Skip to main content
Marsh logo

Report

UK Cyber Claims 2025

UK cyber claims 2025 — analysis of rising claims, ransomware and social engineering trends, plus practical incident response recommendations.

Key highlights

  • Cyber continues to persist as a significant threat to UK organisations in today’s digital world. This is demonstrated by the fact that 2025 maintained a high claims volume, consistent with 2024’s elevated levels.
  • Annual data trends indicate an increase in claim metrics in 2025, suggesting a rise in claim frequency or severity of cyber incidents.
  • 2025 presented the highest number of claims notifications to date for Marsh UK clients, totalling 668 notifications (an increase of 8% in comparison to 2024).
  • The third and fourth quarters in 2025 show the highest claims activity, mirroring 2024’s trend of increased incidents in the latter half of the year.
  • 2025’s third-quarter spike is not attributable to a sole incident, such as CrowdStrike in the third quarter of 2024 and MoveIT in the third quarter of 2023. This demonstrates the need for organisations to continue investing in their cyber controls and incident responsiveness, as cyber threats continue to evolve in unpredictable ways. 

UK cyber claims in 2025

Cyber claims among Marsh’s UK clients rose in 2025, driven by a number of different causes — notably a rise in social engineering attacks and digital supply chain flaws that produced endless ripple effects (see Figure 1). The year saw a record 668 claims notifications — an 8% increase on 2024 — with the third and fourth quarters accounting for the most activity, continuing the trend of heightened incidents in the latter half of the year. Unlike prior third-quarter spikes tied to single large incidents (for example, CrowdStrike in the third quarter of 2024 and MoveIT in the third quarter of 2023), the 2025 increase reflected multiple, dispersed events. Even a single cyber attack can wreak havoc across a network of partners and threats and the cyber threat landscape evolve unpredictably. This underscores the need for organisations to keep strengthening cyber security controls and incident-response capabilities.

01 | Total cyber notifications of Marsh UK clients by quarter 2017-2025

Sector vulnerability: Cyber exposure extended beyond data‑centric firms

The media, technology, and communications and financial institutions sectors continued to be among the most exposed to cyber risk in 2025, driven by tightly interconnected IT, computer systems and operational technology environments (see Figure 2). 2025 has underlined the systemic nature of these risks. The supply‑chain compromise of a major car manufacturer highlighted how a single digital flaw can produce wide‑ranging ripple effects across customers, partners and affected systems. Media and tech firms remained particularly susceptible because they rely on complex, multi‑tiered supply chains and numerous third‑party providers, and because they hold large volumes of valuable intellectual property that attract persistent adversaries. At the same time, 2025 also saw a notable uptick in attacks on the retail sector, with high‑profile incidents affecting household names, illustrating that cyber exposure now spans both data‑centric and consumer‑facing businesses.

02 | Cyber notifications by industries in 2025

Nature of cyber incidents in 2025

Ransomware attacks continued to pose a central threat to organisations across all sectors in 2025, with extortion and hostile data breaches remaining the leading causes of loss (see Figure 3). At the same time, AI-enabled intrusions and increasingly sophisticated social engineering attacks grew in both frequency and complexity in 2025, while technology disruptions — such as outages and system failures — persisted as major drivers of claims, emphasising the importance of strong incident response and business continuity planning. Notably, 2025 also saw a sharp rise in non-breach privacy tech errors and omissions claims, driven in part by US privacy statutes such as the Classified Information Procedures Act (CIPA) and by increased litigation tied to track-and-trace devices and other cookie-collecting technologies, underscoring the more litigious environment in the US compared with the UK and the heightened focus on regulatory compliance and data security.

03 | Cause of cyber losses in 2025

Spotlight: Ransomware — exfiltration versus encryption

Extortion remained the predominant cyber threat in our dataset in 2025, so we undertook a focused analysis comparing incidents involving ransomware encryption with those involving data‑theft‑only extortion claims. In 2021, ransomware was deployed in 70% of the extortion claims we recorded. By 2025, that proportion had fallen to 24%.

This shift likely reflects several dynamics: encrypting systems is more time‑consuming, while data theft is quicker and harder to detect. Widespread, improved backup practices have reduced the effectiveness of pure encryption tactics, and can accelerate data recovery. Threat actors increasingly favour data‑theft and cyber extortion because it remains financially attractive. Although payment rates are trending down, organisations still sometimes pay, depending on the nature of the stolen data (e.g. if it’s sensitive information), the nuances of the incident, and potential reputational harm.

AI’s impact on cyber risk

As the generative AI adoption expands across industries, so does the potential cyber threat associated with new types of cyberattacks, such as the use of deep fakes and the growing relevance of real time access controls for critical workflows.

AI-enabled attacks threaten to change the face of the risk landscape, highlighting the importance of ensuring appropriate steps are taken to best manage the risk, such as:

  1. Regularly conducting AI-specific fraud training for all employees.
  2. Sufficiently vetting unusual requests via secure channels of communication.
  3. Mandating the proper verification protocols for all high-risk requests, irrespective of source or seniority.
  4. Ensuring a sufficient incident response plan is in place and escalations considered, should an impersonation attempt take place.

