Cyber Insurance: Why resilience is the only policy that always pays out

18/11/2025

Paul Kennedy, Cyber Security Technology Chief

Just under half — 45 per cent — of UK businesses reported being insured against cyber security risks, according to a government survey this year (Cyber Security Breaches Survey 2024, Gov.uk). Yet while cover is expanding, doubts about what it actually delivers are growing. Many companies remain sceptical of business interruption policies after years of legal wrangling over pandemic-related claims.

As the Financial Times reported recently in its feature “Cyber insurance rate hikes slow – but exclusions expand”, exclusions are a growing concern. Cyber incidents “stemming from war attacks” are typically excluded — a difficult clause to apply in a world where attribution is rarely clear-cut. Aaron Le Marquer, head of insurance policyholder disputes at Stewarts, told a Lloyd’s of London audience there were no fewer than 48 versions of the cyber “war exclusion” currently in circulation. Some even carve out losses “indirectly” arising from war, vastly broadening the scope of denial. Physical damage caused by cyber incidents is also often excluded, as are AI-related losses, which insurers increasingly see as untested territory.

As The Economist observed in its feature “Businesses are grappling with a wave of cybercrime” (October 2025), barriers to cybercrime are falling fast, while global cyber-insurance premiums — about $15 billion in 2024, according to reinsurer Munich Re — are expected to double by 2030.

Between 60 and 70 per cent of FTSE 100 companies now have some form of attack coverage, according to insurance brokerage Marsh’s Q1 2023 Global Insurance Market Index, while globally about 80 per cent of large enterprises are insured. Some UK Government contracts now require cyber insurance to be included. Even so, confidence remains thin. With no universal policy language and widely differing exclusions, businesses can struggle to know what protection they have until the worst happens.

The cost of policies varies widely. Premiums for large organisations can range from hundreds of thousands to millions of pounds, with coverage extending several times that. After a sharp rise in 2021–22, prices have since fallen for eight consecutive quarters, according to Marsh, as competition has increased. Better risk controls can bring premiums down, much as motor insurers reward safer drivers with lower premiums.

Another Economist article made the point that insurance does at least incentivise firms to take security more seriously — careless organisations pay higher premiums. But the same logic underscores a deeper truth: the best way to earn those lower premiums is to invest early in governance, assurance, exercising and recovery planning — not to rely on indemnity after the fact. Is your cyber security team credible enough to engage with your insurer to negotiate those lower premiums?

As the newspaper notes, many insurers now bundle incident-response teams or discounted security software into their cover, and these options can improve organisational resilience: the ability to absorb disruption and restore operations quickly. Having an incident response team on call can be expensive, so rolling it into your insurance premium is a good move. How can your security team use your insurer to bolster defences as well as prepare for potential losses?

The real lesson from both publications is clear. Cyber insurance is not a cure-all and does not absolve you of responsibility: it may be a financial backstop, but it cannot deliver operational continuity. In practice, recovery speed is the only true measure of resilience. That means testing incident-response plans, validating supply-chain dependencies, and ensuring leadership teams can act decisively under pressure.

Five practical steps to prove resilience, not just insure it

Most insurers now recognise that prevention alone isn’t enough; recovery capability determines insurability.

Every organisation should be able to demonstrate that it can:

  1. Test its defences under pressure – run realistic cyber-exercising and incident-response simulations.
  2. Assess and benchmark its maturity – understand how people, processes and technology compare with industry standards.
  3. Remediate known weaknesses – close the gaps identified in testing, audits or assurance reviews.
  4. Map critical dependencies – know which suppliers, systems and data flows matter most and how they interconnect.
  5. Embed security culture and leadership readiness – ensure decision-makers can act decisively and communicate clearly during disruption.

Each of these measures strengthens both operational recovery and an organisation’s ability to negotiate better insurance terms — proof that resilience has been built, not merely promised.

Insurance will always have a vital role. But what organisations need most is evidence — to themselves, their boards and their regulators and insurers — that they can recover swiftly, sustain confidence and keep delivering their mission when others cannot. That is resilience.

Preparedness is the only policy that pays every time.

To find out how QinetiQ can help you to become resilient, view our Cyber & Digital Resilience website here.
