ARTICLE
1 October 2025

Insure Or Secure: Should All Businesses Have Cyber Insurance?

Ropes & Gray LLP


Ropes & Gray is a preeminent global law firm with approximately 1,400 lawyers and legal professionals serving clients in major centers of business, finance, technology and government. The firm has offices in New York, Washington, D.C., Boston, Chicago, San Francisco, Silicon Valley, London, Hong Kong, Shanghai, Tokyo and Seoul.

Much like the rationale for spending time and money on preparing for data breaches that you hope will never happen, businesses that purchase cyber insurance take the view that it is better to have it but not need it, than to need it but not have it.

Last week it came to light that the victims of two of the UK's most high-profile recent data breaches — the Co-operative Group and Jaguar Land Rover — did not have cyber insurance in place. As a result, the companies will bear the cost of their losses, which have been reported at £206 million in lost revenues and £50 million per week in lost production, respectively. In Jaguar's case, the UK Government will underwrite a £1.5 billion loan to allow the carmaker to support its suppliers that have been affected following a shutdown in production as a result of the cyber attack.

By contrast, Marks and Spencer, which also experienced a significant cyber incident earlier this summer, reportedly had in place cyber insurance coverage of £100 million — albeit the policy will not cover in full the estimated £300 million of damages incurred by the retailer.

The Co-op and Jaguar are not alone. The Government's latest Cyber Security Breaches Survey, published in June 2025, found that fewer than half (45%) of businesses in the UK maintained cyber insurance, and that small- and medium-sized businesses (62% and 65%, respectively) were more likely than large businesses to have such insurance in place. Given that 43% of British businesses reported experiencing a cyber security incident in the same survey period, at least some of those organisations will have been unable to rely on insurance to cover the costs of these incidents.

If Not, Why Not?

If the decision not to maintain cyber insurance can be so costly, why do all businesses not have coverage in place? There is no one-size-fits-all answer to this question, but there are four common factors that organisations cite to support a decision not to purchase insurance.

  • Cost of Coverage. Comprehensive coverage is not cheap and insurance premiums can be high. To compound matters, premiums have risen as a result of the increasing number of large-scale breaches at organisations that have relied on insurance to cover the costs of an incident.
  • Limitations of Coverage. Cyber policies are drafted in such a way as to reduce the likelihood of payouts, with exclusions, sub-limits and potentially ambiguous terms all contributing to uncertainty around a business's ability to claim under the policy. Most commonly, this can involve: (1) exclusions for state-sponsored attacks and service provider breaches; (2) caps on coverage for ransom payments and the costs of recovery of data and legal fees; and (3) carve-outs for the failure to have in place or maintain security controls (e.g., known vulnerabilities that weren't patched).
  • Robust Security Measures. Understandably, businesses that have invested significant time and resources to implement and maintain a strong security programme may take the view that they can identify and respond to incidents in such a way as to reduce the likelihood that they will need to rely on insurance. The counterpoint to this view is that insurance can complement an organisation's technical security measures, which are not foolproof: many breaches are the result of human failure (phishing, social engineering, and so on), which no technical measure can entirely prevent.
  • Perceived Lack of Risk. The incidents that make the headlines naturally tend to involve high-profile organisations and/or significant breaches of security and/or sensitive or high-risk data, such that businesses which do not fall into those categories may think that they are not a target for bad actors. On the contrary, cyber criminals are indiscriminate in their approach, and typically use automated tools that are agnostic as to type of organisation and sensitivity of data. If anything, some criminals prefer attacking lower-profile businesses, which are likely to have less robust security measures and are more likely to accede to ransom demands.

A Calculated Risk?

Of the targets that we have diligenced for our private capital clients in the past two years, approximately half had cyber insurance in place at the time of acquisition, while others took it out post-completion. Understanding whether an organisation's third-party suppliers have their own cyber insurance coverage, particularly those operating in critical and data-heavy industries, is also vital, and should form part of the vendor diligence process.

Clearly, an organisation's security strategy should not be driven by a handful of front-page incidents — even if there will be many more data breaches, both small and large, suffered by businesses that do not have cyber insurance in place. However, the fact that almost every organisation is susceptible to a data breach, and indeed may also be the target of cyber criminals, means that it would be prudent to consider — or reconsider — whether cyber insurance is appropriate for your business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
