UK Cyber Insurance Payouts Surge 234% as Global Market Faces Unprecedented Challenges
Executive Summary
The UK cyber insurance landscape experienced a dramatic transformation in 2024, with payouts skyrocketing from £59 million to £197 million—a staggering 234% increase that signals both the growing sophistication of cyber threats and critical gaps in organizational preparedness. This surge occurred before several of 2025's most devastating attacks, including the £1.9 billion Jaguar Land Rover breach, suggesting that the true scale of the crisis is yet to be fully reflected in industry data.
The UK Crisis: By the Numbers
The Association of British Insurers (ABI) released data showing that ransomware and malware infections drove 51% of all cyber insurance claims in 2024, up dramatically from just 32% in 2023. This represents not merely an incremental increase in attacks, but a fundamental shift in the threat landscape where sophisticated ransomware groups have industrialized their operations and systematically targeted British enterprises.
The £197 million in payouts covers only 2024 incidents, predating three of the most significant breaches in UK history: the Marks & Spencer, Co-op, and Jaguar Land Rover attacks of 2025.
Case Study: Marks & Spencer - When Insurance Isn't Enough
Marks & Spencer's April 2025 cyberattack stands as a cautionary tale of inadequate coverage. Despite holding cyber insurance, the retailer's losses vastly exceeded policy limits. The company incurred total costs of £101.6 million, with £82.7 million arising from incident response and recovery, and £18.9 million from third-party costs. While M&S successfully claimed the maximum £100 million from its cyber insurance policy, the attack still decimated the company's statutory pre-tax profits, which plummeted from £391.9 million to just £3.4 million in six months.
Joanna Grant, managing partner at Fenchurch Law, captured the fundamental problem: "The losses were far in excess of the policy limits. Boards have been tending to underestimate both how long it can take to get things up and running again, and also what the scale of the losses can be."
The Jaguar Land Rover Disaster: £1.9 Billion Without Coverage
The Jaguar Land Rover incident represents the most financially devastating cyber event in UK history, with estimated total damages of between £1.6 billion and £2.1 billion. What makes this case particularly alarming is that JLR reportedly failed to finalize a cyber insurance deal with broker Lockton before the September 2025 attack occurred.
According to three senior cyber insurance market sources, the automaker was still in negotiations when the attack struck, leaving the company completely exposed. The attack forced JLR to halt production at all three UK factories for weeks, with losses estimated at £50 million per week in lost production alone.
The systemic impact was extraordinary. FCA Chief Executive Nikhil Rathi noted that "the JLR cyber incident showed how one shock ripples through the economy – an estimated £1 in every £160 of UK GDP tied to one firm and its supply chain." The UK government was ultimately forced to intervene with a landmark support package to help the automaker and its 104,000 supply chain workers financially recover.
Co-op: The Partial Coverage Problem
The Co-op's April 2025 attack revealed another critical vulnerability in cyber insurance strategies. While the company held some cyber coverage, it was limited in scope. CFO Rachel Izzard explained: "We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties, but we don't believe we will be claiming on insurance for back-end losses."
This "partial coverage" approach left the organization financially exposed to the most costly elements of cyber incidents—business interruption and long-term recovery costs.
The Scattered Lapsus$ Hunters: A New Breed of Threat
All three major UK incidents were tentatively linked to a cybercriminal collective known as "Scattered Lapsus$ Hunters"—apparently a collaboration between multiple groups including Scattered Spider, which has revolutionized ransomware tactics.
Scattered Spider represents a paradigm shift in cybercriminal operations. Unlike traditional ransomware groups that encrypt and wait, these adversaries engage in real-time combat with incident response teams. When security teams close doors, attackers pry them back open. They actively sabotage eviction attempts and demonstrate sophisticated understanding of enterprise security architectures.
NCC Group analysts note that Scattered Spider's alliances with ransomware-as-a-service gangs act as a force multiplier for both the scope and frequency of attacks. The group uses compromised credentials as its primary attack vector, often moving from initial account takeover to full ransomware deployment in as little as 24 hours.
Global Market Dynamics: A Tale of Two Trajectories
While UK payouts surged, the global cyber insurance market tells a more complex story. The market reached $15.3 billion in 2024 and is projected to hit $16.3 billion in 2025, according to Munich Re. However, this growth masks significant regional variations and evolving risk patterns.
