
Report

Five trends in UK cyber insurance in the first quarter of 2025

Unprecedented cyberattacks on major UK retailers have brought cyber risk into sharp focus, raising urgent questions about cybersecurity, including in organisations that may never have considered it before. The frequency and severity of cyberattacks continue to rise as threat actors innovate at an increasing pace. Against this backdrop, we summarise below five trends that shaped the market in the first quarter of 2025, and outline strategies for risk managers to effectively handle crises similar to those faced in the retail sector. 

2. Limit: Organisations reevaluate cyber programmes, even mid-term

Many organisations have sought higher limits this year, with 16% of Marsh clients extending their limit in the first quarter of 2025 (see Figure 2). The UK retail cyberattacks have reignited many conversations with insureds, even those halfway through a programme they renewed previously, who want to reevaluate their limits and consider additional options. Board members increasingly have questions about whether sufficient coverage is being acquired and regarding the due diligence in determining limits. 

Figure 2: 16% of Marsh clients upped their limit in Q1 2025

3. Underwriting: Buyer-friendly market draws in new industries

The UK cyber insurance market has become increasingly buyer-friendly in 2025, with a surplus of capacity ready to be deployed across an ever-expanding range of sectors. Insurers generally are agreeing to provide coverage based on proprietary broker wordings, which are typically broader than insurer wordings, especially regarding notification requirements. During less buyer-friendly markets, there was a notable shift towards insurer wordings that were generally more restrictive.

Additionally, insurers are competing in the range of risk management services they provide, aiming to help clients improve their risk profiles and prepare for potential events. For instance, insurers may conduct cyber tabletop exercises simulating a ransomware scenario with the board of directors to ensure that major internal stakeholders are ready for such incidents. Insurers and brokers are keen to highlight that cyber insurance encompasses more than just risk transfer. The cover includes threat analysis and assistance with risk management, creating a holistic approach designed to help clients strengthen their controls to mitigate risks, potentially reducing risk transfer costs.

There is also growing interest in cyber insurance from industries such as aviation, gambling, and hospitality that have not previously invested heavily in this area. Meanwhile, insurers are expanding their appetite to cover cyber risk in these sectors.

4. Claims: As claims rise, retail attacks show the need for vigilance among organisations with a broad attack surface

According to Marsh data, ransomware claims in the first quarter of 2025 were up by one-third compared to the fourth quarter of 2024 (see Figure 3).

In addition to ransomware attacks, there has been an uptick in distributed denial of service (DDoS) cyberattacks combined with extortion demands, where multiple compromised systems are used to flood a target, such as a server or network, with excessive traffic, causing it to become unavailable to legitimate users. These attacks seem to be scattershot attempts to generate revenue but typically lack sophistication and success. Data breaches are also occurring frequently and generating substantial cyber claims.

The retail cyberattacks in the UK, believed to have been carried out by the threat actor Scattered Spider, demonstrate that ransomware and cyber extortion remain significant risks. The threat actors thought to be behind the attacks are noteworthy due to their age — some are teenagers — and because they are native English speakers from the US, Canada, and the UK, differing from many other criminal groups that tend to come from Russia and North Korea. Unlike other threat actors, they also appear to seek notoriety rather than financial gain.

While these events received huge media attention due to the targeting of well-known brands, Scattered Spider has also attacked other non-retail organisations, underscoring the need for other industries to avoid complacency. In this wave of attacks, they likely chose the retail sector due to its relatively open access points. Scattered Spider’s modus operandi relies heavily on social engineering, where customer service or IT help desk agents are manipulated into believing threat actors are someone trustworthy, allowing them to reset passwords or gain unauthorised access to systems. With large customer service and IT teams, retailers are particularly susceptible to such tactics.

Other industries that have historically underinvested in cybersecurity, possess extensive data, and present a broad attack surface face similar exposures. As any organisation is vulnerable to social engineering attacks, it is crucial for all employees, from the CEO to interns, and especially those on the front line of customer interactions, to be trained to recognise and respond to threats.

