements (LTAs): These agreements can offer budgetary certainty by allowing insureds to lock in a certain rate. Some clients are taking advantage of the current soft market conditions by signing up to a two- or three-year LTA.
These positive trends provide an opportunity for clients to re-evaluate their limits, and to ensure they have an appropriate level of coverage that aligns with their risk profile and exposures. In the absence of any market-changing event, these conditions will continue throughout the remainder of 2025.
Retail sector under siege
Recent months have seen a significant surge in cyber-attacks targeting major UK retailers, including Marks & Spencer, Co-op and Harrods.
M&S suffered a particularly severe ransomware attack that impacted online sales and contactless payments, and led to a substantial drop in market capitalisation.
Reports suggest that a collective of hackers known as Scattered Spider were behind the attacks. To compromise their targets, the group deploy social engineering tactics, often using targeted phishing and voice calls to IT helpdesks to gain access to internal systems. In recent weeks, Scattered Spider appear to have expanded their scope beyond the retail sector, with the theft of 5.7 million customer records from Australian airline Qantas. This shift has prompted urgent warnings from major cybersecurity entities.
Despite grabbing headlines, the attacks on the UK retail sector are unlikely to change market conditions, for two reasons. Firstly, most of the impacted organisations were either not insured, or they were underinsured. Secondly, the London market for cyber insurance (and its global counterpart) is vast enough to withstand and absorb losses of this size. Nevertheless, the attacks have – possibly for the first time – transformed the concept of a cyberattack from an abstract notion into a tangible reality, with direct consequences for consumers and organisations alike.
You can read more about the retail attacks, including tips for how organisations can protect themselves, in our UK Retail Ransomware Threat Paper.
For more information on how to navigate a cyber incident, watch our Navigating Cyber Incidents webinar. Together with law firm Kennedys and corporate intelligence consultancy S-RM, we explore cyber-attack tactics and how organisations can mitigate damage and initiate recovery following an incident.
In depth: UK Government enquiry into M&S cyber-attack
On the 8th of July, the Business and Trade sub-committee questioned Marks and Spencer Chairman Archie Norman on the crippling cyber-attack that caused months of operational disruption to the retailer.
Here we summarise some of the key points from his testimony that provide insight into the severity of the attack:
Norman described the attack as “very costly” with an estimated hit to profits of £300 million. He acknowledged that the impact on staff has been “traumatic.”
For each week the company was not trading, M&S lost £10 million in profit.
Full system restoration is expected to take several more months.
The initial breach on 17th April occurred through “sophisticated social engineering,” targeting a third-party provider to reset an internal user’s password. M&S was not directly contacted by the threat actor for about a week after the initial penetration.
Norman declined to confirm whether a ransom was paid, citing ongoing law enforcement involvement and the sensitive nature of the incident.
Norman confirmed that M&S doubled its cyber insurance coverage last year before the attack occurred. He said: “A year previously, we looked at how the market was pricing, and we realised that we were insuring for the trivial and not for the catastrophic. So, we flipped that: we effectively said, we’ll take the first amount of exposure ourselves, and then we will insure for the worst-case scenario.”
With respect to his experience with cyber insurers during the attack, he commented: “As far as our interaction with our insurers is concerned, as you would expect, it has been a very engaged conversation right from day one […] We are in an almost daily dialogue with them. They are being very supportive.”
While acknowledging that “a thousand things” could have been done differently, Norman stated that M&S will conduct an in-depth, third-party-facilitated review of the incident. He expressed willingness to share the learnings.
End-of-year outlook
Looking ahead for the remainder of 2025, the trend of competitive pricing for clients is likely to persist, although the extent of the rate decreases may reduce as insurers assess the evolving threat landscape.
We expect to see further product innovation as insurers strive to differentiate with broader and more tailored coverage solutions; and we anticipate that insurers will continue to develop their pre-loss risk management services and security tools to strengthen their offering and contribute to the overall resilience of clients.
Furthermore, the market will be closely monitoring the impact of emerging technologies like AI, both on the threat landscape and on potential insurance claims.
Contact the UK Cyber Risk Advisory team
There are many ways to build cyber resilience. Our in-house cyber experts work in collaboration with external partners to help you prepare for and respond to cyber-attacks. To learn more about our tailored cyber and technology risk solutions, read our brochure.
For further insights, visit our Cyber and Technology page.