The Paradox of Declining Premiums and Rising Claims
Aon's 2025 Global Cyber Risk Report reveals a counterintuitive market dynamic: cyber insurance premiums decreased by an average of 7% in Q1 2025, even as claim frequency increased. Buyers achieved these reductions primarily through ample market capacity, new entrants, and aggressive renewal terms from incumbent insurers.
This "soft market" persists despite elevated ransomware activity because average payment amounts declined 77% year-over-year in 2024. The paradox—rising claims but declining payments—reflects improved cybersecurity controls among insured organizations and better incident response capabilities.
The Mid-Market Vulnerability
Aon's research identified a critical exposure point: mid-sized firms with annual revenue between $100 million and $2 billion accounted for 52% of all reported cyber claims in 2024. These organizations often lack formal cyber readiness plans and adequate insurance coverage, making them attractive targets for ransomware groups pivoting from well-defended large enterprises.
Allianz Commercial's analysis confirms this trend. Michael Daum, Global Head of Cyber Claims, explains: "The sweet spot for attackers is a company with large revenues, lots of personal records and that is easy to penetrate. But these targets are becoming harder to find, so they are moving down the chain where companies are less well protected."
Ransomware: The Persistent Threat
Ransomware remains the dominant driver of cyber insurance losses globally, accounting for roughly 60% of large claims (over €1 million) in the first half of 2025, according to Allianz Commercial. However, the nature of ransomware attacks has fundamentally evolved.
The Shift to Double Extortion
Attackers have increasingly shifted from pure encryption to "double extortion" tactics that prioritize data theft. This method is faster, easier for attackers, and significantly increases the likelihood of ransom payment. Allianz data shows that 40% of large cyber claims in the first half of 2025 included data theft, up from 25% in all of 2024. Claims involving data exfiltration were more than double the value of those without data theft.
Record-Breaking Ransom Payments
Munich Re documented several extraordinary ransom demands in 2024-2025:
- Dark Angels: A Fortune 50 company reportedly paid a record $75 million ransom
- BlackSuit vs CDK Global: Demanded ~$25 million, causing approximately $1 billion in collective losses across thousands of car dealerships
- ALPHV vs Change Healthcare: $22 million ransom payment, with total impact estimated at $2.4 billion for UnitedHealth Group
- ShinyHunters vs AT&T: $370,000 paid in cryptocurrency for millions of stolen customer call records
The average ransom demand reached $600,000 in 2024, with ransomware-as-a-service (RaaS) platforms lowering the barrier to entry for cybercriminals and industrializing extortion.
Industry-Specific Vulnerabilities
Munich Re's claims data reveals significant variation in ransomware losses by industry sector:
- Manufacturing: 33% of large claims by value (2020-2025)
- Professional Services: 18% of large claims
- Retail: 9% of large claims, but showing dramatic recent increase
The retail sector's vulnerability stems from high transaction volumes, extensive personal data holdings, and susceptibility to business interruption. Retailers entered the top three most impacted industries in Allianz's analysis for the first half of 2025, representing a significant shift in attacker targeting.
Healthcare remains uniquely vulnerable due to the sensitive nature of data, regulatory requirements, and life-critical operational dependencies. The sector continues to face both the highest claim costs and the most severe operational disruptions from cyber incidents.
The Insurer Strikes Back: Subrogation Lawsuits
A troubling trend emerged in 2025: cyber insurers increasingly pursuing subrogation lawsuits against cybersecurity vendors and managed service providers whose failures contributed to successful attacks. This shift represents a new battlefield where insurers become adversaries to the very vendors meant to protect their policyholders.
The ACE v. Congruity & Trustwave Precedent
In September 2025, ACE American Insurance Company (a Chubb subsidiary) filed a groundbreaking lawsuit seeking to recover $500,000 paid to CoWorx Staffing Services following an April 2024 ransomware attack. The insurer sued two vendors—Congruity 360 and Trustwave Holdings—alleging:
- Architectural failures in network segmentation
- Negligent security event monitoring
- Misclassification of critical alerts
- Breach of contract for adequate monitoring services
- Failure to provide timely notification that could have limited damages
What makes this case particularly significant is the standing advantage insurers possess. While individual employees whose data was compromised face nearly insurmountable hurdles establishing standing for lawsuits, ACE as the insurer suffered concrete financial harm through its $500,000 payout, giving it clear legal standing to pursue recovery.
