The Truth About Cyber Insurance


Cyber insurance has grown into a multi-billion-dollar global market, yet when a serious breach occurs, the real story often lies in the small print, the exclusions, and the security controls that should have been in place long before the policy was signed.

Once Just An Add-On

Cyber insurance was once treated as a niche add-on to professional indemnity cover. Today it sits at the centre of boardroom risk discussions. The reason is simple. Cyber incidents are no longer rare. They are routine, costly and increasingly disruptive.

So what exactly is cyber insurance, how large has the market become, and when does it actually pay out?

What Cyber Insurance Really Covers

At its core, cyber insurance is designed to cover two broad categories of loss. First-party losses include incident response, forensic investigation, legal advice, customer notification, system restoration, business interruption and, in some cases, ransom payments. Third-party cover addresses claims brought by customers, partners or regulators following data breaches or operational failures.

The detail, however, varies significantly between policies. Cover is often conditional on specific security controls being in place, such as multi-factor authentication, tested backups and patch management processes. In practice, cyber insurance now operates as a form of security gatekeeper. Insurers increasingly assess a firm’s cyber hygiene before agreeing terms or setting premiums.

How Big Is The Market?

According to Munich Re (Münchener Rückversicherungs-Gesellschaft), one of the world’s largest reinsurance companies, the global cyber insurance market was worth around $15.3 billion in 2024 and is expected to reach $16.3 billion in 2025. Munich Re projects that global premium volume could more than double by 2030, with annual growth exceeding 10 percent.

North America accounts for roughly 69 percent of global premiums, with Europe representing around 21 percent. Growth in Europe has been particularly strong over the past few years as regulatory pressure and ransomware attacks have increased awareness.

In the UK, the Association of British Insurers reported that insurers paid out £197 million in cyber claims to UK businesses in 2024. That figure represents a 230 percent increase on the previous year. Malware and ransomware accounted for 51 percent of all UK cyber claims, up from 32 percent in 2023.

These numbers underline two trends. Claims are rising sharply, and insurers are paying substantial sums.

But what do claims actually look like in practice?

Claims And Payouts

There is no universal “claim approval rate” published across the market, but available industry data offers some insight into how incidents unfold.

Coalition’s 2025 Cyber Claims Report, covering incidents in 2024 across several markets including the UK, found that 60 percent of claims arose from business email compromise and funds transfer fraud. These are not sophisticated zero-day exploits. They are often payment diversion scams targeting finance teams.

The same report noted that 44 percent of policyholders affected by ransomware chose to pay the ransom when it was deemed reasonable and necessary. Meanwhile, 56 percent of reported matters required no out-of-pocket payment from the policyholder, often because insurer-provided incident response support mitigated losses before they escalated.

The key takeaway here is that many cyber claims are not dramatic data centre shutdowns. They are invoice fraud, stolen credentials and misdirected payments.

That said, some cases have tested the boundaries of cover entirely.

When The Small Print Becomes The Story

One of the most widely reported examples of a major cyber insurance coverage dispute followed the 2017 NotPetya attack (a malware attack attributed to the Russian military). Pharmaceutical giant Merck said the malware disrupted around 40,000 machines and ultimately caused losses of approximately $1.4 billion. Several of its insurers sought to rely on traditional “war exclusion” clauses, arguing that the attack was attributable to a state actor and therefore not covered. In 2022, a New Jersey court ruled that the wording of the war exclusion did not apply to the cyber attack in question. The parties later reached a confidential settlement.

The Merck case became a landmark moment in cyber insurance interpretation. It highlighted how state-linked cyber operations can blur the boundary between criminal activity and geopolitical conflict, and exposed the limits of legacy policy wording when applied to modern cyber warfare.

Exclusions

In the wake of disputes linked to NotPetya and similar incidents, Lloyd’s of London issued a market bulletin requiring, from 31 March 2023, that standalone cyber policies include clearly defined exclusions addressing state-backed cyber attacks unless expressly covered. The intention was to reduce ambiguity around systemic cyber risk and clarify how attribution would be handled within policy terms.

Other Examples

Other incidents illustrate the potential scale of insured losses. Colonial Pipeline paid a $4.4 million ransom in 2021 following a ransomware attack, with US authorities later recovering approximately $2.3 million in cryptocurrency. CNA Financial was widely reported to have paid $40 million after a ransomware attack the same year. Norsk Hydro, by contrast, refused to pay a ransom after its 2019 attack and later disclosed financial impacts in the region of $60–70 million, supported in part by insurance arrangements.

Taken together, these cases demonstrate both the scale of financial exposure and the growing legal and structural complexity surrounding cyber insurance. Insurance can provide vital financial cushioning when an attack hits, yet it can just as quickly become the subject of dispute, interpretation and courtroom argument when definitions, exclusions or attribution are tested.

Why Cyber Insurance Is Interesting Now

Three structural shifts are fundamentally reshaping the cyber insurance market and changing how organisations think about risk, cover and accountability.

Cyber insurance is increasingly acting as a de facto regulator. Insurers demand evidence of MFA, endpoint protection, network segmentation and backup testing before binding cover. Organisations seeking insurance often upgrade security controls simply to qualify.

There is a clear protection gap. Swiss Re estimates that SMEs account for around 30 percent of global cyber premiums, yet penetration rates among smaller firms remain modest. Many UK SMEs remain uninsured despite rising threat levels.

Systemic risk looms large. Supply chain attacks, cloud provider outages and state-linked campaigns raise questions about correlated losses. Insurers must balance growth with exposure to events that could trigger thousands of simultaneous claims.

What Does This Mean For Your Business?

For UK organisations, cyber insurance is neither a silver bullet nor a formality. It is a financial resilience tool that sits alongside prevention, not in place of it.

Policies can provide rapid access to specialist incident response teams, legal advisers and negotiators at moments of crisis. That support can materially reduce downtime and reputational damage, yet cover is conditional. Failure to implement agreed controls can jeopardise claims.

Businesses should therefore treat cyber insurance procurement as part of a broader risk management strategy. That means reviewing exclusions, understanding sub-limits for ransomware and business interruption, and aligning technical controls with policy requirements.

The market is growing, claims are increasing, and insurers are paying out significant sums. The most important lesson from the past decade is that buying cyber insurance is not the end of the story. It is the point at which scrutiny, obligations and real risk management truly begin.


Mike Knight