Cyber is in the headlines again, with M&S and other retailers suffering attacks and the cause of the power outage in the Iberian peninsula not yet clear. What is clear, however, is that cyber attacks continue to increase among medium and large businesses and charities, as noted in the UK Government’s Cyber Security Breaches Survey (see our previous blog).
In a similar vein, Dr Richard Horne, CEO of the National Cyber Security Centre (NCSC), stated in his speech at CyberUK that NCSC managed twice as many nationally significant cyber incidents from September 2024 to May 2025 as it did in the same period in the previous year.
The level of activity is also reflected in Marsh’s recently published 2024 UK cyber insurance claims trends report. This found that 2024 saw the second highest number of cyber claims (2023 having been the highest), driven by ransomware, AI-enabled intrusions and also widespread non-malicious events, with Marsh expecting cyber claims to increase year on year going forward.
Majority of data incidents are not cyber, but losses from cyber are larger
However, whilst it is cyber attacks that are in the headlines, the UK Information Commissioner’s Office (ICO) reported that c75% of data breaches notified in Q1 2025 were the result of non-cyber incidents, with the proportion of non-cyber incidents having increased by 7% compared to Q1 2024. Of these, personal data emailed to the wrong recipient was the most common incident type reported, amounting to c18% of notified incidents in Q1 2025.
This contrasts with Marsh’s findings that extortion, including ransomware, was the leading cause of insurance claims in 2024 (at c28%), with accidental data breaches being the cause of c17% of claims. This apparent disparity with the ICO data can most likely be explained by the fact that many non-cyber related data incidents will need notification to the ICO, but would not cause significant losses so as to lead to an insurance claim.
So, whilst cyber is often the cause of the incidents which have the most impact on the operations of a business and therefore the biggest insurance claims, human error is the main cause of data incidents more generally.
Cyber insurance for non-cyber incidents
It is therefore important that insurance covers not just cyber incidents, but data breaches more widely. Despite its name, cyber insurance can cover this too, as well as IT outages more generally. However, it is not just specific cyber insurance that may be relevant. Whilst insurers have been active in specifically excluding cyber from general or business interruption policies – so called “silent cyber” – some non-cyber specific policies may still provide coverage for losses caused by data incidents.
Importance of understanding your insurance coverage and obligations
Understanding which policies provide coverage for which types of incident, and what steps must be taken to make a claim on them, is therefore an important workstream in an organisation’s preparedness activities for both cyber and non-cyber incidents. The facts in the case of Watford Community House Trust (the Trust) v Arthur J Gallagher Insurance Brokers Limited demonstrate the importance of this.
In this case, an employee at the Trust inadvertently sent an email disclosing personal data relating to c3,500 tenants and employees to c3,000 recipients, leading to over 1,000 complaints. The Trust had three relevant insurance policies which had been arranged by their broker: a cyber policy, a combined policy and a professional indemnity policy. The broker notified the cyber policy insurers of the breach shortly after its occurrence, but did not notify the insurers under the other policies until after the end of the policy periods. This led the other insurers to decline cover.
Whilst the case was about whether the broker had been negligent in its advice on what notifications were required and the impact on coverage as a result, what is clear from the facts is that the extent of coverage under each policy and the related requirement to notify was only considered in real time following the incident. If this had been considered as part of incident preparedness, advice could have been taken up front as to what each policy covered, how the policy terms of each interacted with the other policies and which insurers needed to be notified. As was evident in this case, this is not necessarily straightforward and so not something that should be left to be considered for the first time as part of incident response, particularly given how many other challenges the business will face then.
Learnings for organisations
Whilst the court found in favour of the Trust, it is far better to avoid the need for litigation. The lessons for others are therefore to:
- ensure that your preparedness activities include an insurance workstream;
- consider the breadth of cover you want under your cyber policy – do you want to extend this to cover IT outages and non-cyber data incidents too?
- review all potentially relevant policies to assess potential coverage and to analyse how the policies may interact with each other in different circumstances (positively or negatively); and
- maintain a matrix of which insurers need to be notified in which circumstances so that this can be to hand for when (not if) an incident occurs.