Implications for the Security Services Industry
Industry experts note several common scenarios where insurers now pursue subrogation:
- IT vendors making configuration errors during security implementations
- MSSPs failing to maintain contractually required security controls
- Vendors neglecting to implement required measures like multi-factor authentication
- Incident response failures with inadequate notification or remediation
Insurers are now scrutinizing policyholders' vendor contracts during underwriting, with companies showing weak or vague vendor agreements facing higher premiums or coverage limitations. This represents a fundamental shift in how cyber insurance operates, placing unprecedented accountability on the security services industry.
The Claim Denial Crisis: When Coverage Fails
Despite growing cyber insurance adoption, a disturbing pattern of claim denials reveals critical gaps between perceived and actual coverage.
Common Denial Scenarios
Analysis of recent cases identifies frequent denial reasons:
1. Security Control Requirements
The City of Hamilton, Ontario learned a costly lesson when insurers denied their claim because they lacked multi-factor authentication—despite the insurer recommending its implementation back in 2022. The policy explicitly excluded coverage where absence of MFA was the root cause. Ward 9 Councillor Brad Clark captured the frustration: "How does council find out it wasn't done if staff doesn't share it with us? I find it immensely frustrating there has been zero accountability on this."
2. War Exclusion Clauses
Merck faced a $1.4 billion claim denial after the 2017 NotPetya attack, with insurers arguing the incident constituted an "act of war" because it was attributed to Russian military intelligence. After years of litigation, New Jersey courts ruled in Merck's favor, finding that the war exclusion didn't apply to cyberattacks on non-military targets. The case settled in 2024, establishing important precedents but only after extensive legal battles.
3. Policy Complexity and Misunderstanding
The Heritage Company, an Arkansas nonprofit, discovered their cyber insurance didn't cover what they believed it did when a 2019 ransomware attack forced them to lay off 300 employees. Despite purchasing what they thought was comprehensive coverage, Corvus Insurance completely denied the claim. The case illustrates how policy language can be so complex that even sophisticated buyers cannot understand actual coverage.
Regional Variations and Emerging Markets
While the UK and North America dominate cyber insurance markets, significant regional variations are emerging:
European Union Regulatory Impact
The EU's NIS2 Directive and Digital Operational Resilience Act (DORA) are imposing stringent new requirements for cybersecurity, incident reporting, and supply chain risk management. Organizations operating in EU markets face mandatory cyber maturity standards that directly impact insurance eligibility and pricing.
The EU Cyber Resilience Act, which entered into force in December 2024, creates a paradigm shift for digital products. Manufacturers must implement vulnerability management and incident reporting throughout product lifecycles, with reporting obligations for actively exploited vulnerabilities beginning September 11, 2026.
The Underinsurance Crisis
FCA Chief Executive Nikhil Rathi warned of "massive underinsurance" following the JLR incident. "Globally, a fraction of catastrophe and cyber risks are insured," he noted. "The rest migrate to company P&Ls, credit ratings, risk premia, prices and ultimately to households. When cover is thin, it hits the Exchequer."
The cyber insurance market penetration remains relatively low despite the $16.3 billion global market size. Jarrod Schlesinger, Global Head of Financial Lines and Cyber at Allianz Commercial, emphasizes: "Many companies remain unaware of the breadth of coverage offered, which can include costs associated with breach response, business interruption, and regulatory fines and penalties."
The Resilience Gap: Insured vs. Uninsured
Allianz Commercial's analysis of claims and risk trends reveals a clear and widening gap in cyber resilience between insured and uninsured organizations. Insured entities benefit from:
- Heightened risk awareness through underwriting processes
- Mandated security controls as policy requirements
- Access to expert incident response services
- Risk prevention services and threat intelligence
- Financial resources for rapid recovery
In the first half of 2025, insured organizations demonstrated remarkable resilience. Overall claims severity declined by more than 50%, and large loss frequency (claims over €1 million) decreased by approximately 30%. This improvement reflects cumulative investments in cybersecurity, detection, and response capabilities.
