UK government ransom ban – what does this mean for insurance?

As the UK government considers a ban on payments, brokers may need to step up


Ransomware attacks are ramping up and hitting businesses across the UK.

“Just over four in 10 businesses (43%) and three in 10 charities (30%) reported having experienced any kind of cyber security breach or attack in the last 12 months,” according to GOV.UK’s 2025 survey.

Richard Breavington, head of cyber and tech insurance at global law firm RPC, believes that all businesses need to be on guard. “It’s a common misconception that only large companies or those with significant amounts of sensitive data are targeted,” he said. “While such organisations might be specifically targeted by some groups, any business can end up being affected by ransomware if there are vulnerabilities which allow threat actor access. On this basis, it is not just large, sophisticated data processing organisations who need cyber insurance coverage – all businesses are at risk of the growing threat of ransomware.”

Yet how insurance addresses cyberattacks may be about to take a turn, as it was recently announced that the government is proposing a ransom payment ban.

Ransom payment legislation

According to GOV.UK, ransom payment legislation could include “banning all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, from making ransomware payments, in order to make them unattractive targets for criminals. This is an expansion of the current ban on payments by government departments.”

Speaking on how this would impact organisations, Breavington said: “For affected organisations, the immediate effect could be greater financial losses resulting from ransomware incidents. If the option to pay a ransom is removed, the potential impact could be significantly greater because it is unlikely to be able to restore data unless backups are available or the data can otherwise be replaced from non-affected sources.”

This also has an impact on insurers assisting these organisations: “For insurers indemnifying these organisations, the inability to pay a ransom could increase the likelihood of more severe outcomes, as a key mitigation strategy would no longer be available,” Breavington said. “This would need to be factored into cyber insurers' plans at both the underwriting and claims stage.”

Evolving strategies to tackle ransomware

The growing threat of ransomware and changes to legislation are impacting exposure models and IT risk appetite.

Breavington said: “Recent legislation has created a need for certain corporations, in particular, to assess their exposure models. For example, the Digital Operational Resilience Act (DORA) requires boards in affected financial entities to oversee IT risk management including resilience testing and reporting. Guidance from the Financial Conduct Authority (FCA) requires firms to have effective processes for identifying, managing, monitoring, and reporting risks, including IT risks.”

More organisations could also be affected by cybersecurity regulation, he added: “... A range of new corporations – including Managed Service Providers – are due to be brought "in scope" under the Bill, meaning that they would be subject to additional obligations as to technical security levels and incident reporting. This could create an increase in corporations reassessing their exposure models, particularly in higher risk sectors which are subject to the legislative changes.”

The threat of ransomware is also having a direct impact on insurance.

According to Breavington, insurers must be aware and adapt to the prospect of systemic risk “where a single event or chain of events causes widespread loss across many insured entities simultaneously.”

“That combined impact could be the result of a number of entities being successfully attacked at the same time – possibly as a result of the same vulnerability – or as a result of supply chain impact in which one provider is affected by ransomware and this has a knock-on effect on a large number of that provider's clients,” he said.

In terms of how insurers are responding, Breavington said: “Insurers are developing various strategies to deal with this – including sophisticated modelling, asking questions upfront about supply chain so as to monitor exposure across insureds – and reinsurance. However, it remains a key concern in this area.”

How brokers can help

Breavington believes that brokers can offer support to clients by encouraging them to make use of add-ons. “The cyber insurance market is soft – with capacity often outstripping demand,” he said. “Some brokers and insurers are looking to provide add-ons that help to mitigate risks when it comes to clients vulnerable to ransomware. These add-ons can relate to the scope of cover available in the cyber insurance wording. Alternatively or additionally, they can include wider assistance, such as pre-breach training and/or wider cybersecurity functions being provided to insureds to reduce the risk of subsequent claims.”

Breavington also emphasises that brokers need to be involved in breach response and educate clients on how they can be covered in the event of an attack: “This should, in turn, help clients to respond effectively,” he said. “More generally, brokers can assist in helping clients to be fully familiar with the processes required for responding to a ransomware incident so that coverage under cyber policies is insured to the extent possible. This can include being clear as to: breach response processes – including notification; which vendors should be used to assist the client – which should ideally be agreed with insurers in advance; and what information will need to be gathered to support and evidence a claim.”

 
