Will Davis
Banks Sector Leader
United Kingdom
2025 was a year of evolution and adaptation for UK financial institutions. Across banks, asset managers, insurers, digital assets, and fintech, the industry underwent a significant transformation while confronting an increasingly intricate risk landscape that demanded exceptional agility and resilience. The rapid acceleration of artificial intelligence (AI) and its associated risks, the growing sophistication of cyberattacks, rising crime-related losses, evolving regulatory frameworks, and ongoing geopolitical uncertainty were among the many challenges financial institutions faced last year.
Individual sectors encountered distinct risk profile tests in 2025. Banks capitalised on favourable market conditions to pursue IPOs and increase merger and acquisition (M&A) activity, bringing with it the risks inherent in these strategies. Meanwhile, regulatory changes in the US and Europe accelerated the adoption of digital assets, introducing new risks alongside growth opportunities. Through strategic partnerships and the acquisition of fintech firms, banks modernised their infrastructure, focusing on mobile and internet-based services. While this enhanced accessibility, it also brought new operational and cyber risks that require careful management. Digital assets further entrenched themselves as a core component of financial services, with traditional institutions increasingly expanding their presence in this space. This trend underscored the critical need for robust risk management frameworks tailored to this evolving sector.
For asset managers, environmental, social, and governance (ESG) considerations — once a strong driver of strategy — lost some influence due to political shifts, particularly in the US, prompting firms to recalibrate strategies to better align with regional investor preferences. In fintech, the rapid adoption of agentic AI platforms capable of autonomously handling complex financial tasks has driven strong demand for highly customised, technology-focused insurance solutions addressing emerging risks related to AI, cyber threats, and operational resilience.
Despite these rising risk exposures, market rates continued to fall — a trend that may seem counterintuitive. This decline is partly driven by factors such as capacity and losses that are yet to materialise. In this context, adopting a cautious approach to insurance — such as a two-year buy-in strategy — was a sensible path forward for many clients.
Below, we present a thorough review of the principal themes that shaped the financial institutions sector in 2025.
Across all sectors, cyber risks, including data breaches, social engineering, and sophisticated fraud, remained crucial components of claims and operational losses in 2025.
Awareness among banks of their accountability for authorised push payment (APP) fraud — where individuals are deceived into voluntarily transferring money from their own accounts to fraudsters — has increased thanks to enhanced regulation by the Payment Systems Regulator (PSR). The increase in APP fraud was exacerbated by economic pressures and social factors, including employee dishonesty. For the first time since 2020, crime-related claims have surpassed directors and officers (D&O) claims in volume, accounting for 23% compared to 20% for D&O claims, while professional indemnity (PI) claims remain the largest category at 56%.
Asset managers grappled with breach-of-mandate claims, regulatory investigations, and frequent trade errors, alongside a growing incidence of employment practices liability (EPL) claims driven by allegations of poor management and discrimination. While crime-related losses remained rare — primarily because client funds are generally held and transacted through intermediaries, which reduces the risk of direct misappropriation — social engineering fraud emerged as a significant concern.
The digital assets sector recorded total losses exceeding US$3 billion in 2025, up from just under US$2 billion in 2024. These losses were driven by employee infidelity and computer fraud, including high-profile exploits of decentralised finance (DeFi) protocols, driven by vulnerabilities in the smart contracts that implement them. These events have heightened client concerns about coverage scope and exclusions and led insurers to tighten underwriting and emphasise concrete security controls, governance, and compliance.
Fintech firms, despite relatively low claim volumes, faced increasing fraud from account takeover and chargebacks. This raises questions about the adequacy of internal policies amid rapid digital account access and insufficient fraud controls.
In 2025, insurance companies faced a sharp increase in bad-faith claims. These more than doubled in frequency and severity across multiple lines. Bad faith allegations remained diverse and highly case-specific, ranging from coverage disputes and delays in investigation to misdirection in claims handling, all of which contributed to greater unpredictability.
Overall, 2025 underscored the growing intricacy of risk across financial institutions, where operational, cyber, regulatory, and technological threats intersect, demanding adaptive risk management and insurance strategies.
