AXA XL has struck a strategic partnership with Deloitte to deliver cybersecurity and operational technology services to clients across the globe, in a move that carrier significant implications for the UK cyber insurance market at a moment when the industry is under intense scrutiny.
The tie-up, available through the AXA Digital Commercial Platform, expands on AXA XL's existing cyber insurance and risk consulting capabilities. Under the agreement, clients will gain access to a suite of Deloitte-delivered services spanning the full prevention and detection spectrum, from critical asset identification and vulnerability assessments to cyber crisis simulations and continuous threat monitoring.
The deal arrives at a watershed moment.
In April 2025, Marks & Spencer, Co-op and Harrods were each struck by serious cyberattacks, with Co-op estimating the incident cost it £206 million in lost revenue and an £80 million hit to operating profits in the first half of the year. M&S warned that its attack could reduce operating profit by approximately £300 million for the year.
The Cyber Monitoring Centre, a UK-based independent body established by the insurance industry, classified the M&S and Co-op incidents as a single combined "Category 2 systemic event," estimating the total financial impact at between £270 million and £440 million. The attacks also laid bare a significant protection gap -- neither M&S nor Co-op appeared to have had full coverage for catastrophic cyber losses, with Co-op's insurer covering only parts of the damage.
Cyber incidents surged to unprecedented levels in 2025, yet premiums fell by an average of 11% and coverage broadened, a rare divergence between underlying risk and insurance pricing driven by aggressive growth targets, new managing general agents, a new syndicate and insurers deploying more net capacity.
Claims severity has, however, intensified. In ransomware particularly, a small share of notifications drove roughly three-quarters of payouts, and developing 2023 to 2024 claims are trending materially worse.
This tension between plentiful capacity and deteriorating loss trends is precisely the environment in which prevention-led propositions become commercially compelling. Eddie Lamb, global head of cyber at Hiscox, has argued that enhanced propositions should drive volume rather than price: "As insurers add to their proposition, it becomes a more attractive buy and they'll end up with a higher sales volume out of that, which is potentially how insurers can help sustainably manage the cost."
The partnership is also well-timed from a regulatory perspective. The Cyber Security and Resilience Bill was introduced to Parliament in November 2025, aiming to modernise the UK's cyber regulatory regime, widen the scope of regulated entities and strengthen resilience across critical sectors.
The Association of British Insurers welcomed the legislation, noting that nearly £200 million was paid out in cyber claims last year and describing cyber insurance as "not just a financial safety net" but a tool that "helps to put businesses on the front foot, improving their security processes, providing expert advice and helping with incident response planning."
Despite the growing threat environment and regulatory pressure, uptake remains stubbornly low. The 2025 UK Cyber Security Breaches Survey found that only 7% of all UK businesses held standalone cyber coverage, with just 17% of small businesses holding such policies, even though over 43% report cyberattacks annually.
The Deloitte deal comes weeks after AXA XL unveiled a dedicated prevention business unit led by global chief underwriting officer Libby Benet, designed to accelerate the development and reach of the insurer's risk consulting capabilities. The new unit becomes AXA XL's fifth, sitting alongside Americas, APAC & Europe, UK & Lloyd's and Reinsurance. The Deloitte partnership operationalises that vision on the cyber front, offering clients a direct pipeline to specialist cybersecurity expertise through their insurance relationship.
AXA XL chief executive Scott Gunter has been clear about the direction of travel. "Prevention must be at the heart of how we support our clients," he has said. "That is why we are making services a core part of our offering." With rates soft, losses rising and clients demanding more than indemnity cover, the Deloitte deal suggests that prevention-as-a-service is fast becoming the new competitive frontier in cyber insurance.
"As cyber risks continue to grow, prevention, early detection and swift remediation are becoming increasingly important to business resilience, alongside appropriate cyber insurance coverage," said Imade Elbaraka, managing partner at Deloitte Cyber. "Together, we aim to strengthen clients' resilience by helping them better anticipate and prevent cyber-related risks, while contributing to a safer cyber environment for businesses."