Figure 3: UK ransomware notifications increase by one-third

5. Impacts: Cyber events increasingly have a human cost

Ransomware also has a human impact. During a cyber crisis, response teams often work around the clock to combat and contain the threat. They face making high-stakes decisions on a minute-by-minute basis, such as whether to shut down certain systems to stop the infection or keep them online and risk worsening the situation.

In major ransomware events, it’s common for incident response teams to go without sleep for days during the critical initial window. Many have holidays cancelled, weekends shelved, and may not be compensated adequately for the long hours they are expected to put in. Meanwhile, customer service representatives face frustration from customers.

However, the impact of cyber incidents extends beyond the immediate response team, affecting organisations, the UK economy, national security, and society at large. A recent report states that ransomware can ruin lives. Cyber incidents have led to job losses, feelings of shame and self-blame, disruptions in personal and family life, and serious health issues, the report adds. The cumulative effects of ransomware attacks have also reduced confidence in public services and law enforcement and led to the normalisation of cybercrime. Additionally, ransomware provides a strategic advantage to hostile states harbouring the cybercriminals responsible for these operations.

How risk managers can excel in a crisis

In an increasingly complex cyber risk landscape, risk managers have a critical role to play. Smooth incident responses feature risk managers who are front and centre in the incident response team, pushing for the best possible vendor and insurer engagement and insurance recoveries. Responses can falter when risk managers are kept at arm's length during a cyber incident and only updated about insurance matters.

The key to being an exceptional risk manager during a crisis lies in effective internal stakeholder management and an understanding of the concerns of parties involved, including the chief security advisor (CSA), the chief information security officer (CISO), the board, and non-executive members. An effective risk manager acts as a translator among these groups, ensuring alignment and clear communication.

Before a crisis, a risk manager should proactively collaborate with the CISO to assess the organisation's risk profile, recommend appropriate insurance limits, and create a continuous risk improvement plan. Insurance policies should no longer be seen as static documents to be shelved for a year; instead, they should be integrated into an active risk management programme. The risk manager can access free or discounted services offered by insurers, such as tabletop exercises, and implement them across the organisation. Ultimately, it’s essential to view cyber risk not as an isolated issue, but as a critical component of every business's infrastructure that requires ongoing attention.

The need for a dynamic incident response plan

The recent retail cyberattacks also highlight the need for risk managers to ensure incident response plans address events lasting not days, but months. Testing these plans through crisis simulations is essential. Organisations should consider how decisions would be made if key stakeholders haven’t slept for days. Clearly defining roles and responsibilities, including identifying a deputy, is crucial.

Risk managers also need to ensure that the response team can operate offline in a secure location. Scattered Spider threat actors, in particular, tend to monitor calls and may join incident response discussions to listen to an organisation’s plans. Therefore, it's crucial to eliminate that access from your network, using solutions such as Cygnvs.

How Marsh can help you understand, measure, and manage cyber risk

Cyber risk management is an ongoing endeavour, and organisations need to adopt a proactive approach. As your cyber risk advisor, Marsh can help you in several ways:

  1. Incident management: Our cyber incident management team can help formulate your cyber incident response and support you during and after an incident. 
  2. Risk advisory: Our advisory team can partner with you to enhance cybersecurity resilience, given technology advancements and the ever-evolving threat landscape.
  3. Risk intelligence: Our economic modelling and quantification tools, such as Blue[i], can inform risk transfer and cybersecurity decision-making.
  4. Insurance: Our proprietary insurance programmes enable efficient cyber risk transfer.

For more information, please contact your Marsh advisor.

Our people

Helen Nuttall, Head of Cyber Incident Management, United Kingdom

Serena France-Hayhurst, UK Cyber Placement Leader, Cyber Risk, United Kingdom

Will Vernon, Vice President, Cyber Risk, United Kingdom
