Coverage limits in property damage and business interruption can reach several billion pounds. Equivalent cyber limits rarely exceed £500 million. That single disparity - two interconnected risks, an order of magnitude apart in available protection - captures the central argument of a new joint report from Airmic and the International Underwriting Association, published in June 2026.
The report, Closing the Protection Gap, draws on a series of roundtables held with members of both organisations earlier this year. It identifies three distinct types of protection gap: risks where cover exists but is not taken up, risks where cover does not respond as buyers expected, and risks for which no adequate solution yet exists. Its conclusion is that the industry has long acknowledged the problem but has yet to act on it decisively enough.
A central finding is that large corporate buyers consider insurance to be structured too heavily around product lines rather than outcomes. A cyber-triggered property loss may fall across multiple policies or between them entirely. A supply chain failure spanning geopolitical and commercial dimensions faces the same problem.
Tom Hughes, director of underwriting at the IUA, said both sides of the market recognise the structural nature of the challenge.
"There is consensus among underwriters and insurance buyers, particularly large organisations, that the protection gap is real, structural, and growing," he said. "A better understanding of clients and risk profiles is in the interests of all and will result in better pricing, fewer disputes, and longer-term relationships."
Diane Maxwell, CEO of Airmic, said the convergence of emerging risks has outpaced existing products. "The insurance industry is confronting a widening protection gap, as organisations face an unprecedented convergence of emerging risks. They are creating exposures which existing products, distribution channels, and capital structures do not fully address," she said.
The report calls for reform of how exclusions are introduced, recommending that trade associations convene a consultative process before any new exclusion is finalised for a major class, and that insurers exhaust alternatives such as sub-limits and limitation clauses before resorting to broad exclusionary language.
The cyber shortfall is stark. UK government data recorded 204 nationally significant cyber incidents in the year to August 2025, a 129% increase on the previous year, yet between a third and half of UK organisations still lack appropriate standalone cyber protection, according to industry estimates.
The supply chain gap is equally visible. A March 2026 Gallagher report found 29% of UK firms said supply chain disruption had worsened over the past five years, with tariff and trade disputes cited by 53% as a leading threat - and the broker concluded that insurance protection has not kept pace with the structural shift.
Industry leaders at Insurtech Insights Europe 2026 warned the gap has not narrowed despite years of attention. SCOR's group chief digital and transformation officer David Sütterle said the gap "has almost increased further, or at least stayed flat," adding the market must think beyond repricing to insure risks that are currently uninsurable. The report's own conclusion points in the same direction - that public-private partnership capacity may eventually be required for truly systemic risks where private market limits alone are insufficient.
Airmic and the IUA are calling for broader industry input before final recommendations are made, with a second phase of the project expected to involve brokers and other market participants. The gap between what corporate buyers need and what the market currently provides, however, is not waiting for a second phase to become a problem.