UK cyber insurance claims tripled in 2024 – an increase attributable to a perfect storm of overlapping causes. Some of these relate to rising geopolitical tensions and threats, as MI5 Director General Sir Ken McCallum noted in his recent threat update. But others concern our own vulnerabilities. “We can’t rely solely on investigating and disrupting,” McCallum said, exhorting the public and private sectors to shore up their defences against an onslaught of cybercrime. “Together we have to ensure the UK is a hard target.”

Many UK organisations, the MI5 chief continued, still lack the “simple and effective controls” required to protect our economy and society. Meanwhile, the threats continue to grow. We are witnessing the industrialisation of ransomware, sold as a service to affiliates, and the use of AI to make phishing and social engineering attacks more convincing and harder to spot. Technologies including AI are also making it easier and quicker for threat actors both to find ‘zero-day vulnerabilities’ – flaws for which the vendor has not yet issued a fix, so defenders have had no opportunity to patch – and to exploit them. As McCallum warned, we face “risks from non-human, autonomous AI systems which may evade human oversight and control.”

Cyber insurance claims are an indicator of a deeper problem

Another weak spot lies in the complex supply chains operated by many organisations today. We’ve seen numerous examples of vulnerabilities lying in the operations of companies commissioned by sub-sub-contractors of our own clients, or even further down the chain. Without effective oversight and management, these can lead to easy backdoor access for threat actors.

The push by procurement and finance teams over recent years for low-cost back office services has created further risks. Quite understandably, UK business buyers focus on business outcomes rather than on the details of the technologies deployed to realise them, but over the years this has led to enterprise-wide procurements driven chiefly by cost savings. The result is a culture in which compliance with basic cybersecurity principles has become a mere box-ticking exercise, and, in large part, a rise in the use of offshore functions where data visibility, authentication and authorisation cannot be easily verified.

While cloud-first architectures have offered business advantages in cost, speed and information sharing, they have also altered risk management profiles. Data sovereignty – keeping sensitive data and functions on-shore, within systems whose security can be independently assured – is a fast-growing security and resilience issue, particularly given how much harder it is for the UK government to protect and support a UK organisation when the breach has occurred in systems hosted overseas.

So the landscape is one of both growing threats and spreading vulnerabilities. For both insurers and the insured, ramping up insurance premiums cannot be the right response: we need to plug the holes, not pour in more water. The solutions lie in part in improved UK regulations, and in part in better support from the insurers for insured organisations – helping them to strengthen their cybersecurity maturity in line with UK guidance.

Meanwhile, the insurance market must learn to juggle the changing risk profiles more dynamically: to develop a better understanding of their clients’ operational and resilience risks, as well as the quality and location of their supply chain services and solutions, to better price those risks. If we do not act, today’s £197m in annual payouts will prove to be only a down payment on a much more volatile and expensive period of cyber risks.

Warren O’Driscoll is the head of security practice, services and solutions at NTT Data UK&I.
