Cyber claims surge offers a stark wake-up call for brokers and boards

The sharp edge of cyber risk cut deep into British industry in 2024, and the reverberations are being felt across the insurance broking sector. Marsh’s latest UK Cyber Insurance Claims Trends Report reveals a year defined by ransomware volatility, operational disruption, and a stark acceleration of threat actor sophistication — all amid a marketplace showing signs of both growing maturity and mounting complexity.

For brokers, the message is clear: this is no time for complacency.

Ransomware: fewer claims, higher stakes

While the total number of cyber claims dipped slightly compared to 2023 — in part due to the absence of a mass-scale incident like MOVEit — Marsh still recorded the second-highest annual claims total on record. Ransomware remained the dominant threat, accounting for nearly a third of all claims. These incidents increasingly targeted supply chains and relied on artificial intelligence (AI) to breach defences, demonstrating that attackers are evolving faster than many corporate risk strategies.

What’s more, 2024 saw chilling developments in tactics. In the UK, executives were threatened with physical harm as hackers accessed personal data, including home addresses and phone numbers.

The familiar extortion playbook — encrypt, exfiltrate, demand — now includes deeply personal intimidation, a development that should give pause to risk managers and boardrooms alike​.

Fewer ransom payments, bigger demands

In a paradoxical twist, Marsh’s report notes that fewer organisations chose to pay ransoms last year.

Improved detection, robust backup regimes, and a shift in public sentiment — less shaming of victims — helped firms stand their ground. However, threat actors responded in kind. Average ransom demands soared, with some reduced by more than 60% only after specialist negotiators were engaged, reinforcing the value of having access to expert vendor panels via cyber insurance​.

Retailers, manufacturers and finance in the crosshairs

Sector-specific findings are of particular note to brokers advising clients with complex exposure profiles. Retailers saw a spike in claims during Q3 and Q4, timing that coincides with the crucial Black Friday and Christmas period. Manufacturers also featured prominently, with operational technology now deeply entwined with IT systems — making them ripe targets for attackers seeking to disrupt production.

Financial institutions, despite being frequent reporters of incidents, had relatively low claims rates. Marsh attributes this to more rigorous cybersecurity protocols and higher levels of insurance uptake — but warns that their extensive data holdings and third-party dependencies still render them high-risk​.

CrowdStrike fallout highlights need for supply chain scrutiny

One of the most consequential events of the year was the CrowdStrike software update outage in July 2024. While not malicious, the global disruption underscored how reliant many organisations are on a small set of digital infrastructure providers. Claims related to non-malicious network interruption surged, providing a rare real-world test of business interruption cover and incident response readiness​.

Brokers must ensure clients fully understand what their cyber policies include in terms of non-malicious system failure — and that business continuity plans account for such scenarios.

The role of people and AI in escalating threats

Marsh’s report makes clear that employees remain both the front line and the weak link. Phishing and social engineering remained the most common vectors of compromise, now supercharged by generative AI and even deepfakes. One observed trend saw attackers simulate the voices of executives in voicemails to trick staff into transferring funds or disclosing sensitive data.

The stakes are rising, not only in volume but in nuance. Threat actors are innovating at the intersection of technology and psychology. Brokers must press clients to adopt not only technical safeguards but also regular, realistic staff training​.

A more regulated landscape is coming

Finally, the regulatory burden is swelling. With the EU’s DORA and NIS2 now in force, and the UK Government consulting on plans to outlaw ransom payments for critical infrastructure, insureds must prepare for a world in which cyber resilience is not just good governance — it’s mandatory. The ICO has also signalled it will impose stricter penalties on firms lacking basic cyber hygiene, including multi-factor authentication​.

Implications for brokers: act now or fall behind

For insurance brokers, Marsh’s data should serve as both a warning and a guide. The market remains competitive, but securing coverage for clients increasingly requires demonstrable controls and strong incident response planning. Brokers must take a more proactive role in assessing client readiness, understanding evolving threats, and tailoring coverage to reflect the risks of today — and tomorrow.

As Helen Nuttall, Head of Cyber Incident Management at Marsh, put it: global tech outages and ransomware attacks are not a matter of if, but when. The opportunity for brokers lies not merely in placing risk, but in shaping resilience.

Biggest (cyber) hits of 2024

1. Change Healthcare ransomware attack (February 2024)

• Actor: BlackCat (ALPHV)
• Impact: Disruption across U.S. healthcare systems affecting approximately 100 million individuals.
• Details: One of the largest breaches of the year, compromising medical records, social security numbers, and billing data, with major knock-on effects throughout the healthcare sector.

2. CrowdStrike global IT outage (July 2024)

• Cause: Faulty software update (non-malicious)
• Impact: Over 8 million Windows systems worldwide experienced crashes.
• Details: Although not a cyberattack, the incident led to substantial business interruption globally and prompted a surge in insurance claims related to system outages.

3. Snowflake data breach (April 2024)

• Impact: Data exfiltration from 165 corporate customers.
• Details: Attackers gained access via compromised employee credentials, resulting in a significant breach of customer databases and commercial data.

4. Synnovis NHS ransomware attack (June 2024)

• Impact: Cancellation of thousands of surgeries and medical appointments.
• Details: The ransomware attack targeted Synnovis, a key NHS pathology provider, significantly disrupting public healthcare operations in the UK.

5. IRLeaks attack on Iranian banks (August 2024)

• Actor: IRLeaks
• Impact: 20 of 29 Iranian banks compromised.
• Details: Large-scale data breach affecting national banking infrastructure, with reported ransom payments made to prevent further public exposure.

6. North Korea’s $1.5 billion cryptocurrency theft (February 2024)

• Actor: Lazarus Group (state-sponsored)
• Impact: Theft of $1.5 billion from the Bybit cryptocurrency exchange.
• Details: The largest digital currency heist in history, highlighting the ongoing threat posed by sophisticated state-affiliated actors.

7. Keytronic ransomware attack (August 2024)

• Actor: Black Basta
• Impact: Estimated $17 million in financial losses.
• Details: Attack on a U.S.-based electronics manufacturer, leading to data theft and operational disruption across its facilities.

8. Marks & Spencer cyberattack (April 2025, incident in 2024)

• Actor: Scattered Spider
• Impact: Nearly £700 million wiped from market capitalisation.
• Details: Attack disrupted M&S’s online sales and in-store payment systems, with significant financial and reputational fallout.

9. CDK Global ransomware attack (June 2024)

• Impact: Thousands of car dealerships across North America affected.
• Details: The breach of this automotive software provider paralysed dealer operations for days, demonstrating the vulnerabilities of vertical SaaS vendors.

10. Ticketmaster data breach (June 2024)

• Actor: ShinyHunters
• Impact: Exposure of over 560 million customer records.
• Details: One of the year’s largest consumer data breaches, affecting contact information, ticketing histories, and payment data.