Cyber insurance: adapting to evolving risks and regulation

Corporate policyholders of cyber insurance are navigating an increasingly complex landscape that is being shaped by evolving threats and shifting regulatory expectations. With high-profile recent cyber attacks, such as those on Marks & Spencer and the Co-op¹, and findings from the government’s Cyber Security Breaches Survey 2025² revealing that 43% of businesses experienced a cyber incident in the past year, the urgency for strengthening cyber resilience has never been clearer.

Recent developments, including efforts to standardise cyber insurance policies, the introduction of new codes of practice and proposed regulatory enhancements, reflect a concerted effort to address these challenges. While the journey towards comprehensive and clear cyber insurance coverage is still in its early stages, a number of recent initiatives highlight a promising direction of travel. Policyholders are encouraged to engage with their brokers and legal advisers to ensure that they are well equipped to manage the risks of the digital age.

Policy standardisation

One of the biggest challenges for the cyber insurance market has traditionally been a lack of standardisation across cyber policies, which leads to confusion for policyholders over coverage terms and difficulties in comparing policies. Although an understandable consequence of the fact that cyber risk profiles can vary so much between businesses, this lack of uniformity complicates the process for businesses that are seeking to understand their coverage and ensure that they are adequately protected against cyber attacks.

ABI Lloyd’s guidance. In November 2024, the ABI Lloyd’s Cyber Working Group published guidance for key stakeholders in the insurance industry on, among other things, how to approach defining a major cyber event (the guidance)³. The guidance represents an effort to build a shared approach across the industry as, although cyber risk is one of the most prominent systemic and emerging risks, there are few historic events for insurers and reinsurers to evaluate when trying to establish clear definitions and policy wording.

The aim of the guidance is to develop a framework for insurers to consider when building their own definitions, looking at elements such as:

• The attribution of malicious and non-malicious attacks.
• The identification of specific causes of loss following a cyber attack.
• The number of victims or the size of exposure.

The guidance should assist in providing more certainty for insurers and policyholders that their policy clearly deals with the wide variety of circumstances that can occur as part of a major cyber event.

CMC scale. A further significant step towards addressing the complexities of cyber risk has been the establishment of the Cyber Monitoring Centre (CMC), which in February 2025 published guidelines seeking to provide a consistent classification for cyber security incidents⁴. The CMC scale, which is likened to the Saffir-Simpson Hurricane Wind Scale and the Richter scale for earthquakes, aims to provide a structured approach to categorising the impact of systemic cyber events; that is, cyber events that originate from a single source but affect multiple organisations. The CMC scale should aid both policyholders and insurers in coming to a clear understanding of what their policy’s terms and conditions are and, in some cases, whether a cyber event is covered by their insurance.

However, it is clear that measures to standardise cyber policies are in their infancy. This is, in part, a product of the emerging and incredibly complex nature of cyber attacks, as well as the individual nature of the risk profile of every policyholder. It is to be expected that the best coverage for any business should be bespoke, as insurance should protect policyholders against their largest exposures. For this reason, businesses should not underestimate the value of a good broker and legal advisers, who can explain to policyholders what they are truly buying in easy-to-understand terms.

Cyber security governance

Although the cyber risks that the cyber insurance industry seeks to protect businesses against are sophisticated and ever-evolving, implementing even the most basic security measures can significantly reduce these risks. For example, Verizon’s 2024 data breach investigations report⁵ noted that 21% of security breaches in what it categorises as “basic web application attacks” were enacted by brute force methods, such as inputting easily guessable passwords. This figure rose dramatically to 56% in Verizon’s 2025 data breach investigations report⁶.

AI cyber security code of practice. On 31 January 2025, the government introduced a new voluntary code of practice for the cyber security of AI (the AI code)⁷. The AI code sets out baseline cyber security principles to help secure AI systems and the organisations that develop and use them. The AI code addresses the unique risks associated with AI, such as:

• Data poisoning; that is, a cyber attack where manipulated or corrupted data is added into, or data is removed from, the training datasets of AI models to negatively affect their performance, accuracy and reliability.
• Malicious code obfuscation; that is, using AI to modify malware source codes to make it more difficult for antivirus software and other cyber security tools to detect cyber threats or attacks.
• Indirect prompt injection; that is, embedding malicious instructions in data sources that large language models use to understand prompts.

