Cyber and data
Written by Elizabeth Zang
Key developments in 2024
Last year's edition of the Annual Insurance Review included predictions that 2024 would see a trend towards an increased general level of cyber security given (i) the importance placed on security measures by regulatory bodies such as the ICO and (ii) the focus cyber underwriters had placed on assessing prospective insureds' security before offering cover.
According to Sophos' report on Cyber Insurance and Cyber Defenses 2024 (the Sophos Report) which was based on surveys completed by organisations with between 100 and 5,000 employees across fourteen countries, this trend appears to have taken place worldwide. An impressive 97% of organisations that purchased a cyber insurance policy in the last year said they had invested in improving their defences in order to optimise their insurance position. Of those organisations, 99.6% said that this investment had a positive impact on their cyber insurance position and 76% said it enabled them to obtain insurance coverage they would not otherwise have secured.
Based on our own experience, compromise of account credentials remains a common method of entry. Whilst some threat actors use more sophisticated tactics to circumvent security protocols such as multi-factor authentication, having these measures in place will increase the bar required for threat actor access and contribute to a decrease in successful attacks.
What to look out for in 2025
Despite the improved security posture of organisations, we are continuing to see an increase in the number of ransomware incidents, which have hit an all-time high over the course of 2024¹.
The NCSC has been clear that it "does not encourage, endorse or condone payment ransoms" and the ICO advised that "payment ransoms to release locked data does not reduce the risk to individuals" and that, even if organisations pay ransoms because they think it is the right thing to do, the ICO "will not take this into account as a mitigating factor". Despite this, the number of ransomware payments has increased.
Cohesity's Global Cyber Resilience Report 2024², which polled over 3,100 decision-makers across eight countries and multiple sectors, found 53% of UK-based firms that suffered a ransomware attack in the past year had paid a ransom, up from 38% in 2023.
The Sophos Report suggests that this propensity to pay correlates with insurance cover, finding that (i) 64% of organisations with a cyber policy made ransom payments whereas only 28% of organisations without a cyber policy did the same and (ii) organisations with a cyber policy were just as likely to pay the ransom to recover data as they were to use backups to achieve the same outcome.
However, it is possible that this trend will change in 2025. It may be impossible to rule out the payment of ransoms altogether. It is potentially true that if ransom payments were never made, this could end up reducing the motivation for threat actors to carry out ransomware attacks. However, there are considerable concerns with this approach. The effects of ransomware can potentially destroy a business and/or the service being provided. The potential position of business owners choosing between their business being wiped out or paying a ransom is invidious. Further, some services are particularly important to societal infrastructure. Allowing them to be destroyed might not realistically be plausible but allowing the providers of those services to be the only ones allowed to make ransom payments selects them as a more appealing target.
However, with three major UK insurance associations (the ABI, the BIBA and the IUA) joining forces with the NCSC "with the aim of toughening the sector’s approach to ransom payments", there may be a shift towards ransom payments as an absolute last resort, rather than one of the potential options for recovery. This may see fewer ransom payments being made.
1 Recent Ransomware Attacks in 2024 (Updated Nov 2024)
2 Cohesity report requires sign up but here is the article that summarises it