Strengthening resilience first step to closing the cyber risk protection gap

Whether you are Goldman Sachs, the NHS or Partick Thistle Football Club, cyber resilience is “one of the most systemically important issues of our time” and is an area where the insurance industry can “make a real difference.”

That was according to Pool Re chief executive Tom Clementi, who hosted a panel last week (27 March 2025) entitled Closing the cyber risk protection gap organised by Marsh McLennan and Zurich.

The panel brought together Thomas Clayton, head of cyber at Zurich UK, Tom Spurgeon, underwriting manager at Liberty Mutual reinsurance, Shannan Fort, international cyber product leader at Marsh McLennan, and George Lawley, director of UK government relations at Marsh McLennan, to discuss the challenges of increasing the risk bearing capacity of cyber insurance.

In 2023, the global gross written premium (GWP) of the cyber insurance market was £11.1bn ($14bn), but according to the global federation of insurance associates (GFIA), the risk protection gap between insured losses and economic losses was a daunting £0.7tn ($0.9tn) – 99% of economic losses.

Overwhelming traditional risk management

Since the inception of the cyber insurance market, insurers have struggled to deal with the rate of innovation in cyber threat vectors.

That, combined with the market’s intrinsic connections to the erratic geopolitical climate, has made traditional risk management methodologies unsuitable to pricing cyber risk.

Clayton said: “Nation state activity is the biggest [threat] on our radar. The need to drive growth in modern economies, the need for competitive advantage in terms of technology is all leading to ever increasing motivation to [steal] intellectual property.”

Similarly, ransomware has become a major concern for every modern business, so much so that the UK has taken a global lead in preventing payments reaching terrorists or other bad actors.

In 2024 the government’s Home Office announced a proposal for a payment prevention regime, which Clementi explained would prohibit ransomware payment “for public bodies and critical national infrastructure” and introduce a requirement for “engagement with an authority” before payments.

Closing the gap

The quickest way to close the cyber risk protection gap, the panel suggested, would be increasing resilience in the cyber space, enabling insurance firms to handle more risk.

Such measures would include increased awareness and education, uptake of insurance products, subsidy investment from public-private partnerships and improving collection of structured data on cyber loss.

And implementing these steps, said Fort, could produce a snowball effect.

She explained: “One of the things we’ve seen with cyber over the past few years is a really positive feedback loop. Going through the process of trying to procure cyber insurance has required a higher level of cyber hygiene for organisations, and that is very positive for companies and the market.”

According to Lawley, the benefits of building resilience are clear.

He said: “Good risk is being rewarded. You are able to get cover now and, if you are willing to build that resilience in, you’re able to get an affordable rate of cover.”