The AI code is accompanied by a comprehensive 50-page implementation guide that sets out detailed steps to ensure compliance. The aim of the AI code is to offer explainable AI solutions that are both secure and accessible for organisations, and to support the government’s agenda of harnessing the transformative potential of AI while mitigating avoidable vulnerabilities and cyber risks.

Cyber governance code of practice. On 8 April 2025, the government published a new cyber governance code of practice (the cyber governance code). The cyber governance code is aimed at board members of large and medium businesses and is intended to assist them in improving their resilience to cyber risk, with a primary focus on outlining steps to secure operations and sensitive data, and maintain business continuity in the face of cyber attacks.

The cyber governance code recommends that in-scope businesses put in place internal controls to promote transparency and accountability, including that boards take specific actions built around five key governance principles: risk management, strategy, people, incident planning, response and recovery, and assurance and oversight. This promotion of effective cyber governance at board level will likely increase demand for robust cyber insurance coverage and encourage insurers to develop innovative solutions to meet evolving needs.

Enhanced regulatory framework

As part of the 17 July 2024 King’s Speech, the government announced that it will introduce a Cyber Security and Resilience Bill (the Bill) in the current Parliamentary. On 1 April 2025, the government published details of the measures to be included in the Bill⁸. The government intends that the Bill will:

• Bring more entities into the scope of the regulatory framework under the Network and Information Security Regulations 2018 (SI 2018/506) (2018 Regulations) (see Briefing⁹). The Bill focuses on managed service providers that have access to IT systems, networks, infrastructure and data. These entities will be subject to the same duties as firms that provide digital services, regulator-designated critical suppliers (which are defined as suppliers whose goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service that they support), operators of essential services and relevant digital service providers.
• Empower regulatory bodies and enhance oversight by widening incident reporting criteria under the 2018 Regulations, expanding the Information Commissioner’s Office’s information-gathering powers and improving regulators’ cost-recovery mechanisms.
• Ensure that the regulatory framework can keep pace with the cyber landscape by introducing a power for the Secretary of State to update the 2018 Regulations without requiring an Act of Parliament, potentially allowing new sectors to come more easily within the scope of regulation.

Cyber risks pools

Cyber insurance underwriters continue to grapple with systemic risk factors, including geopolitical risk and a projected rise in both the frequency and severity of cyber attacks, as well as a corresponding need to increase liability reserves.

In response to the growing threat of large-scale cyber incidents, there have been proposals for private-public (that is, state-backed) cyber risk pools. These pools aim to provide a safety net for catastrophic cyber events that exceed the capacity of the private insurance market. By leveraging government support and private sector expertise, these pools would be designed to help mitigate the financial impact of significant cyber incidents. Similar public-private insurance pools have been established in response to other types of catastrophic risks; for example

• Pool Re, which provides terrorism insurance in the UK.
• Flood Re, which provides flood cover in the UK.
• Australian Reinsurance Pool Corporation, which provides Australian communities with reinsurance for terrorism and cyclone events.
• The US Terrorism Risk Insurance Program, which provides cover for losses from terrorist attacks.

While there have been few concrete proposals to create cyber risk pools in the UK, there has been growing industry interest. For example, on 10 February 2025, Lockton Re published a report on cyber risk pools that posed the question of whether private capacity is sufficient to remain relevant and address the consequences of a major cyber event¹⁰. The report concludes that the merits of a cyber risk pool are clear, and that “its time has come”. Although a government-backed cyber risk pool would not be a panacea, it would help to close the cyber protection gap.

Practical tips for corporate policyholders

When considering their cyber insurance coverage, businesses should:

• Engage with brokers and legal advisers to understand the specific coverage needs of their business.
• Stay informed about recent cyber incidents and regulatory changes to better assess risk exposure.
• Implement basic security measures, such as strong password policies, to reduce vulnerability to cyber attacks.
• Consider the implications of new codes of practice and regulatory frameworks on their current policies.

This article first appeared in the August 2025 issue of PLC Magazine¹¹.

Authored by Sara Bradstock, Charlie Shute, and Bethan Savage.