
Report

The quiet crisis in cyber insurance: Many companies carry more risk than they realise

Businesses can spend years investing in cybersecurity — yet still suffer one of their largest ever financial losses from a single cyber event. That is the uncomfortable reality facing many organisations today.

While technical preparedness remains a key priority, a business’s viability is also strongly linked to its financial exposure to a cyber event. Marsh analysis finds that 67% of UK clients purchase cyber limits that would be insufficient for a 1-in-100-year loss scenario. That matters because a 1-in-100 event is no longer an unrealistic scenario. Today, this scale of event is considered a realistic stress test for businesses that operate in an interconnected environment, and failure to purchase adequate protection may leave firms more exposed to catastrophic balance sheet impacts, even when their security defences appear robust.

The nature of cyber loss has evolved

Recent cyber events involving major UK organisations highlight the scale of the problem. In one high-profile retail case, a ransomware attack triggered extended disruption to payments, e‑commerce, and customer operations. Public disclosures later revealed the financial impact ran into the hundreds of millions of pounds, with insurance covering only a portion of the overall economic loss.

Today’s businesses are tightly interconnected — both physically and digitally — so a single cyber event can trigger widespread operational and financial disruption across multiple partners and sectors.

For years, many businesses have viewed cyber exposure primarily through the immediate impact of a data or security breach — substantial first-party costs (for example, notification costs and breach counsel), ensuing third-party liability (such as regulatory scrutiny and customer remediation), and a duty to report within 72 hours of becoming aware of the breach, where feasible. These exposures still exist, but for many organisations, the greatest financial concern now comes from operational paralysis.

A serious ransomware incident can halt trading, delay production, disrupt logistics, lock employees out of systems, and create weeks of lost income and additional expenses to mitigate the impact. Even after systems are restored, secondary effects often continue: customer attrition, reputational repair, management distraction, and delayed strategic activity.

These attacks are not exceptional; they highlight a broader reality: the largest cyber losses are driven by downtime and business interruption, not simply by data theft or ransom demands. They are also often systemic in nature, and this changes the way organisations should consider cyber insurance.

Common pitfalls

Businesses often grapple with a choice between investing in cybersecurity or purchasing cyber insurance. Some believe that they have sufficient controls in place and therefore do not need insurance. The reality, as events in recent years have shown, is that cybersecurity and cyber insurance shouldn’t be seen as mutually exclusive — they’re complementary.

When choosing what limit to purchase, companies can leave themselves more exposed owing to default and potentially regrettable choices. For example:

  • Renewing the same amount as last year.
  • Purchasing similar to the peer group without reviewing the control gaps and different exposures.
  • Selecting a figure that feels commercially tolerable from a premium spend perspective.

None of these approaches necessarily reflects accurate financial exposure. A £5 million limit may sound substantial in isolation. But for a business generating £50 million in annual revenue and with a large customer or supplier base, several weeks of disruption could consume that amount surprisingly quickly.

Reviewing your cyber limit

To ensure your company’s cyber limit is accurate, it is advisable to take a comprehensive view of the financial consequences of a severe cyber event. When planning with your broker, the following points may need to be reviewed:

  • Lost revenue during outage periods, modelled across multiple time horizons (hours, days, and weeks).
  • The speed and resources needed to restore core systems under operational pressure — not in theory, but in practice.
  • Contingent exposure: what happens if a key technology provider, outsourcer, or logistics partner suffers an outage first?
  • The cost to rebuild confidence, retain customers, and stabilise operations after a public incident.
  • Additional staffing and manual workarounds required to maintain critical functions.
  • Incident response and investigation costs, including forensic investigation, crisis consultants, and breach counsel.
  • System rebuild and restoration — in particular, identification of critical systems and assets and prioritisation of restoration of these.
  • The potential impact of regulatory fines and penalties or claims arising following a cyber event.
  • Contractual liabilities and the company’s position on customer compensation and goodwill gestures.
  • Reputational recovery and retention spend.

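The illustration above (a £5 million limit against £50 million of annual revenue) and the exposure checklist can be combined into a simple limit-adequacy model. The following is an added example written for this page; it is not a Marsh model, and every figure in it (revenue-loss share, response costs, staffing cost, contingent-outage days, the outage horizons) is a constructed assumption. It treats lost revenue as linear in outage days, adds the one-off costs from the checklist, and reports the shortfall against the purchased limit across several time horizons, including a contingent scenario in which a key provider's outage extends the company's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExposureAssumptions:
    """Inputs to a simplified cyber business-interruption exposure model.

    All values are constructed for illustration; a real review would
    take them from the company's own financials and recovery planning.
    """
    annual_revenue: float           # total annual revenue (GBP)
    revenue_loss_fraction: float    # share of revenue lost while core systems are down
    incident_response: float        # forensics, crisis consultants, breach counsel
    system_rebuild: float           # rebuild and restoration of critical systems
    extra_staffing_per_day: float   # manual workarounds and additional staff, per outage day
    reputational_recovery: float    # customer retention and reputational spend
    regulatory_and_contractual: float  # provision for fines, claims and compensation
    contingent_supplier_days: int   # extra outage days if a key provider fails first


def outage_loss(a: ExposureAssumptions, outage_days: float) -> float:
    """Time-dependent losses: lost revenue plus the daily cost of workarounds."""
    daily_revenue = a.annual_revenue / 365
    lost_revenue = daily_revenue * a.revenue_loss_fraction * outage_days
    workaround_cost = a.extra_staffing_per_day * outage_days
    return lost_revenue + workaround_cost


def one_off_costs(a: ExposureAssumptions) -> float:
    """Costs that arise once per incident regardless of outage length."""
    return (a.incident_response + a.system_rebuild
            + a.reputational_recovery + a.regulatory_and_contractual)


def total_exposure(a: ExposureAssumptions, outage_days: float,
                   include_contingent: bool = False) -> float:
    """Estimated economic loss for one outage scenario.

    include_contingent adds the assumed delay caused by a key
    supplier's outage before the company can begin its own recovery.
    """
    days = outage_days + (a.contingent_supplier_days if include_contingent else 0)
    return outage_loss(a, days) + one_off_costs(a)


def shortfall(limit: float, exposure: float) -> float:
    """Portion of the loss the balance sheet funds once the limit is exhausted."""
    return max(0.0, exposure - limit)


def adequacy_report(a: ExposureAssumptions, limit: float,
                    horizons: dict[str, float]) -> dict[str, dict[str, float]]:
    """Exposure and shortfall for each named horizon, with and without
    the contingent supplier delay."""
    report = {}
    for name, days in horizons.items():
        for label, contingent in (("standalone", False), ("contingent", True)):
            exposure = total_exposure(a, days, include_contingent=contingent)
            report[f"{name} ({label})"] = {
                "exposure": exposure,
                "shortfall": shortfall(limit, exposure),
            }
    return report


# Constructed sample: the £50m revenue / £5m limit case from the text,
# with illustrative cost assumptions that are not from the original page.
SAMPLE = ExposureAssumptions(
    annual_revenue=50_000_000,
    revenue_loss_fraction=0.6,
    incident_response=500_000,
    system_rebuild=750_000,
    extra_staffing_per_day=20_000,
    reputational_recovery=400_000,
    regulatory_and_contractual=500_000,
    contingent_supplier_days=7,
)
SAMPLE_LIMIT = 5_000_000
HORIZONS = {"2 days": 2, "2 weeks": 14, "6 weeks": 42}

if __name__ == "__main__":
    for scenario, figures in adequacy_report(SAMPLE, SAMPLE_LIMIT, HORIZONS).items():
        print(f"{scenario:24s} exposure £{figures['exposure']:>13,.0f}"
              f"  shortfall £{figures['shortfall']:>13,.0f}")
```

With these constructed inputs the two-day and two-week scenarios stay within the £5 million limit, but the six-week scenario exceeds it by roughly £1.4 million, and adding a week of contingent supplier delay pushes the uninsured share past £2.1 million. The point of the model is not the numbers but the structure: the time-dependent terms grow with every day of outage, so the horizon chosen for the stress test dominates the answer.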
In many cases, the insured limit is exhausted long before the total economic damage is established. The insurer does not absorb that shortfall — it falls to the organisation’s balance sheet. Ensure your risk transfer strategy reflects the true cost of operational disruption, not just headline breach expenses.

Market conditions remain favourable for buyers

Despite ongoing claims activity, the cost of cyber insurance has fallen materially from its recent peak. Primary cyber pricing is down approximately 42% from 2022 levels, driven by stronger insurer competition, broader capacity, and coverage for well-managed risks.

That decline creates a welcome opportunity for companies to capitalise on market dynamics. Organisations that reduced cover in the past to manage costs may now be able to secure higher limits today for a similar — or, in some cases, lower — premium than in recent renewal cycles. However, the market cycle may not stay favourable for insureds forever: as severe claims continue to develop, pricing and underwriting discipline can tighten again.

Cyber limit is a board-level decision

Cyber insurance is a critical part of a company's cyber defence ecosystem, providing balance sheet protection against one of the fastest-moving risks facing modern organisations. Cybersecurity is a relentless arms race in which it is difficult to stay ahead: defences take time to build, and threat actors evolve faster than organisations can raise them. Insurance plays an important role in minimising the exposure that exists during that lag.

As such, it should not be viewed as a procurement line item or a compliance purchase, but as a strategic decision for the board.

The organisations that will respond best to the next major event are unlikely to be those that simply bought a policy — they will be the ones that understood their exposure, challenged old assumptions, and sized protection accordingly.

The central question is simple: if a major cyber event hit tomorrow, would your company’s current programme absorb a meaningful share of the loss, or would the business be funding most of it itself? In cyber risk, the most expensive mistakes are discovered only after an incident occurs, often because of a lack of preparation and consideration of the insurance limits outlined above.

Marsh cyber specialists will be at the Airmic Annual Conference 2026, 15-17 June, at The ICC, Birmingham, UK. To discuss your cyber risk and insurance strategy, please visit our stand or contact your Marsh representative.

Our people

Serena France-Hayhurst

UK Cyber Placement Leader, Cyber Risk

  • United Kingdom


Shrey Grover

UK Cyber Strategy Leader, Senior Vice President, Marsh

  • United Kingdom

Kaan Yardimci

Cyber Growth Leader

  • United Kingdom