However, uninsured organizations face exponentially worse outcomes. The cost difference between an attack detected and contained early versus one progressing to data theft and encryption can be 1,000 times higher, according to Allianz's claims analysis.
The Role of Third Parties and Supply Chain Risk
The JLR incident highlighted the critical vulnerability of supply chain dependencies. The attack's impact cascaded through a network of 104,000 supply chain jobs, demonstrating how third-party system fragility must now be treated as a core risk.
Investigations into the M&S, Co-op, and JLR attacks focused on potential links to outsourced IT provider Tata Consultancy Services (TCS). Liam Byrne, chair of the UK's Business and Trade Committee, wrote to TCS seeking information amid reports that attacks were linked to TCS employees. While TCS maintained there were "no indicators of compromise" within its network, the incidents raised fundamental questions about outsourcing risk management.
All three affected companies had significant IT outsourcing relationships with TCS:
- M&S outsourced more than half of its IT team in 2018
- Co-op outsourced some IT roles in 2020
- JLR maintained extensive outsourcing relationships
The Telegraph reported that M&S ended its business relationship with TCS in July following the attack, though TCS disputes aspects of this reporting. The pattern suggests that organizations must fundamentally reassess how they manage third-party cyber risk in their insurance and operational strategies.
The Policy Debate: Covering Ransom Payments
A contentious debate continues over whether cyber insurance policies should cover ransom payments to cybercriminals.
The Biden Administration's Position
Anne Neuberger, chief of cyber under the Biden administration, argued in 2024 for banning insurers from covering extortion payments, claiming current policies incentivize payments that fuel cybercriminal operations.
Industry Pushback
Monica Shokrai, Google Cloud's head of business risk and insurance, countered: "I'm not convinced that banning the ransom from being paid by cyber insurance policies will remediate the issue. In the case of large companies, cyber insurance will still cover the cost of the incident and the ransom itself often isn't material, particularly compared to the cost of business interruption that a large corporation may face."
Shokrai argued that if larger companies continue to pay ransoms despite insurance not covering it, the impact of a ban becomes less meaningful. Others contended that a payment ban was too reductive, with the root cause of rising payments being "widespread digital insecurity."
The Trend Away from Ransom Payments
Despite the controversy, data shows the percentage of companies paying ransom demands has declined over time. Improved backup strategies, better incident response capabilities, and growing awareness of unreliable decryption tools are driving this shift. Organizations increasingly recognize that payment neither guarantees data recovery nor prevents future attacks.
Emerging Threats and Future Challenges
AI-Enabled Attacks
Generative AI is making social engineering, phishing, and business email compromise schemes significantly more convincing. Compromised credentials have emerged as the most frequent attack vector, with AI tools enabling attackers to craft highly personalized and contextually appropriate lures.
Insider Threats
The October 2025 case involving Star Health Insurance's CISO allegedly selling customer data to a hacker highlights one of the most dangerous types of insider threats—privileged access abuse. This incident underscores the expanding risk landscape beyond external attacks.
Non-Malicious Incidents
Business interruption linked to IT outages entered Allianz's claims dataset for the first time in 2025, fueled by a global service disruption affecting millions of systems. Technical failures and privacy missteps now account for a greater share of claims, with privacy litigation rising sharply—more than 1,500 actions filed in the US in 2024.
Regulatory Complexity
Organizations face an increasingly complex regulatory environment with new mandatory reporting requirements:
- CIRCIA: Final rules expected late 2025, mandating critical infrastructure operators report significant incidents to CISA within 72 hours and ransomware payments within 24 hours
- HIPAA Security Rule Update: Proposed updates would make previously "addressable" controls—including MFA, encryption, and network segmentation—mandatory for healthcare entities
- SEC 4-Day Disclosure Rule: Already in effect, requiring public companies to disclose material cyber incidents within four days
- UK Cyber Security and Resilience Bill: New legislation strengthening national cyber defenses
Insurance Industry Response and Evolution
Underwriting Sophistication
Insurers have dramatically enhanced underwriting processes. Stricter assessments now include:
- Longer, more granular technical control questionnaires
- Security scans and automated risk assessments
- Partnerships with cloud providers and security scoring services
- For larger businesses, site visits and hardware examinations
- Mandatory implementation of baseline controls (MFA, endpoint detection, regular patching, network segmentation)
The Shift to Proactive Risk Management
Jonathan Fong, head of general insurance policy at the ABI, emphasized that cyber insurance represents more than a financial safety net: "The right policy not only supports businesses in the aftermath of an incident but can also help prevent attacks through access to expert advice, threat monitoring, and incident response planning."
