
Helen Nuttall
Head of Cyber Incident Management
United Kingdom
Unprecedented cyberattacks on major UK retailers have brought cyber risk into sharp focus, raising urgent questions about cybersecurity, including in organisations that may never have considered it before. The frequency and severity of cyberattacks continue to rise as threat actors innovate at an increasing pace. Against this backdrop, we summarise below five trends that shaped the market in the first quarter of 2025, and outline strategies for risk managers to effectively handle crises similar to those faced in the retail sector.
So far in 2025, insurers have competed aggressively on cyber insurance pricing, especially in the UK, where competition is intense. In the first quarter of 2025, prices dropped 7% on primary layers (see Figure 1), consistent with pricing in Europe. In contrast, the US experienced smaller declines, closer to 3%, despite a highly competitive market.
While some industries, such as retail, have been more exposed to cyberattacks than others, insurers typically have not differentiated rates by sector. There has been an increased focus on cyber controls in specific sectors that typically experience high claims volumes, such as healthcare; financial institutions; and communication, media, and technology. Nonetheless, rates have generally decreased across the board.
Many organisations have sought higher limits this year, with 16% of Marsh clients extending their limit in the first quarter of 2025 (see Figure 2). The UK retail cyberattacks have reignited many conversations with insureds, even those halfway through a programme they renewed previously, who want to reevaluate their limits and consider additional options. Board members increasingly have questions about whether sufficient coverage is being acquired and regarding the due diligence in determining limits.
The UK cyber insurance market has become increasingly buyer-friendly in 2025, with a surplus of capacity ready to be deployed across an ever-expanding range of sectors. Insurers generally are agreeing to provide coverage based on proprietary broker wordings, which are typically broader than insurer wordings, especially regarding notification requirements. During less buyer-friendly markets, there was a notable shift towards insurer wordings that were generally more restrictive.
Additionally, insurers are competing in the range of risk management services they provide, aiming to help clients improve their risk profiles and prepare for potential events. For instance, insurers may conduct cyber tabletop exercises simulating a ransomware scenario with the board of directors to ensure that major internal stakeholders are ready for such incidents. Insurers and brokers are keen to highlight that cyber insurance encompasses more than just risk transfer. The cover includes threat analysis and assistance with risk management, creating a holistic approach designed to help clients strengthen their controls to mitigate risks, potentially reducing risk transfer costs.
There is also growing interest in cyber insurance from industries such as aviation, gambling, and hospitality that have not previously invested heavily in this area. Meanwhile, insurers are expanding their appetite to cover cyber risk in these sectors.
According to Marsh data, ransomware claims in the first quarter of 2025 were up by one-third compared to the fourth quarter of 2024 (see Figure 3).
In addition to ransomware attacks, there has been an uptick in distributed denial of service (DDoS) cyberattacks combined with extortion demands, where multiple compromised systems are used to flood a target, such as a server or network, with excessive traffic, causing it to become unavailable to legitimate users. These attacks seem to be scattershot attempts to generate revenue but typically lack sophistication and success. Data breaches are also occurring frequently and generating substantial cyber claims.
The retail cyberattacks in the UK, believed to have been carried out by the threat actor Scattered Spider, demonstrate that ransomware and cyber extortion remain significant risks. The threat actors thought to be behind the attacks are noteworthy due to their age — some are teenagers — and because they are native English speakers from the US, Canada, and the UK, differing from many other criminal groups that tend to operate from Russia and North Korea. They also appear to be driven partly by notoriety, not solely by financial gain, which sets them apart from most other threat actors.
While these events received huge media attention due to the targeting of well-known brands, Scattered Spider has also attacked non-retail organisations, underscoring the need for other industries to avoid complacency. In this wave of attacks, they likely chose the retail sector because it offers many human entry points: large, high-turnover customer service and IT help desk teams. Scattered Spider's modus operandi relies heavily on social engineering, where help desk agents are manipulated into believing the caller is a legitimate employee or contractor, and are persuaded to reset a password or enrol a new multi-factor authentication device, giving the attacker unauthorised access to systems. With large customer service and IT teams, retailers are particularly susceptible to such tactics.
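The help desk pattern described above leaves a characteristic trace in identity audit logs: a help-desk-initiated credential reset followed shortly by a sign-in from an address the account has never used, often with a new MFA device registered in between. The following is an added detection example written for this article, not code from the original page or from any vendor it mentions. The log line format, the field names, the sample events, the 30-minute window and the "previously unseen IP" heuristic are all constructed assumptions for illustration; adapt them to your identity provider's actual audit schema.

```python
"""Flag help-desk password resets followed by suspicious follow-on activity.

Added example for illustration only. The log format, the event names, the
sample events and the 30-minute window are constructed assumptions; they do
not come from the article or from any real identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window after the reset

# Constructed sample audit events (not real logs). One event per line:
#   <ISO-8601 timestamp> <EVENT> user=<account> actor=<who did it> ip=<source>
# j.smith: help desk reset, then MFA enrolment and login from an IP never seen
#          before -> should alert.
# a.jones: help desk reset, then login from an IP already used the day before
#          -> routine reset, no alert.
SAMPLE_LOG = """\
2025-04-19T08:00:00Z LOGIN_SUCCESS user=a.jones actor=a.jones ip=10.0.7.8
2025-04-20T09:02:11Z PASSWORD_RESET user=j.smith actor=helpdesk:agent07 ip=10.0.5.21
2025-04-20T09:05:40Z MFA_DEVICE_ADDED user=j.smith actor=j.smith ip=203.0.113.45
2025-04-20T09:06:02Z LOGIN_SUCCESS user=j.smith actor=j.smith ip=203.0.113.45
2025-04-20T11:30:00Z PASSWORD_RESET user=a.jones actor=helpdesk:agent12 ip=10.0.5.22
2025-04-20T11:31:15Z LOGIN_SUCCESS user=a.jones actor=a.jones ip=10.0.7.8
"""


def parse_line(line):
    """Parse one constructed audit line into a dict with a timezone-aware ts."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "event": event,
        **fields,
    }


def detect_helpdesk_reset_abuse(log_text, window=WINDOW):
    """Return one alert per help-desk reset that is followed, within `window`,
    by an MFA device enrolment and/or a successful login from an IP the
    account has never logged in from before."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    seen_ips = defaultdict(set)  # user -> IPs from earlier successful logins
    open_resets = {}             # user -> {"reset": event, "signals": [...]}

    for e in events:
        user = e["user"]
        if e["event"] == "PASSWORD_RESET" and e["actor"].startswith("helpdesk:"):
            # A reset the user did not perform themselves starts a watch window.
            open_resets[user] = {"reset": e, "signals": []}
            continue

        watch = open_resets.get(user)
        in_window = watch is not None and e["ts"] - watch["reset"]["ts"] <= window

        if e["event"] == "MFA_DEVICE_ADDED" and in_window:
            watch["signals"].append("mfa_device_added_after_reset")

        if e["event"] == "LOGIN_SUCCESS":
            if in_window and e["ip"] not in seen_ips[user]:
                watch["signals"].append(f"login_from_new_ip:{e['ip']}")
            # Record the IP only after the check so the current login cannot
            # vouch for itself.
            seen_ips[user].add(e["ip"])

    return [
        {
            "user": user,
            "helpdesk_actor": w["reset"]["actor"],
            "reset_at": w["reset"]["ts"].isoformat(),
            "signals": w["signals"],
        }
        for user, w in open_resets.items()
        if w["signals"]
    ]


if __name__ == "__main__":
    for alert in detect_helpdesk_reset_abuse(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on who performed the reset: a self-service reset from a known device is routine, while a reset performed by a help desk agent on behalf of a caller is exactly the step the social engineer needs, so it is the reset worth correlating. A real deployment would also pull in the help desk ticket that justified the reset, so responders can confirm whether the caller's identity was verified by an out-of-band method before the reset was granted.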
Other industries that have historically underinvested in cybersecurity, possess extensive data, and present a broad attack surface face similar exposures. As any organisation is vulnerable to social engineering attacks, it is crucial for all employees, from the CEO to interns, and especially those on the front line of customer interactions, to be trained to recognise and respond to threats.
Ransomware also has a human impact. During a cyber crisis, response teams often work around the clock to combat and contain the threat. They face making high-stakes decisions on a minute-by-minute basis, such as whether to shut down certain systems to stop the infection or keep them online and risk worsening the situation.
In major ransomware events, it’s common for incident response teams to go without sleep for days during the critical initial window. Many have holidays cancelled, weekends shelved, and may not be compensated adequately for the long hours they are expected to put in. Meanwhile, customer service representatives face frustration from customers.
However, the impact of cyber incidents extends beyond the immediate response team, affecting organisations, the UK economy, national security, and society at large. A recent report states that ransomware can ruin lives. Cyber incidents have led to job losses, feelings of shame and self-blame, disruptions in personal and family life, and serious health issues, the report adds. The cumulative effects of ransomware attacks have also reduced confidence in public services and law enforcement and led to the normalisation of cybercrime. Additionally, ransomware provides a strategic advantage to hostile states harbouring the cybercriminals responsible for these operations.
In an ever-complex cyber risk landscape, risk managers have a critical role to play. Smooth incident responses feature risk managers who are front and centre in the incident response team, pushing for the best possible vendor and insurer engagement and insurance recoveries. Responses can falter when risk managers are kept at arm's length during a cyber incident and only updated about insurance matters.
The key to being an exceptional risk manager during a crisis lies in effective internal stakeholder management and an understanding of the concerns of parties involved, including the chief security advisor (CSA), the chief information security officer (CISO), the board, and non-executive members. An effective risk manager acts as a translator among these groups, ensuring alignment and clear communication.
Before a crisis, a risk manager should proactively collaborate with the CISO to assess the organisation's risk profile, recommend appropriate insurance limits, and create a continuous risk improvement plan. Insurance policies should no longer be seen as static documents to be shelved for a year; instead, they should be integrated into an active risk management programme. The risk manager can access free or discounted services offered by insurers, such as tabletop exercises, and implement them across the organisation. Ultimately, it’s essential to view cyber risk not as an isolated issue, but as a critical component of every business's infrastructure that requires ongoing attention.
The recent retail cyberattacks also highlight the need for risk managers to ensure incident response plans address events lasting not days, but months. Testing these plans through crisis simulations is essential. Organisations should consider how decisions would be made if key stakeholders haven’t slept for days. Clearly defining roles and responsibilities, including identifying a deputy, is crucial.
Risk managers also need to ensure that the response team can communicate out of band, on infrastructure the attacker cannot reach from the compromised network, and meet in a secure location. Scattered Spider threat actors, in particular, are known to monitor an organisation's calls and chat channels and may join incident response discussions to listen to its plans. It is therefore crucial to move response communications off the affected corporate environment, using a dedicated out-of-band crisis collaboration platform such as Cygnvs.
Cyber risk management is an ongoing endeavour, and organisations need to adopt a proactive approach. As your cyber risk advisor, Marsh can help you in several ways:
For more information, please contact your Marsh advisor.
05/05/2025