Boards want cyber policies that reflect real-world failures

Companies are moving beyond headline cover to scrutinise how cyber losses would unfold in practice


By Bryony Garlick

Cyber insurance discussions are becoming less about whether organisations have cover and more about whether policies reflect how a business would actually fail during a cyber event.

For Tom Dryden, Partner and Head of Cyber, Europe at McGill and Partners, that shift has fundamentally changed the nature of conversations taking place at board level.

“There’s been a more real and structural change across this gradual trend of cyber being more in focus,” he said. “Cyber insurance no longer sits just in the technology teams, in the IT teams, but very much at top level.”

Insurance moves closer to business strategy

Dryden said cyber insurance conversations now routinely involve CFOs and general counsel alongside security and risk leaders, reflecting broader concern around the financial and reputational consequences of cyber events.

Recent high-profile incidents in the UK have accelerated that shift. Public disclosures around losses, disruption and insurance recovery have pushed boards to examine more closely how policies would respond under stress and where the most significant operational and financial pressure points would emerge during an attack.

“[It’s] not just are we insured,” Dryden said, describing the questions boards are now asking, “but does our policy actually reflect how we would fail in the event of a major catastrophic cyber event.”

That change has also altered expectations of brokers. Dryden said clients increasingly expect guidance that extends beyond placement into broader advisory work. “We see our role more as a cyber risk advisor, not just an insurance placement broker,” he said.

Boards are becoming more specific

The change is not simply greater board attention, but a more detailed examination of how exposure is modelled and transferred.

Dryden said organisations are increasingly focused on the financial impact of different cyber scenarios rather than headline limits alone, and on understanding how those scenarios would unfold within their business.

That has led to more scrutiny of how programmes are structured. In some cases, Dryden said, companies are being encouraged to reconsider whether simply increasing limits is the right approach. “Let’s not just renew as is or just top up,” he said. “It’s maybe you should take a much higher self-insured retention because it makes sense for how a loss would impact you as a business.”

At the same time, he warned against reactive buying following major incidents. Public breaches can create pressure to move quickly without fully interrogating what cover is actually needed. “There can be a slight danger that some of these pressures from the top can accelerate how you buy,” he said.

Clarity matters more than complexity

As cyber policies have broadened, Dryden believes one issue has become increasingly important: clarity.

The market has expanded cover and introduced new extensions in response to emerging risks, particularly around AI-related exposures. But Dryden suggested the pace of product development can sometimes complicate rather than simplify conversations with clients.

“I think we have been very good at evolving the product to meet evolving exposures,” he said. “But it often does confuse the picture for some of our clients.”

The underlying issue, he suggested, is not necessarily a lack of innovation, but difficulty communicating what policies are designed to do and where coverage boundaries sit.

The market is adapting, but unevenly

Dryden believes the London cyber market has generally responded quickly to changes in the threat landscape, particularly through product development and broader resilience support services.

But he said parts of the underwriting process still lag behind how organisations manage cyber risk internally. Annual assessments and static questionnaires remain common, despite businesses increasingly monitoring cyber exposure continuously.

“There could be some benefit to moving faster to more continuous monitoring,” he said.

The challenge becomes more pronounced as businesses concentrate critical operations among a small number of technology providers, particularly cloud platforms. Dryden said the market continues to wrestle with how to absorb that level of aggregation risk.

“There needs to be a solution to help capture some of that very significant exposure,” he said.

As boards become more sophisticated in how they assess cyber risk, insurers and brokers are facing pressure to match that sophistication not just through broader cover, but through clearer underwriting, better advice and a stronger understanding of how organisations actually fail.