Claims and incident management

A cyber event and the resulting claims can seriously damage an organisation’s reputation, finances, and operations, so a swift, coordinated response is essential. That means rapidly mobilising internal teams, engaging specialist advisers, and managing cyber liability insurance matters promptly to protect both your reputation and your financial position.

Organisations require end-to-end support throughout the claims process and incident lifecycle. Marsh’s claims and incident management services offer a comprehensive range of solutions and advanced tools to help clients prepare for, respond to, and recover from cyber incidents more effectively. This service can also help clarify how existing policies may respond, including third party coverage, and the scope of potential compensation, resources, and public relations support following a cyber breach.

Claims & incident management

How you respond makes all the difference

Calendar month

Prepare

Creating and testing IR plans reduces losses by $1.49 M on Average — (IBM Cost of a Data Breach Report 2023).
  • CIM onboarding*
  • Review* and Develop Incident response plans
  • Incident response vendor selection*
Document feed

Test

Well-practiced teams know their roles, responding quickly and effectively.

  • Tabletop Exercises & Crisis Simulations
Placeholder Image

Respond

A coordinated, holistic effort is vital for effective incident response.

  • Active Incident Response (AIR) support*
  • Secure incident response platform (Marsh Central) powered by CGNVS
  • Cyber Network Directory
arrow

Recover

Expert support ensures proactive management of cyber claims complexity, maximizing insurance claims recovery.

  • Claims Advocacy*
  • Forensics Accounting
Grid with pivot chart

Enhance

Convert learnings and challenges into opportunities for growth.

  • Enhanced Claims Feedback*
  • Resilience Roadmap Development

Best practice steps for day one of a cyber incident

Cyber incident response guide

  • Establish what happened and the nature of the incident.
  • Determine when the incident occurred and when it was discovered.
  • Find out which systems and devices have been affected.
  • Determine what kind of data has potentially been impacted.

  • The Marsh Cyber Incident Management (CIM) team will provide you with initial guidance and support.
  • Your Marsh broker will obtain a copy of your insurance policy.
  • A Marsh claims advocate will be assigned to your case.

  • Use your insurer’s 24/7 monitored email and hotline to report the incident; this alerts your insurer that you are likely going to need covered services. The Marsh CIM team can assist you with this.
  • Most cyber insurance policies cover certain incident response services, which often require prior consent. Many insurers have panel vendor requirements, so it’s important to check this before appointing third parties to assist with your crisis response.
  • Marsh will typically follow up with an official notification to your insurer/excess insurer in accordance with policy terms as well as review panel vendor requirements in your policy. Your Marsh claims advocate will facilitate an internal call with your insurer.

  • If you suspect your systems have been compromised, consider keeping communications outside of your organisation’s network, either through an out-of-band communication platform like Marsh Central, phone or through a contingency email platform that is not connected to your network.
  • Do not send copies of your cyber insurance policy via your organisation’s email system when communicating internally or externally.

Some policies allow you to choose your external vendors, but many require you to seek prior consent from your insurer or choose an expert from the insurer’s vendor panel. Your should communicate the appointment of vendors to your insurer as soon as possible and keep your insurer updated with statements of work as they are produced. Marsh can assist you with selecting from and activating the support of your insurer’s vendor panel or help you identify appropriate vendors from Marsh’s network.

  • Private Privacy counsel / breach coach*
    • Retain experienced privacy lawyers to guide the investigation, provide legal advice on regulatory notifications and ransom payments, and maximize potential legal privilege.
  • Digital forensics and incident response (DFIR) vendors*
    • External technical DFIR expertise may be necessary to support your IT team’s internal investigation.
    • It can be beneficial for the DFIR firm to be retained by the outside law firm in order to maximize potential privilege.
  • Other incident response vendors
    • Depending on the specific incident, you may need the services of other categories of incident response vendors, for example, crisis communications support or notification and call centre vendors in the event of a data breach requiring you to notify affected individuals.
Folders

1. Gather the facts

  • Establish what happened and the nature of the incident.
  • Determine when the incident occurred and when it was discovered.
  • Find out which systems and devices have been affected.
  • Determine what kind of data has potentially been impacted.
Envelope

2. Contact Marsh immediately, even if you don’t yet know all of the facts

  • The Marsh Cyber Incident Management (CIM) team will provide you with initial guidance and support.
  • Your Marsh broker will obtain a copy of your insurance policy.
  • A Marsh claims advocate will be assigned to your case.
Telephone