The insurance market for financial institutions in 2025 demonstrated broadly favourable pricing conditions and expanding capacity across banks, asset managers, digital assets, fintechs, and insurance companies, albeit with sector-specific nuances. While all sectors benefited from competitive pressures that reduced rates and encouraged capacity growth, the pace and nature of these changes varied (see Figures 1 and 2). This pattern might seem surprising amid rising risks, but it can partly be explained by an influx of insurers entering the market and by the fact that many losses are not yet apparent.
Note on data: Global Price Movement tracks changes in insurance prices, measured as the rate per million (the premium paid for each 1 million limit of coverage). Upon renewal, the price of each insurance programme is compared with the previous expiring programme (for example, 50% would represent a 50% increase compared with the previous year). This sample comprises 5,771 renewals in 2025 from 5,684 firms worldwide. The insurance was placed in the UK.
Source: Marsh
Note on data: Global Price Movement tracks changes in insurance prices, measured as the rate per million (the premium paid for each 1 million limit of coverage). Upon renewal, the price of each insurance programme is compared with the previous expiring programme (for example, 50% would represent a 50% increase compared with the previous year). This sample comprises 102 renewals in 2025 from 100 firms worldwide. The insurance was placed in the UK.
Source: Marsh
Banks and insurance companies saw modest, relatively stable premium reductions, focusing on sustainable pricing adjustments alongside steady capacity increases. Asset managers and fintech companies experienced more pronounced price declines, driven by intensified competition and increased underwriting sophistication, which enabled clients to enhance coverage limits without proportionate budget increases. The digital asset sector continued its evolution, with pricing declines accompanied by capacity growth in line with other FI sectors. Capacity for crime coverage remained concentrated in higher excess layers. Across all sectors, insurers struck a balance between competitive pricing and cautious underwriting, reflecting the unique risk profiles and emerging challenges inherent to each market segment. Overall, 2025 underscored a market environment where competitive pricing and capacity growth coexisted with far-sighted underwriting, tailored to the distinct risk landscapes and maturity levels of each financial institution sector (see below).
In response to the evolving risk environment, buying behaviours and policy terms across financial sectors in 2025 reflected a trend towards more targeted, risk-aligned insurance purchasing and broader coverage enhancements, driven by better benchmarking practices that enabled more strategic decisions about limit purchases to optimise risk management and cost efficiency.
Banks increasingly recognised the necessity of comprehensive cyber insurance alongside crime and PI coverage, often aligning primary insurers across these lines to streamline claims management and wordings. Clients sought higher D&O limits, particularly Side A coverage, as a cost-effective means to protect personal assets amid rising claim costs driven by stricter regulation. Policy terms for banks moved towards restoring pre-pandemic standards, with adjustments and discounts reflecting true client risk amid softer market conditions.
Asset managers capitalised on favourable market conditions to expand coverage and improve policy wordings, notably incorporating social engineering and EPL cover on more favourable terms. Retention levels generally remained stable or decreased. Cyber insurance purchases doubled in 2024 and 2025, driven more by media attention (particularly high-profile cyberattacks in the UK) and investor demand than by direct exposure, while about 20% of asset managers increased their PI and D&O limits, leveraging competitive pricing.
Digital asset clients maximised benefits from updated Marsh proprietary crime wordings, pushing policy language in a highly competitive environment. Traditional financial institutions showed growing interest in digital asset custody insurance, signalling further progress towards the institutionalisation of digital assets. Fintech policies evolved rapidly to address heightened regulatory scrutiny of AI, stricter cybersecurity and data protection requirements, and complex pre-contractual disclosure obligations. Clients demanded, and Marsh continued to deliver, highly personalised, technology-centric insurance solutions tailored to their unique operational risks, rigorously evaluating “fintech-friendly” policies and pressuring insurers to adapt swiftly.
Insurance companies leveraged the soft market to ease restrictions imposed during the hard market years of 2020-2022, securing broader terms, including reinstatements, and pursuing long-term agreements where pricing flexibility had previously been limited. While most maintained stable buying patterns, a clear shift emerged: policyholders increased PI limits in response to higher claims activity and social inflation, driven by rising legal costs and expanding damage expectations.
Across all sectors, insurers balanced enhanced coverage breadth and favourable terms with the need to address emerging operational and regulatory complexities. This buyer-friendly environment, coupled with competitive pricing and expanding capacity, enabled clients to strengthen protection while managing costs effectively.
