Cyber risk is becoming an operational threat rather than an IT problem

High-profile incidents are reshaping how businesses assess cyber exposure, with disruption now extending far beyond data loss


By Bryony Garlick

Cyber incidents are increasingly forcing businesses to rethink how they understand financial risk, particularly as operational disruption and supply chain exposure move higher up corporate agendas.

For Claud Bilbao, VP of underwriting and distribution for UK and Australia at Cowbell, recent high-profile attacks, such as those affecting M&S and Jaguar Land Rover, have accelerated a broader shift already underway across the market. Businesses are moving beyond viewing cyber primarily as an IT or privacy issue and are increasingly recognising its balance-sheet implications.

“The financial impact is now understood to extend well beyond the immediate cost of a cyber incident,” Bilbao said. “There’s now a wider appreciation and understanding of the operational implications of a cyber incident and the costs that can be associated with that.”

That shift is particularly visible in sectors such as automotive, where interconnected operational technology systems, logistics platforms and digitally integrated manufacturing processes have widened the potential impact of attacks. In those environments, Bilbao argued, the most significant exposure is often no longer data loss itself, but the inability to continue operating.

“The most acute cyber exposure is often the inability to operate,” he said.

Supply chain exposure is widening the risk landscape

Bilbao said larger corporates are increasingly developing more sophisticated approaches to cyber risk, particularly around operational resilience and financial modelling. SMEs, however, still face a significant preparedness gap.

“When we talk about cyber insurance, it’s circa 10%,” he said, referring to UK cyber insurance penetration. “There’s still that belief of ‘it’s not going to happen to me’.”

Part of that disconnect, he argued, stems from the way cyber incidents are discussed publicly. The industry has become highly effective at documenting major corporate breaches, but that has also reinforced the perception among smaller businesses that cyber attacks primarily target multinational organisations.

“We’ve done a terrific job at documenting the big breaches,” Bilbao said. “But what that has done in part is made [SMEs] think that this doesn’t happen to me, it only happens to big businesses.”

In reality, attackers are often pursuing scale rather than prestige targets. “A lot of the time it’s an opportunity for them to issue lots and lots of attacks and they’re just trying to see where they’re going to have success,” Bilbao said.

That dynamic is becoming increasingly important as supply chain vulnerabilities expand cyber exposure far beyond a company’s own systems. Rather than targeting a heavily defended multinational directly, attackers can instead exploit weaker controls elsewhere in the chain. In practice, that means smaller suppliers, service providers and outsourced technology partners increasingly become part of the broader cyber exposure facing larger organisations.

“Sometimes attackers want to go for the lowest hanging fruit, the path of least resistance,” Bilbao said. “What I can do is use their supply chain, potentially a smaller business that’s interconnected with them, and I can use them as my entry.”

Insurance products are evolving alongside the threat

Bilbao argued cyber insurance products have evolved materially over recent years as ransomware and business interruption exposures have become more severe. Policies that once focused largely on privacy breaches and regulatory costs now place far greater emphasis on operational recovery, incident response and business continuity support.

“Prior to 2018, 2019, prior to ransomware, the operational and business interruption aspect of a cyber incident wasn’t so well known,” he said.

The shift reflects how ransomware and operational outages have altered the market’s understanding of cyber loss over the past five years, particularly as business interruption has become a far more prominent consequence of attacks.

The market has also moved towards more proactive models, with insurers increasingly providing forensic support, incident response services, ransomware negotiation and resilience guidance as part of broader cyber offerings.

“We’ve moved away from a very reactive policy and we’ve now moved to a proactive policy,” Bilbao said.

Bilbao also pointed to changes in how cyber risks are being underwritten as insurers respond to ransomware, AI and a rapidly evolving threat landscape. At the same time, he warned the pace of change means businesses still struggle to fully model the financial implications of major cyber incidents.

“Not all cyber threats and cyber incidents are created equally,” he said.

As cyber incidents become more operational and interconnected, businesses with tested contingency and response plans are consistently better positioned when disruption occurs, Bilbao said.
