Cyber Insurers Paid Out Over Twice As Much For UK Ransomware Attacks Last Year

The number of successful cyber insurance claims made by UK organizations shot up last year, according to the latest figures from the industry’s trade association.

The Association of British Insurers (ABI) said £197 million ($259 million) in cyber insurance payouts were made to victimized organizations in 2024, up from £59 million ($77 million) in 2023.

Cyber insurance companies are a controversial part of the security market. Some argue the minimum standards they enforce on policyholders drive up security standards, while others have accused them of encouraging criminals to extort by making payments to ransomware crews.

ABI data showed that ransomware and malware infections contributed to 51 percent of the claims made by UK organizations in 2024. This percentage increased markedly year-over-year, with ransomware and malware making up 32 percent of all claims in 2023.

The ABI said the surge in attacks leading to policy payouts illustrates an increase in sophistication and the damage cyberattacks are having on businesses.

“Cyber insurance is more than just a financial safety net,” said Jonathan Fong, head of general insurance policy at the ABI. “The right policy not only supports businesses in the aftermath of an incident but can also help prevent attacks through access to expert advice, threat monitoring, and incident response planning. 

“With cyber threats continuing to grow in scale and sophistication, it needs to be a critical component of every organisation’s modern risk management strategy.”

The ABI’s most recent data pertains to the period before the wave of digital heists on major British businesses began this year.

These included retailer Marks & Spencer, which last week reconfirmed to investors that it made a maximum £100 million ($131 million) claim on its cyber insurance policy, suggesting that 2025’s data could lead to further increases in total payouts.

Officials at fellow besieged retailer Co-op confirmed in September that the company did not have comprehensive cyber insurance in place at the time of its April attack, and that it would not make a claim on the limited-scope policy.

CFO Rachel Izzard told Reuters: “We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties, but we don’t believe we will be claiming on insurance for back-end losses.”

Jaguar Land Rover reportedly did not have a cyber insurance policy in place at the time of its hugely costly cyberattack this year. When The Reg asked the org about this, a JLR spokesperson told us: “We do not comment on commercial matters such as these.” Ultimately, the UK government had to step in with a landmark support package to help the automaker, and the smaller businesses across its supply chain, financially recover.

Even if JLR did have a cyber insurance policy in place at the time – however comprehensive it might have been – it is unclear whether the massive costs associated with its downtime would have been materially eased by an insurance payout.

The circa £2 billion ($2.6 billion) costs of its attack could be compared to those of Change Healthcare in the US, whose ALPHV ransomware attack in 2024 also led to costs exceeding $2 billion.

Industry figures have debated the role and efficacy of cyber insurance for years. 

At the UK National Cyber Security Centre’s (NCSC) annual conference earlier this year, the matter of cyber insurance was one of the few topics all the top expert panellists agreed on, offering support for its role in improving security standards.

The prevailing takeaways from the CYBERUK session were that insurers hold decades of expertise in assessing risk, and they have access to the most pertinent threat intelligence affecting modern organizations, which informs their policy requirements.

If organizations can’t meet them – i.e. they don’t implement the baseline standards required to defend against the most successful modern attacks – they don’t get a policy.

On the other side of the debate sit those who believe insurers are encouraging ransom payments.

Anne Neuberger, chief of cyber under the Biden administration, argued last year for banning insurers from covering extortion payments, claiming current policies incentivize payments, which in turn fuel cybercriminal operations.

Others who spoke to The Register at the time disagreed. 

Monica Shokrai, Google Cloud’s head of business risk and insurance, said: “I’m not convinced that banning the ransom from being paid by cyber insurance policies will remediate the issue.”

“In the case of large companies, cyber insurance will still cover the cost of the incident and the ransom itself often isn’t material, particularly compared to the cost of business interruption that a large corporation may face. 

“So, if larger companies continue to pay the ransom despite insurance not covering it, the impact of a ban on the insurance coverage becomes less meaningful.”

Others argued that a payment ban was too reductive a countermeasure, saying the root cause of rising payments was “widespread digital insecurity.” ®

