Cyber specialist and RPC partner talks cyber insurance, ransomware and how insurers are changing their strategies to get the most from the market

Insurer strategies in the cyber market may be maturing, but the growing number of threat vectors from cyber criminals could highlight the line’s lack of penetration as developments such as “ransomware-as-a-service” threaten to lower the barrier to entry for attackers.

This is according to Richard Breavington, partner at law firm RPC and specialist in data breach response, cyber insurance and technology errors and omissions insurance.

Speaking exclusively to Insurance Times, Breavington explains that insurers have been steadily refining their processes, hoping to provide certainty in a dynamic sector.

He explains: “When I first became involved in the cyber insurance market eight or nine years ago, there wasn’t an awful lot of underwriting rigour compared to the situation now.

“Now there’s a focus on basic cyber security measures. Making sure that insureds have decent patching policies, multi-factor authentication (MFA) where they can, proper backups that are segregated across their systems. [Insurers] cover that off at the underwriting stage relatively easily.”

Breavington added that insurers’ approach to systemic risk had also become more developed, especially in the ransomware space, owing to the potential impacts of this sort of peril.

He explains: “There are two main areas [of systemic risk]. One is that you could have a vulnerability that gives rise to lots of ransomware at the same time. The other is the supply chain effect – you have one organisation that suffers ransomware and there is a knock-on impact.

“[Insurers] are aware of it, and they’re doing a lot of modelling around it. We’ve worked with some insurers that will do some basic questioning around people’s supply chain, not so much to judge the risk, but so they can get a sense of where their book of business is potentially exposed.”

Cyber risk gap

Despite the progress insurers feel they have made, overall penetration of the cyber market remains low.

In fact, some estimates put the cyber risk protection gap – the difference between insured and economic losses – at a daunting £700bn, or 99% of economic losses.

Breavington explains: “It’s quite a young market, but you’d have expected the penetration to grow more steeply than it has.

“For some corporates, they would take the risk – they’d effectively rather insure themselves. And there are other ways you can effectively pass on some of this risk without insurance, the best example [of which] would be to have retainer options with [cyber] security firms.”

He continues: “It’s the classic example – what’s more important? Cyber or property insurance? Everyone has property insurance. If your office burned down that would be a first party loss and you’d have to find other offices, but a lot of businesses could probably carry on.

“But with cyber that’s not always the case, so [cyber insurance] can be crucial. Certainly, we see people who don’t have it and if they don’t have the money to cover off what they need, we’ve seen businesses go under.”

Ransomware ban

It is not only insurers that are trying to lay the groundwork for a stronger cyber foundation. On 8 April 2025, the UK government completed a public consultation on plans to reduce payments to cyber criminals and increase incident reporting.

Breavington elaborates: “There were three proposals that came out from the government. One is a ban on [ransomware payments] on critical national infrastructure or government entities.

“The second is a ‘ransomware payment prevention regime’. The idea is if you want to pay a ransom, you’ve got to tell a government entity beforehand and get their approval. The third proposal is more reporting.”

The proposals are not without their opponents. Insurance Times understands, via reports, that many business leaders fear that the payment friction intended to reduce payouts is more likely to hurt firms by increasing business interruptions than it is to deter criminals.

Value for money

One path to higher cyber insurance proliferation, Breavington explains, is more clearly demonstrating the value for money of the products on offer.

He says: “One thing that insurers and brokers are trying to do as a result of the softening market is think about how they can involve add-on services that give you something up front for your money.

“So that might be preparatory work, tabletop exercises, working with breach response policies – even some technical services.

“And part of the reason for that is it increases security, increases good hygiene, probably makes the risk better. Another [reason] is that sort of intangible feeling that you’re getting something immediate for your money – and that’s making things more attractive.”
