Record cyber attacks in 2025 exposed entrenched supply‑chain vulnerabilities and caused widespread disruption to UK businesses, yet cyber insurance penetration remains low – what opportunities does the market see to protect businesses going forward?

For anyone reflecting on the prevailing insurance topics of 2025, it would be shocking if cyber did not come to mind.

High‑profile attacks on UK companies last year, notoriously Marks and Spencer, the Co‑op and Jaguar Land Rover (JLR), left shelves emptied and fewer new cars in dealerships.

But, most notably, the attacks exposed the potential domino effect of these incidents on intricately woven supply chains.

For example, the Cyber Monitoring Centre estimated that the JLR cyber incident disrupted more than 5,000 UK organisations.

In turn, the National Cyber Security Centre’s annual review, published 14 October 2025, revealed that the UK experienced a record 204 nationally significant cyber attacks in the year to August 2025 – an astonishing 129% growth from 89 incidents the previous year.

Despite the rising threat, Broker Insights revealed that standalone cyber insurance policies, as opposed to those bundled into other coverage, had just 2.8% penetration with UK businesses.

With levels of dedicated cover remaining stubbornly low exactly as new cyber risks emerge, it must be questioned whether the effectiveness of cyber insurance is actually trusted to protect organisations from these incidents.

Speaking to Insurance Times, Philippe Cotelle, president at the Federation of European Risk Management Associations (Ferma), said that persistent concerns around cyber insurance can limit its perceived effectiveness.

Cotelle explained that European risk managers continue to highlight challenges around coverage gaps between traditional and cyber policies.

He also noted that low penetration rates among SMEs further reduce its impact.

“A comprehensive cyber exposure analysis is essential to determine where insurance fits alongside other mitigation measures,” he said.

“Reviewing all existing policies, both cyber-specific and traditional, helps identify overlaps and gaps and ensures insurance addresses the right financial exposures without duplication.”

If the market wants to be an effective measure to protect businesses from cyber risk, he explained, firms must align with risk management strategies through broker collaboration.

Barriers to growth

Echoing these concerns, Tom Draper, managing director at Coalition, said that the “real challenge” is connecting anticipated cyber risk with the insurance product.

As the cyber class is typically viewed as technical and outsourced, he explained that many broker discussions with potential clients fail because of a lack of communication with the right stakeholders.

He said: “Where we do see a noticeable change in engagement is when we onboard a potential policyholder onto our risk management platform and they talk to our security teams, [which leads to] a far higher uptick in purchase.” 

Despite this, he admitted that security teams still struggle to prove return on investment while “all budgets are under pressure”, which makes cyber spend difficult to justify until, or after, an incident occurs.

He added that, for SMEs under 250 employees, this is a significant issue as “many of them don’t have full-time insurance management” and navigating cyber exposure “becomes one of their many responsibilities”.

Supply chain risk from cyber attacks and low penetration of this cover among SMEs was a centrepiece of Biba’s 2026 Manifesto.

Giving brokers the tools and education to be able to sell cyber insurance effectively to SMEs was key to the trade body’s strategy, according to Biba chief executive Graeme Trudgill.

In a pre-launch briefing for the latest manifesto, Trudgill told Insurance Times that Biba intends to train members, offer products with partners and, if supported by government, create an accredited cyber insurance broker directory to help businesses access specialist cover.

He added: “It’s one of our missions to promote a standalone policy that’s more tailored to the individual, which is part of the idea behind the directory.”

Having recently introduced new wording in the UK, Simon Hughes, chief commercial officer at Cowbell, was optimistic about the impact of tailoring standalone policies to the current market.

Hughes told Insurance Times that it is important to ensure businesses know that investing in security is simply not enough to protect them.

He said: “One of the biggest barriers to penetration is businesses, especially small businesses, not knowing the benefit of a cyber insurance policy and how broad it is, let alone the insurance side and the proactive services that the market can offer.”

How can the market adapt?

The Ferma Global Risk Manager Survey 2024 revealed that 53% of respondents fear some critical business activities may become uninsurable.

Cyber attacks, digitalisation risks and technological threats were reported as the areas perceived as most at risk of coverage withdrawal, Cotelle explained.

“In this context, systemic cyber risk is a key concern,” he continued.

“Increasing concentration among major software, cloud and IT service providers, further accelerated by AI, creates single points of failure with economy-wide impact. Addressing this systemic risk is essential to unlocking sufficient cyber insurance capacity and to ensuring SMEs, which are highly dependent on these digital infrastructures, remain adequately protected.”

For Nate Brink, head of broker partnerships at CyberCube, identifying weaknesses in cybersecurity using data and analytics before an attack is essential.

The success of this approach, Brink explained, has been clear in the middle market, where CyberCube’s risk analytics have helped brokers quantify exposure so they can provide better education for those buyers.

He said: “In the broker space, distribution platforms, often referred to as a quote bind issue technology, are becoming incredibly important because that is where the generalist at an insurance broker is talking to an SME insurance buyer.

“We need to get the data and analytics for them, so that they can have that information at their fingertips.”

In 2026, Brink added that he had observed brokers “beginning to scale that same type of education to the small and medium business segment”.

Opportunities

So, is this a wake-up call for the market?

According to GlobalData, the global cyber insurance market grew $22.2bn (£16.3bn) in 2025 and is estimated to reach $35.4bn (£25.9bn) by 2030.

Ed Ventham, head of broking at Assured Insurance, said that he saw the market as a “massively growing space”.

He noted that there were “more first time buyers of cyber insurance than ever before”.

He told Insurance Times that the cyber risk broker gained 40 clients, of which 43% were first-time buyers.

Demand has grown across industries including utilities, retail, manufacturing and construction, he explained, with “huge momentum among the larger corporates” despite many businesses over the £350m level not previously buying.

Seeing a similar picture, Brink noted that “it’s becoming a first time buyer’s market” because of the stabilising rates and softer market.

He added that most of CyberCube’s brokers have communicated that they want to “double the global penetration rate” of 5% or less within the next three years.

In a sector ripe with opportunities, the question is whether 2026 will see the market seize the growth that cyber insurance could offer.

As Cotelle said, cyber insurance can only be of use to manage risk if it “enables informed risk-taking, rather than retreating from complexity”.