Risks facing financial institutions related to AI and digital assets introduced new challenges across all sectors last year. The rapid adoption of generative AI raised concerns about bias, misinformation, and autonomous decision-making, which, in turn, impacted D&O and PI exposures. Additionally, financial institution firms developing and implementing their own AI, digital assets, and new technologies faced errors and omissions (E&O) risks that fall outside traditional financial institution exposures. These risks may not typically fall under standard cyber or PI policies and require distinct recognition and management.
Emerging risks across the financial sector also highlighted the growing influence of regulatory complexity and geopolitical factors. Below is a summary of key risks confronting various financial institution sectors.
In the banking industry, AI and digital asset risks are expected to develop and unfold further in 2026. Meanwhile, supply chain risk is poised to become a major concern for banks as deglobalisation accelerates, driven by dramatic tariff changes, geopolitical conflicts, and growing national independence. These factors create greater vulnerabilities and inconsistencies in workforce management, operational protocols, and risk strategies within multinational banks, prompting a need for comprehensive risk reviews.
At the same time, third-party risk management will remain critical. Banks are required to conduct stringent evaluations of cyber vendors and AI partners, encompassing comprehensive background screenings of personnel who have access to critical banking systems and sensitive data.
Additionally, the shifting geopolitical landscape has increased government pressure on banks to provide loans to the defence sector, including institutions that were previously reluctant to support military funding. This change may expose banks to reputational damage, such as accusations of “social washing” — claiming social responsibility without meaningful action.
Looking ahead, the Internal Capital Adequacy Assessment Process (ICAAP) review in the UK, scheduled for 2027, will require banks to align their insurance strategies with key loss scenarios. Banks must ensure their insurance coverage effectively mitigates exposures identified in their ICAAP assessments.
Marsh is assisting clients by mapping potential loss events to existing insurance products and helping develop clear blueprints for expected losses across various time horizons. This ongoing process empowers clients to make informed decisions about coverage types, limits, and expected losses, while continuously updating risk assessments to keep pace with top risks and emerging trends.
AI risk has become a key focus for both insurers and asset managers, as clients increasingly use AI as a research and decision-support tool, though typically not for final trading decisions. Insurers are closely scrutinising how AI is integrated into the investment process and the effectiveness of controls designed to manage associated risks. These risks primarily centre on data reliability and the potential for flawed decision-making if oversight is insufficient. Consequently, asset managers are encouraged to maintain rigorous human intervention and validation of AI-generated insights to ensure the accuracy and reliability of their decisions.
Social engineering fraud continues to grow as a concern, often ranking just behind cyber risks in client queries. Education efforts are currently underway to clarify that cyber insurance covers not only malicious attacks but also non-malicious cyber events that can disrupt business continuity.
As the DeFi industry continues to expand, the risk of smart contract exploits and computer fraud remains significant, potentially leading to substantial asset losses, as witnessed in 2025. Similarly, fintech companies face emerging risks related to application programming interface (API) vulnerabilities and smart contract exposures, necessitating the development of new risk models tailored to these specific challenges.
While regulatory clarity is expected to improve in 2026, it will also bring closer scrutiny of firms’ operational controls, governance, and risk management frameworks. For globally operating firms, regulatory fragmentation and differing regulatory philosophies create complex compliance challenges. This is particularly acute for digital asset firms and fintechs, where regulatory scrutiny around AI, data use, and cyber risk is intensifying. Fintech companies must also address data and AI risks, such as algorithmic bias, data quality issues, and errors in AI-driven decision-making, while anticipating an increase in cybersecurity threats as digital attack surfaces expand.
Additionally, systemic aggregation risk has become more pronounced given the ecosystem’s reliance on a limited number of providers. Failures or breaches at major digital asset custodians or custodial exchanges could trigger cascading effects across both traditional financial institutions and digital asset firms. This risk is heightened as many US banks and other financial institutions increasingly depend on the same providers, expanding the potential impact beyond crypto-native companies. The 2025 Balancer Protocol incident, where a sophisticated exploit of a rounding error in a smart contract drained over US$128 million from liquidity pools across multiple blockchains, served as a reminder of how interconnected vulnerabilities can rapidly propagate across platforms.
Cyber Security Act 2024: Effective in 2025, key provisions include mandatory ransomware and cyber extortion reporting, minimum cybersecurity standards for smart devices, and the creation of the Cyber Incident Review Board.
Cyber Security and Resilience Bill: Introduced in November 2025, aims to strengthen defences and protect essential public services.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) 2022: Establishes a requirement for critical infrastructure entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours.
