The perception gap is cyber insurance's real problem

Awareness is rising, but misconceptions around cyber cover, claims and resilience are still leaving UK businesses dangerously exposed

By Bryony Garlick

Cyber risk may now be firmly established as a board-level concern for UK businesses, but the insurance market increasingly believes a more dangerous problem sits underneath that awareness: many companies still fundamentally misunderstand what cyber resilience and cyber insurance actually involve.

For Sam Franks, country manager for UK & Ireland at Beazley, that disconnect continues to create significant vulnerabilities.

“We see that as a slightly conflicting result,” Franks said. “The cyber threat continues to move forward and continues to increase. Cyber resilience isn't a one stop, you've done it, you're now all good. It is about constant investment.”

The myths holding the market back

That confidence gap is colliding with another persistent problem: widespread misunderstanding about what cyber insurance actually does.

Helen Nuttall, head of cyber claims and incident management at Marsh, believes public perception of cyber insurance has become distorted by high-profile disputes involving businesses attempting to claim cyber losses under non-cyber policies.

“There are myths peddled out there often because of cyber incidents being organisations trying to wedge cyber incidents under a non-cyber insurance policy, which then results in coverage issues,” she said. “And that gets reported in the press and is not particularly accurate.”

In practice, Nuttall said, “the vast majority of cyber claims are paid out”, often with remarkable speed and little dispute.

“We've had clients submit claims and get interim payments from insurers within two weeks,” she said. “Those interim payments have been the difference between their business folding or their business surviving.”

For brokers, the implication is significant. Misconceptions around disputed claims and cyber coverage exclusions may be discouraging businesses from buying cover that, in practice, is often responding exactly as intended.

The wording problem

For Richard Talbot-Jones, director of Talbot Jones, the perception problem becomes operational the moment clients attempt to meet contractual cyber insurance requirements.

The absence of standardised wording means terms such as “cyber liability” are often interpreted differently by insurers, clients and procurement teams.

“Cyber liability for us is you're sued because you've lost somebody's data and they've suffered a financial loss,” Talbot-Jones said. “But some people don't mean that.”

That inconsistency is creating growing friction for brokers and clients alike.

“We've had clients who've come to us and said, you've arranged this insurance for us, but our client has said that we don't comply with the contractual terms because we need cyber liability, when yours is called something else,” he said. “But whatever label it has, it means cyber liability.”

The result is that businesses can fail procurement or contractual checks despite already holding materially equivalent cover, simply because the market has not standardised the terminology used to describe it, or because legal and procurement teams aren’t aware of the scope of cover available.

Cyber incidents become resilience events

Beyond wording disputes and perception problems lies the deeper issue Franks identified: businesses treating cyber resilience as a destination rather than an ongoing discipline.

Nuttall said organisations that struggle most during cyber incidents are often those that have response plans in place but have never properly tested them.

“If you've not practised a plan, it can quite quickly turn into a major crisis because nobody knows who is doing what,” she said. “Most organisations dealing with an incident like ransomware or cyber extortion have never dealt with an incident like this before.”

At the same time, regulation is raising expectations around what operational resilience now requires in practice.

NIS regulations, DORA and the Cyber Security Resilience Bill progressing through Parliament are collectively reshaping how cyber preparedness is viewed across the market.

“All of that is joining together to create an environment where a cyber incident is not just a data privacy incident, it's a resilience event,” Nuttall said.

Conversations about cyber insurance can no longer stop at the point of purchase. Franks said brokers have a critical role in reinforcing that resilience requires continual investment rather than one-off compliance exercises.

“We want to work with brokers to continue to highlight that it is that ongoing investment that's needed to make sure that UK businesses are resilient to AI or whatever the next cyber threat might be,” he said.

The market has undoubtedly matured. Awareness is rising, cyber claims are being paid and businesses increasingly recognise cyber insurance as critical operational infrastructure rather than a discretionary purchase.

But the gap between what businesses think they understand and what resilience actually requires remains substantial.

As Talbot-Jones put it, cyber insurance, business continuity planning and risk management increasingly need to operate together rather than separately.

“They should all be working together,” he said. “It's a continuum.”