3. Contact your cyber insurer immediately, while you’re still gathering facts

  • Use your insurer’s 24/7 monitored email and hotline to report the incident; this alerts your insurer that you are likely going to need covered services. The Marsh CIM team can assist you with this.
  • Most cyber insurance policies cover certain incident response services, which often require prior consent. Many insurers have panel vendor requirements, so it’s important to check this before appointing third parties to assist with your crisis response.
  • Marsh will typically follow up with an official notification to your insurer/excess insurer in accordance with policy terms as well as review panel vendor requirements in your policy. Your Marsh claims advocate will facilitate an internal call with your insurer.
Placeholder Image

4. Be mindful of electronic communication

  • If you suspect your systems have been compromised, consider keeping communications outside of your organization’s network, either by phone or through a contingency email platform that is not connected to your network.
  • Do not send copies of your cyber insurance policy via your organization’s email system when communicating internally or externally.
People select blue

5. Reach out to the necessary external expertise

Some policies allow you to choose your external vendors, but many require you to seek prior consent from your insurer or choose an expert from the insurer’s vendor panel. Your should communicate the appointment of vendors to your insurer as soon as possible and keep your insurer updated with statements of work as they are produced. Marsh can assist you with selecting from and activating the support of your insurer’s vendor panel or help you identify appropriate vendors from Marsh’s network.

  • Private counsel / breach coach*
    • Retain experienced privacy lawyers in order to guide the investigation, provide legal advice on regulatory notifications and ransom payments, and maximize potential legal privilege.
  • Digital forensics and incident response (DFIR) vendors*
    • External technical DFIR expertise may be necessary to support your IT team’s internal investigation.
    • It can be beneficial for the DFIR firm to be retained by the outside law firm in order to maximize potential privilege.
  • Other incident response vendors
    • Depending on the specific incident, you may need the services of other categories of incident response vendors, for example, crisis communications support or notification and call centre vendors in the event of a data breach requiring you to notify affected individuals.

Marsh will support you throughout the cyber incident response and claims process.

  • The Marsh CIM team will continue to provide support and guidance as your cyber incident response progresses.
  • Your claims advocate will ensure that your claim has been formally notified to the market and will:
    • Facilitate ongoing communication with your insurer(s) and its assigned claims adjuster or monitoring counsel.
    • Review whether any other policies may apply to the incident.
    • Confirm the extent of the coverage available, advise on insurer requirements, and assist with obtaining any necessary insurer approvals.

Why Marsh?

Marsh is committed to helping organisations prepare for, respond to, and recover from cyber incidents.

Placeholder Image

1. Prepare: Build resilience

Our team can help you review and develop tailored incident response plans, ensuring your organisation is ready to respond quickly and effectively to any cyber threat. We also assist in selecting the right incident response vendors to bolster your preparedness.

Document feed

2. Test: Strengthen your response

Marsh offers tabletop exercises and crisis simulations to ensure your team knows their roles and can respond cohesively during a cyber incident. This proactive approach enhances your organisation’s readiness and resilience against ransomware attacks.

Placeholder Image

3. Respond: Coordinated incident management

Our Active Incident Response (AIR) support provides you with expert guidance and resources to manage the incident effectively. We also offer access to our secure incident response platform (Marsh CIM Tool), powered by CGNVS, to streamline your response efforts.

Clock with backward arrow

4. Recover: Maximise claims recovery

Our expert support ensures you can proactively manage the claims process, maximising your insurance recovery. We provide forensic accounting and claims advocacy to help you understand and optimise your claims.

Grid

5. Enhance: Turn challenges into opportunities

Our resilience roadmap development and enhanced claims feedback services help you identify areas for improvement, ensuring your organisation is better prepared for future challenges.

Contacts

For more information on Marsh Specialty’s cyber insurance solutions, and how we can support you in your journey to cyber resilience, please contact your local Marsh representative or visit marsh.com.

Holly Waszak

Holly Waszak

Head of Cyber Claims, UK Cyber, Media & Technology Practice, Specialty UK

  • United Kingdom

Helen Nuttall

Helen Nuttall

Managing Director, UK Cyber Incident Management Leader, Marsh Specialty

  • United Kingdom

Alasdair Paterson

Alasdair Paterson

Cyber Incident Management Specialist - Cyber, Media & Technology Practice, Specialty UK

  • United Kingdom

Suleyman Salih

Suleyman Salih

Cyber Claims Advocate Cyber, Media & Technology Practice, Specialty UK

  • United Kingdom

Harriet Brain

Harriet Brain

Senior Cyber Claims Advocate - Cyber, Media & Technology Practice, Specialty UK

  • United Kingdom

Related insights

Cyber tech outage

Report

The quiet crisis in cyber insurance

04/06/2026
Group of people in meeting at modern office

Podcast

Using AI to enhance benefits insights: The science behind personalisation

29/05/2026
Rows of data storage units are present in a large facility at night. The lights from the units create a blue glow, showing the technology in use. The setting highlights the scale of storage.

Article

Service level agreement parametric insurance for data centres

28/05/2026
Closeup of Lady of Justice statue in front a bookcase in an office.

Article

King’s Speech: What UK Cyber Laws Mean For Organisations

20/05/2026
View more