The big question for the insurance sector is whether the spike in bad faith claims in 2025 is an anomaly or the start of a new normal. Historically, spikes in bad faith claims have followed major weather events, other natural disasters, and large-scale insured losses that prompt allegations of misconduct. However, the 2025 uptick is not tied to a single event. It appears to reflect broader demographic and claims-inflation dynamics, including rising litigation costs and the increasing trend of “nuclear verdicts.” The industry will continue to monitor whether this is a temporary blip or a structural shift.
Collectively, these emerging risks underscore the need for dynamic risk management and insurance strategies tailored to the evolving landscape across financial sectors.
Across financial sectors, insureds share common priorities such as enhancing regulatory compliance, strengthening cybersecurity, and maintaining proactive communication with insurers to manage evolving risks. However, each sector faces unique challenges that require tailored risk management and insurance strategies suited to its specific operational and regulatory environments.
For banks, critical measures include prioritising clear communication and thorough preparation around regulatory compliance, with a strong focus on data privacy and rigorously assessing partner security standards to safeguard reputation. Monitoring claims related to APP fraud and improving education for customers and employees on this risk are essential. Additionally, banks should update their risk taxonomies and loss scenarios to incorporate emerging technologies such as AI, blockchain, and digital assets, while also considering longer-term threats, including quantum computing and geopolitical shifts. Adopting a multi-year risk strategy that actively involves insurers throughout the cycle can stabilise premiums and strengthen partnerships.
Asset managers should continue to enhance cybersecurity as risks evolve by benchmarking their existing controls against industry standards and implementing rigorous AI measures with meticulous human oversight. Transparency with investors regarding AI’s role in investment research is also important for maintaining trust and regulatory compliance. Furthermore, asset managers should strengthen internal AI governance, focusing on compliance with employment law and employee relations to mitigate rising EPL risks, particularly as the Employment Rights Act 2025 comes into force from February 2026.
Organisations engaging with digital assets should adopt a holistic risk management framework that balances prevention, mitigation, and recovery strategies, underpinned by tailored risk transfer. By embedding layered technical controls, robust operational governance, coordinated incident response plans, and strategic insurance programmes, organisations can significantly reduce loss exposure and improve recovery outcomes. Maintaining agility and preparedness is key to managing these complex risks effectively as the digital asset ecosystem develops.
Fintech companies must rigorously review their insurance annually or whenever their business models or critical processes change, given their rapid growth and evolving risk profiles. Special attention should be paid to whether chargebacks are covered under policies, due to the atypical way in which the fraud is realised — the fintech essentially refunds the legitimate customer for losses suffered. Navigating the market requires specialised advice and data-driven insurer selection to avoid coverage gaps, prolonged claims, and inconsistent underwriting outcomes.
For insurance companies, ensuring robust claims practices, including training, oversight, and appropriate escalation processes, will be crucial for both managing that exposure and giving confidence to carriers writing insurance company PI risk.
In 2025, the financial institutions sector demonstrated remarkable resilience and adaptability amid rapid technological innovation, shifting regulatory landscapes, and increasingly complex risk profiles. A key development was the widespread integration of AI across financial services, which significantly heightened operational complexity and risk. While some insurers have proposed AI exclusions, such measures currently seem unlikely in today’s market.
Cyber risk remains a dominant and evolving threat across all financial sectors, fuelled by rising incidents of data breaches, social engineering, and sophisticated fraud schemes. The rapid pace of digital transformation and broad adoption of AI have further amplified operational vulnerabilities, underscoring the need for robust cybersecurity measures and vigilant risk management. As cyber threats grow in both complexity and scale, financial institutions must prioritise incorporating comprehensive cyber coverage into their insurance arrangements, alongside proactive governance to mitigate potential losses and protect their operations in an increasingly interconnected environment.
In 2026 and beyond, financial institutions must focus on dynamic, multi-year risk strategies that address evolving technologies, geopolitical volatility, and regulatory pressure. Early engagement with insurers and brokers, rigorous internal controls, and continuous risk monitoring will be critical to securing comprehensive coverage and managing costs effectively.
Ultimately, success in this complex environment amid economic uncertainty will depend on the sector’s ability to balance innovation with prudent risk management, fostering partnerships that support sustainable growth and resilience amid ongoing change.