In its 2026 manifesto, Biba proposed a UK cyber backstop to meet the risk of increasingly severe attacks and low cyber insurance penetration. But is this partnership feasible and could it effectively mitigate extreme systemic cyber risk?
WE ASKED: “How beneficial would a cyber-centric public-private partnership be for UK general insurance (UKGI) and its end clients?”
Shaune Worrall, deputy head of general insurance, Biba
Biba recently submitted views to Parliament on this issue, as the cyber security and resilience bill reached its committee stage.
One of those views considers a backstop for extreme systemic cyber events. While a strong private insurance market is the key for day-to-day protection, a government backed pool covering the most extreme events, with very clear triggers, could be a solution where losses are too large for the private market alone.
The overall size of market adoption for standalone cyber insurance and low take-up among SMEs means cyber systemic risk might not be forefront of the insurance industry’s priorities.
Nonetheless, what will be needed to underpin growth and confidence in a maturing cyber insurance market is the means to cover a large systemic incident. With new covid business interruption cases still reaching the courts in 2026, we know what happens if these certainties aren’t in place.
With new ‘customer business interruption’ cyber policy extensions giving suppliers cover if their own key customers are attacked, one wonders if this will hasten the need for systemic cyber solutions.
The Cyber Monitoring Centre has a wise view, shared by Biba, on what needs to happen next – the “government should seek to begin clarifying thresholds for future intervention, definitions of critical economic sectors and related parameters”.
Tom Draper, managing director, Coalition
The current private market already covers cyber incidents to an extent. It has reacted to demand but has chosen not to cover certain risks, such as physical damage hitting critical national infrastructure – that’s not an appetite the market has.
When it comes to backstops, that is a very different proposition because that is essentially the insurance market being unable to accept systemic risk of major concern.
There are a couple of real challenges with that. One of which is that, in the UK, most of the premium that flows in for cyber is not UK premium.
Therefore, a challenge with Cyber Re existing is that the UK exposure is quite small, because most of the exposure is in US-centric policies, as it is Lloyd’s underwriters writing US deals.
Meanwhile, there is not a market gap in the need for insurance or reinsurance – syndicates and insurers can already go out and happily purchase cyber reinsurance.
Where there is a concern is areas with geopolitical risk, the government itself acts as a financial backstop anyway.
Read: In Focus – Could cyber-centric broker schemes boost commercial cyber insurance penetration?
Read: Attacking opportunity – Can the cyber insurance market deliver in 2026?
Explore more cyber related content here, or discover other news analysis stories here
Finally, it also comes down to cyber insurance being made mandatory. As there is not an appetite to impose cost on business, we wouldn’t expect to see anything close to that.
Simon Hughes, chief commercial officer, Cowbell Cyber
A cyber-centric public-private partnership is a logical evolution for a market that demands stability over volatility.
Currently, the threat of systemic cyber events looms large, creating hesitation where the UK economy needs confidence.
A public-private partnership could act as a vital backstop – much like Pool Re provides for terrorism risk – ensuring the capital certainty insurers need to maintain capacity, even when unpredictable and high impact black swan scenarios threaten the market.
For UKGI and its end clients, the benefit of such a partnership is consistency.
A government-backed framework could remove the fear of sudden capacity withdrawals, ensuring that protection remains available and affordable.
This model would allow the private sector to focus on what it does best – using data to assess and mitigate risk – while the public element of the relationship manages the catastrophic tail risk.
This is not just about financial indemnification – it is about signalling to British businesses that the insurance sector is robust and supported by a sound approach to risk management, which will transform a complex landscape into one where businesses can operate with genuine confidence.
Arabella Ramage, legal and regulatory director, Lloyd’s Market Association
Why there is a cyber gap with SMEs failing to purchase coverage has been debated at length between insurers, government and regulators. Cyber cover should now be just as important for firms as their traditional property and liability policies.
The Lloyd’s market is a world leader in providing cyber insurance but despite innovation and reportedly plenty of capacity available, there remains a low rate of take up amongst SMEs.
It is generally agreed that there are various causes including lack of understanding of the risk and the insurance solution and lack of data and affordability. Suitability is not an issue as complaints about the product are very low.
An informal public private partnership addressing education, demand and data should close the affordability gap.
However, a formal public-private partnership like Flood Re or Pool Re at this relatively early stage of development is likely to impact pricing the product and distort the open market.
It may also reduce incentives for SMEs to mitigate cyber risks and discourage new insurers from coming into the market with innovative products.
We do believe that government and insurers should remain open to considering a formal public-private partnership solution in the future if the affordability gap is not closed to ensure SMEs have adequate protection.
William Gow, chair of cyber and technology special interest group, Chartered Institute of Loss Adjusters
Cyber risk can be systemic, is fast-evolving and increasingly difficult for insurers to model.
As seen in other catastrophe risks, the private market struggles when threats become both high-severity and correlated. It has become a defining threat to markets and national resilience.
There is high volatility, it is globally connected and impacts multiple sectors. A public-private partnership framework may encourage long-term risk appetite and provide insurers with greater certainty when offering cover.
This could provide a dependable backstop that allows capacity to grow and pricing to stabilise. It would support long-term underwriting strategies instead of the reactive cycles driven by large-scale cyber events. Also, enabling more tailored and adaptive cover for businesses.
This could translate into more accessible and consistent cyber insurance, particularly for SMEs, where there can be challenges around affordability and cover level.
A public-supported reinsurance layer could unlock wider availability, broader terms and a smoother experience for insureds during significant cyber incidents.
This partnership would strengthen resilience by integrating government, industry, and economic efforts under a coordinated framework.
It could enhance incident response, promote better cyber hygiene, and increase stability, clarity, and collaboration. While not solving market challenges, it would boost cyber risk insurability and confidence for UK businesses amidst rising digital threats.
Consequently, this is an approach the Chartered Institute of Loss Adjusters (Cila) supports and will be discussing further.
With a range of freelance experience, Harriet has contributed to regional news coverage in London and Sheffield, as well as music and entertainment reporting across various publications.View full Profile
No comments yet