However, experts at the UK National Cyber Security Centre's annual conference noted that cyber insurance has yet to become a robust tool for consistently helping insureds implement preventative measures before incidents occur. The market remains largely focused on managing fallout rather than building resilience.
Market Projections
Industry forecasts suggest continued growth:
- Munich Re projects the global market will average 10% annual growth through 2030
- The market is predicted to nearly double to $30 billion by 2030
- Growth is expected to be fastest among mid-sized companies and regions with historically low uptake
- Demand is increasing in emerging markets as digitization accelerates
Critical Takeaways for Organizations
1. Coverage Adequacy Assessment
Organizations must fundamentally reassess whether their cyber insurance limits match actual risk exposure. The M&S case demonstrates that even £100 million in coverage may prove inadequate for major incidents. Boards must challenge assumptions about recovery timelines and loss scales.
2. Policy Understanding
Companies must move beyond assuming coverage exists to thoroughly understanding what policies actually cover. System outages, indirect losses, and supply chain failures remain grey areas in many policy wordings. Legal review of cyber insurance policies should be as rigorous as review of any major contract.
3. Baseline Security Controls
Organizations without fundamental controls—MFA, endpoint detection, regular patching, network segmentation—will increasingly find themselves unable to obtain coverage at any price. Insurers now view these as non-negotiable baseline requirements.
4. Third-Party Risk Management
The JLR, M&S, and Co-op incidents underscore that cyber risk management must extend comprehensively to vendors, service providers, and supply chain partners. Contracts with third parties should explicitly address cyber security requirements, liability, and insurance obligations.
5. Incident Response Preparedness
The cost difference between early detection and late-stage compromise can be 1,000-fold. Organizations must invest in:
- 24/7 security operations capabilities
- Tested incident response plans
- Relationships with specialist response providers
- Regular tabletop exercises simulating major incidents
- Backup and recovery strategies that function under attack conditions
6. Board-Level Engagement
Cyber risk can no longer be delegated entirely to IT departments. Boards must understand their organization's cyber insurance strategy, coverage limits, exclusions, and the gap between insured and uninsured risk. The FCA's warning about "massive underinsurance" demands board-level attention.
Conclusion: The Road Ahead
The 234% surge in UK cyber insurance payouts represents more than a statistical anomaly—it signals a fundamental transformation in the threat landscape that demands equally fundamental changes in how organizations approach cyber risk.
The cases of Marks & Spencer, Jaguar Land Rover, and Co-op provide stark lessons. M&S had insurance but was underinsured. JLR had no insurance and faced devastating losses that required government intervention. Co-op had partial insurance that left critical exposures unaddressed. Each represents a different failure mode, but all resulted in massive financial and operational impact.
The global market's trajectory—toward $30 billion by 2030—reflects growing recognition that cyber insurance has evolved from a specialty product to a critical component of enterprise risk management. However, market maturation must be accompanied by organizational maturity in understanding coverage, implementing security controls, and building genuine resilience.
As FCA Chief Executive Nikhil Rathi emphasized, "Resilience is profitable." Organizations that invest in robust cybersecurity, comprehensive insurance, and proactive risk management will not merely survive cyber incidents—they will emerge stronger, with competitive advantages in an increasingly digital economy.
The widening gap between insured and uninsured organizations suggests that cyber insurance, properly implemented alongside strong security practices, represents a strategic differentiator. But as the UK's experience demonstrates, insurance alone is insufficient. Only a holistic approach combining prevention, detection, response, and financial protection can adequately address the sophisticated, persistent, and evolving threat landscape of 2025 and beyond.
About the Research
This analysis incorporates data from the Association of British Insurers, Munich Re, Allianz Commercial, Aon, and multiple industry sources including breach.company, ComplianceHub.wiki, and regulatory filings. The research spans UK-specific data from 2024-2025 and global market analysis covering cyber insurance trends, ransomware evolution, regulatory developments, and organizational case studies across multiple industries and jurisdictions.






