
Cyber insurance pay-outs triple

by Mark Rowe

Some £197m was paid out by insurance companies for recovery from cyber incidents in 2024, according to the UK trade association the ABI (Association of British Insurers). 

Data from firms taking part in the ABI’s cyber data collection showed a 230 per cent year-on-year increase in the amount paid out for cyber-attacks, £138m more than in 2023. Malware and ransomware accounted for about half (51pc) of claims. The ABI notes that with cyber threats escalating, demand for protection rose in 2024. Some 17pc more policies were taken out in 2024 than the previous year. 

Jonathan Fong, Head of General Insurance Policy at the ABI, said: “Cyber insurance is more than just a financial safety net. The right policy not only supports businesses in the aftermath of an incident but can also help prevent attacks through access to expert advice, threat monitoring, and incident response planning. With cyber threats continuing to grow in scale and sophistication, it needs to be a critical component of every organisation’s modern risk management strategy.”

The ABI pointed out that its figures were from member firms and a sample of the overall UK cyber insurance market.

 

Comment

Dr Ilia Kolochenko, CEO at ImmuniWeb, and a Fellow at the British Computer Society (BCS), said: “While the numbers are self-explanatory, there is a very interesting and hidden detail here. Many recent reports on ransomware – published by both public and private sector entities – boldly state that companies around the globe pay less and less ransom. In my experience, this is very far from being the truth.

“The ransomware industry becomes highly mature; for instance, some groups offer a form of legal advice to their victims on how to avoid mandatory requirements to disclose payment of ransom or how to bypass a legal restriction on ransom payment by using hidden channels and proxy companies that artfully conceal such payments by disguising them as consulting fees or even money paid to ransomware negotiators.

“Illicit payments relentlessly and progressively flow into the deep pockets of organized cybercrime, while victims are getting more and more reluctant to report incidents for various reasons. First, the fear of negative publicity and regulatory fines often outweighs a legal duty to report. Second, when there is a “sound” way to pay the ransom while concealing this fact, without taking much risk, this creates a strong psychological temptation for both cybersecurity professionals and C-level executives to ignore the law. Third, in many cases, paying a ransom is the only feasible way to continue business operations and avoid bankruptcy.

“Lastly, most organizations have lost their trust in law enforcement agencies (LEAs) when dealing with cyber-attack investigations and prosecution of wrongdoers, despite the steadily growing number of successful joint operations of LEAs that manage to seize and return paid ransom. In sum, 2026 will probably hit another grim record of ransomware attacks and silent payments to cyber racketeers.”