Cyber insurance is improving, but the threats it is meant to cover are evolving just as fast. As risks become more interconnected and harder to define, the gap between exposure and protection remains difficult to close, particularly among SMEs.
The challenge is no longer access to cyber cover, but ensuring it is understood, structured and aligned to practical loss. As cyber risk becomes more closely tied to operational and financial exposure, the consequences of misunderstanding cover are becoming more significant.
Cyber insurance is evolving, with broader coverage, more sophisticated wordings and policies that increasingly respond to the impact of an incident rather than the method of attack itself.
“The market is broadly moving in the right direction. Coverage is far more sophisticated than it was even three years ago,” said Nathan Hankin (pictured left), head of UK retail cyber and tech E&O at Aon.
Insurers have expanded definitions, strengthened business interruption triggers and introduced extensions that better reflect how organisations operate in practice. As a result, policies are becoming more closely aligned with practical exposures, although the challenge increasingly lies in how they are applied.
Ethan Godlieb (pictured centre), associate partner – cyber, tech and fintech at Consilium, said the product has matured significantly, with a clear shift towards covering business impact, including interruption, response costs and liability.
The nature of cyber risk is also shifting. Rather than sitting within a single line of business, it now extends across operations, governance and financial exposure, requiring a more integrated approach to both risk management and insurance placement.
“Cyber risk no longer sits neatly in one box,” Godlieb said. “It cuts across people, process and technology.”
This shift is changing how cyber insurance needs to be positioned, moving it away from a standalone purchase and towards a broader risk and resilience strategy that reflects how businesses actually operate.
Despite improvements in coverage, placements can still fall down in practice, and the issue is rarely the claim itself. More often, it lies in how expectations are set at the outset, particularly where clients misunderstand how policies respond to different types of incident.
“It’s designing programmes where the evolving risks and the claims outcomes are anticipated rather than discovered,” said Godlieb.
In practice, many clients still expect cyber policies to respond to any digital incident, when in reality coverage is shaped by triggers, definitions and programme structure. Hankin pointed to structural challenges in underwriting, including incomplete submissions, weak controls and misaligned business interruption triggers, particularly where cloud providers or supply chain dependencies are involved.
“Real-world outages rarely align neatly with policy definitions,” he said.
Another issue lies in quantification. While many organisations recognise cyber as a critical risk, far fewer can put a clear financial figure on a major incident. Without that figure, limits are often set without reference to actual exposure, a disconnect that persists across parts of the market.
For Daniel Winn (pictured right), development broker at Jensten, pricing and engagement remain key barriers, particularly among SMEs, where uptake continues to lag behind risk.
“Our main non-buyers are SME clients, and it is just getting them over the line,” he said, adding that a broader capability gap among brokers, particularly those without specialist cyber expertise, can make it more difficult to communicate risk effectively.
“There is a fear of the unknown. They do not necessarily know the cyber language or how to explain it to clients,” he said.
As the product evolves, so too does the role of the broker. Cyber broking is no longer a purely transactional exercise, but one that increasingly requires interpretation and translation across multiple disciplines.
Brokers are now expected to operate between technical, financial and operational risk, bridging the gap between IT teams, senior leadership and insurers, and ensuring that cyber exposure is understood in a broader business context.
“The modern cyber risk advisor is to act as both a risk advisor and a security translator,” Godlieb said.
In practice, the difference between a well-structured cyber programme and a poorly aligned one is no longer marginal. It can determine whether a loss is absorbed or transferred.
This shift reflects a wider evolution in the market, where insurers and insurtechs are positioning themselves as partners, combining insurance with monitoring, advisory and incident response services.
For Hankin, the policy itself is now only one part of a much broader advisory role that spans quantification, control guidance, stakeholder education and scenario planning.
“The insurance policy is the final output, not the starting point,” he said.
Winn echoed that view, emphasising the importance of clarity and confidence in how cyber is explained to clients, particularly as many brokers continue to build their understanding of the space.
“It is about understanding what the policy does and being able to explain it clearly. A lot of brokers are overcomplicating it for themselves,” he said.
At its core, cyber insurance remains a form of risk transfer, but the level of understanding required to deliver it effectively has increased significantly as both the product and the risk have developed.
A persistent challenge remains the gap between perceived and actual risk, particularly among smaller businesses, where awareness and uptake are still developing.
“There’s a huge protection gap,” Godlieb said.
Winn agreed, noting that many organisations continue to believe they are too small to be targeted, despite evidence that smaller firms are often more vulnerable to attack.
“They are not too small to get attacked, they are just not big enough to make the news,” he said.
Misconceptions around cost and complexity continue to influence decision-making, even as the market becomes more accessible and placement processes more streamlined. At the same time, expectations of cover do not always fully align with reality, particularly in areas such as business interruption, supply chain exposure and regulatory costs.
The opportunity and responsibility are clear: the brokers who succeed will not be those who place cover fastest, but those who structure it most effectively, aligning cyber across multiple lines and articulating risk in financial terms.
“Cyber broking, to wrap it into a sentence, is becoming a capability rather than simply a product specialism,” Godlieb said.
As cyber risk continues to evolve, closing the disconnect between exposure and protection will depend on how effectively brokers can turn complexity into clarity and ensure clients are equipped to respond.