The 2025 ‘Annual Insurance Review’, recently published by RPC, offered stark insights into the key issues shaping the cyber insurance industry today – and why the sector is entering a ‘pivotal year’ as ransomware and multifaceted extortion threats evolve.
Providing a deeper dive into the findings of the report, Richard Breavington, partner and head of cyber & tech insurance at RPC, highlighted some of the factors behind why 2025 is likely to be a game changer for the market. First and foremost, he said, is the matter of increased regulation across the sector.
“There are various recent and upcoming pieces of legislation across the EU and UK which will influence the cyber industry,” he said. “In the EU, DORA came into force on January 17, 2025 affecting financial entities and their ICT providers. We also expect more EU Member States to transpose the NIS2 Directive, which contains minimum security standards on a broader range of sectors, as well as stringent notification obligations.
“In the UK, we anticipate that the Cyber Security and Resilience Bill (which will resemble NIS2) will be put through parliament during the course of the year. The Data (Use and Access) Bill is also expected to be in force by spring.”
Ransomware groups are another key trend, he said, particularly as the ransomware business model is evolving. “Groups like 'Ransomhub' and 'FOG' work on a 'self-service model' where 'affiliates' with a high level of autonomy broker access to victims' systems and receive high commission rates,” Breavington said.
This effectively means less skilled actors have motivation to hack into systems, increasing the overall number of potential attackers. RPC anticipates this will increase the volume of incidents and result in more 'amateurish' incidents in which it sees issues such as incorrectly installed ransomware and accidental deletion – meaning that when a ransom is paid, encryption keys will not enable data to be re-constituted.
Artificial intelligence (AI) is another crucial factor impacting the cyber insurance landscape in 2025, according to Breavington, who cited the NCSC's 2024 Annual Review, which pinpointed how threat actors and criminals are using AI to increase the volume and heighten the impact of cyber-attacks. “This means we can expect a higher level of incidents which, as threat actors, will work more efficiently and target more businesses,” he said.
The cyber threat landscape of today is a different world, not least due to the impact of new technologies, including AI and generative AI. The increased use of software as a service is lowering the barrier to entry for amateur bad actors and in turn allowing widespread and voluminous attacks on countless businesses.
“These attacks are generally not particularly sophisticated – they are leveraging issues such as unpatched known vulnerabilities, unprotected ports and/or login vulnerabilities,” he said. “The increasing use of AI is also adding to the proliferation of relatively unsophisticated cyberattacks.
“While legislation across the EU and UK aims to promote better cyber-security standards and promote better pre-breach readiness, due to the volume of attacks and persistence of threat actors, businesses will still get caught because vulnerabilities will always exist - at least at some times in some systems.”
It’s important to note that AI can also be used to defend against threats. For example, he said, the ICAEW has suggested that companies should explore AI-supported threat detection, which can reduce the likelihood of incidents and minimise cyber-related loss. Nevertheless, at present, the functionality of AI appears to weigh in favour of threat actors.
Exploring what these factors mean for insurers and the insurance industry, Breavington outlined how they increase businesses' exposure to regulatory scrutiny and a higher volume of incidents. “This means insurers must consider how they underwrite their policies, the level of cover that is available and relevant exclusions which may have to be applied,” he said. “In a soft market, this creates a challenge which it might not be possible to sustain.”
Looking to the future of the market, he noted that each year sees an increased level of cyber-awareness and more businesses realise that cyber-security is a boardroom issue. For example, he said, Chubb recently reported that 89% of executives plan to expand cyber insurance for technological vulnerabilities. “We have also seen an increase in appetite for proactive breach preparation. This can range from technical security through to drawing up breach response plans and organising tabletop exercises walking through a breach scenario.”
The UK's cybersecurity sector is also growing, he said, meaning more businesses are available to assist. The NCSC's Annual Review estimates around 61,000 people are employed in the UK cyber-ecosystem. Last May, the government indicated that there were 2,091 firms in the UK which provide cyber security products and services. The number of cyber roles also increased by 5% between 2023 and 2024.
“The combination of a growing cyber sector and increased levels of awareness is positive for insurers,” he said. “Businesses are more prepared and experienced stakeholders are readily available to assist – this should in turn mitigate the risk being taken on by cyber insurers.”