Cyber: Underinsurance vs Uninsurance

Rising inflation, supply chain shortages and wider socio-economic issues are having a significant impact on the insurance industry, particularly in relation to underinsurance. Cyber insurance is not immune to these pressures; far from it. There are some additional factors pertinent to cyber which play a large part in the current hard market conditions.

What are we seeing?

Changing attacker tactics

Rather than just taking a ‘point and shoot’ approach with ransomware in particular, criminals are now taking much more time to understand their victim, even small businesses. Rather than just encrypting data, they’re now stealing it from the network and threatening to publish it. Previously, encryption was often their first and only goal and ransomware events could be fairly easily remedied with good backups. However, these new methods require much more in the way of investigation and remediation. They also give rise to additional considerations, such as reporting and notification requirements under legislation such as the Data Protection Act 2018 / GDPR.

Increased digitisation

Particularly since the start of the pandemic, companies have become more reliant on their access to digital systems in order to carry out even the most basic of services. Whilst this can have incredible business benefit, it also means that any disruption to these systems may have a much greater impact than the same incident in a more analogue world might have had.

Cyber skills shortage

With the increasing sophistication of both the types of technology that businesses are using and the attacks that they’re facing, a particular skillset is required to investigate and remediate cyber attacks, particularly in terms of IT forensics. These are skills that many companies, particularly SMEs, do not retain in-house [1], so there is a need to engage external expertise. The number of companies that are able to provide such services has not grown as rapidly as the risk has, meaning that the law of supply and demand kicks in.

Setting the right limits

The result of all of this is that even the smallest of companies could see a cyber incident cost tens or hundreds of thousands of pounds, with the cost of larger attacks having the potential to run into tens of millions of pounds. Despite this, companies may not be selecting a limit based on an actual assessment or calculation, which could leave them exposed with a limit that is not sufficient to fully indemnify them.

It seems as though the same limits are being applied as would be for Public and Employers Liability, where contractual or legal requirements dictate those limits, rather than because the cover is the right amount based on the cyber risk for the business. It’s important that businesses fully understand the potential cost of a claim and make an informed choice when setting their limit.

Cyber insurance typically doesn’t come with an average clause either, so the impact on attritional claims isn’t as marked as it is in property policies. That doesn’t mean that businesses won’t be left with a large uninsured bill though.

Understanding the risk

Adequacy of limit is one element of underinsurance when it comes to Cyber, but the biggest challenge remains uninsurance. Even the most optimistic of surveys puts the number of companies buying cyber insurance in the minority; a trend which is more pronounced for SMEs. According to the 2022 DCMS Cyber Security Breaches survey [2], 38% of businesses say that they have cyber insurance. This number, however, drops to only 5% when considering a specific, stand-alone cyber policy, which raises questions about adequacy of cover and, more importantly, about whether customers truly understand what cover they actually have. This is particularly pertinent given insurance industry efforts to remove ‘silent cyber’ cover from non-specific cyber policies or sections over the last 24 months.

We have the opportunity to work together to give customers more transparency around the benefits of cyber cover but also highlight the importance of understanding limits of indemnity so they’re not left out of pocket should they fall victim to an attack.

Visit our cyber page for some useful material and resources to support you in these conversations or head to Broker Create for dual branded options. 

More generally, for insight and helpful resources relating to underinsurance, visit our dedicated page on Aviva Broker.

Stephen Ridley 
Head of Cyber, Aviva  


[1] Cyber security skills in the UK labour market 2021, DCMS

[2] Cyber Security Breaches Survey 2022, DCMS

Both sources contain public sector information licensed under the Open Government Licence v3.0.