The number of successful cyber insurance claims made by UK organizations shot up last year, according to the latest figures from the industry’s trade association.

The Association of British Insurers (ABI) said £197 million ($259 million) in cyber insurance payouts were made to victimized organizations in 2024, up from £59 million ($77 million) in 2023.

Cyber insurance companies are a controversial part of the security market. Some argue the minimum standards they enforce on policyholders drive up security standards, while others have accused them of encouraging criminals to extort by making payments to ransomware crews.

ABI data showed that ransomware and malware infections contributed to 51 percent of the claims made by UK organizations in 2024. This percentage increased markedly year-over-year, with ransomware and malware making up 32 percent of all claims in 2023.

The ABI said the surge in attacks leading to policy payouts illustrates the growing sophistication of cyberattacks and the damage they are doing to businesses.

“Cyber insurance is more than just a financial safety net,” said Jonathan Fong, head of general insurance policy at the ABI. “The right policy not only supports businesses in the aftermath of an incident but can also help prevent attacks through access to expert advice, threat monitoring, and incident response planning. 

“With cyber threats continuing to grow in scale and sophistication, it needs to be a critical component of every organisation’s modern risk management strategy.”

The ABI’s most recent data pertains to the period before the wave of digital heists on major British businesses began this year.

These included retailer Marks & Spencer, which last week reconfirmed to investors that it made a maximum £100 million ($131 million) claim on its cyber insurance policy, suggesting that 2025’s data could lead to further increases in total payouts.

Officials at fellow besieged retailer Co-op confirmed in September that the company did not have comprehensive cyber insurance in place at the time of its April attack, and that it would not make a claim on the limited-scope policy.

CFO Rachel Izzard told Reuters: “We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties, but we don’t believe we will be claiming on insurance for back-end losses.”

Jaguar Land Rover reportedly did not have a cyber insurance policy in place at the time of its hugely costly cyberattack this year. When The Reg asked the org about this, a JLR spokesperson told us: “We do not comment on commercial matters such as these.” Ultimately, the UK government had to step in with a landmark support package to help the automaker, and the smaller businesses across its supply chain, financially recover.

Even if JLR did have a cyber insurance policy in place at the time – however comprehensive it might have been – it is unclear whether the massive costs associated with its downtime would have been materially eased by an insurance payout.

The circa £2 billion ($2.6 billion) costs of its attack could be compared to those of Change Healthcare in the US, which was hit by an ALPHV ransomware attack in 2024 that also led to costs exceeding $2 billion.

Industry figures have debated the role and efficacy of cyber insurance for years. 

At the UK National Cyber Security Centre’s (NCSC) annual conference earlier this year, the matter of cyber insurance was one of the few topics all the top expert panellists agreed on, offering sup
