
Initiating the insurance backstop: Financial resilience as a national strategic cyber objective


By Hans Allnutt


Published 07 October 2025

Overview

During 2025, cyber attacks on UK food supply, retailers and manufacturers have highlighted the fragility of the UK to the disruption and economic impact that cyber risk poses at the national level.

Attacks on single organisations spread their tentacles into the supply chain, upstream and downstream, causing second-order economic harm in the form of insolvencies and job losses. Following one such cyber incident, it was announced that the government would be underwriting a substantial loan in excess of £1 billion to assist suppliers affected. This was not because those suppliers were attacked, but because the downstream cashflow implications of the originating cyber attack could result in job losses, insolvency and even permanent loss of manufacturing capability.

Other cyber attacks in 2025 on British companies have been cited as costing those organisations £300m and £206m. Even prior to 2025, there are a number of cyber attacks which have gone on to contribute to an organisation's demise. This is a fear highlighted by the ICAEW last month, noting "Cyber attacks cause disruption and bankruptcy fears".

National cyber security strategy has rightly had a technical focus. The Government Cyber Security Strategy: 2022 to 2030 recorded objectives of managing cyber security risk, protecting against cyber attack, detecting cyber security events, minimising impact and developing skills, knowledge and culture. Notable by its absence, in light of recent cyber attacks, is financial resilience.

Without sufficient financial resilience amongst organisations impacted directly and indirectly by cyber attacks, financial burden falls to UK plc.


Financial resilience in cyber: the role of insurance

Insurance is, by its very nature, an effective route to providing financial resilience for uncertain events. This article does not get into the detail of the scope of cyber insurance, such as whether insurance coverage could be universally obtained for third party companies impacted by cyber attacks on victim organisations. However, the cyber insurance market has shown a repeated readiness to innovate and develop coverage so the extent of cover should not function as a barrier in the event of government supported policy to extend cover.

One limiting factor often cited in relation to cyber insurance is capacity, particularly given recent figures of financial losses running into the hundreds of millions, if not billions. The cyber insurance market may not, in its current form, be able to provide the levels of resilience needed.

However, a government-backed backstop or pooling system based on mandatory insurance could provide the necessary market intervention to trigger this change. This proposal has been discussed for several years and must surely now require further consideration. Indeed, the Joint Committee on the National Security Strategy report on ransomware from 2023 highlighted that a number of market participants had argued for a greater level of government involvement in the cyber insurance market. One leading participant proposed that a government-backed reinsurance scheme (which we will refer to as 'Cyber Re') should be targeted "to the aspects of cyber risk that private markets consider to be uninsurable."[1]

In the UK, the most well-known government-backed reinsurance schemes are Pool Re, offering terrorism reinsurance, and Flood Re, offering flooding reinsurance. The schemes work on slightly different bases but have the same aim and outcome. In short, where a risk is considered too large or too uncertain for insurance companies to insure against, the Government may choose to provide a guarantee to those companies through the form of a reinsurance scheme.

In addition, limited schemes such as the Live Events Reinsurance Scheme and the broader Trade Credit Reinsurance Scheme were started in response to the COVID-19 pandemic.

The current intersection between cyber risk and the reinsurance schemes is limited. The Office for Budget Responsibility notes that the Pool Re scheme provides cover for insurers for 'remote digital interference'. However, this coverage is narrow, responding specifically to terrorism events triggered by a cyber event which have caused physical damage. As a limited response, the coverage does not extend to other losses caused by a cyber attack, such as lost revenue and damage to other intangible assets.

The Joint Committee on the National Security Strategy has previously proposed that "the Government should work with the insurance sector to establish a re-insurance scheme for major cyber attacks, akin to Flood Re…"[2] In response, the previous government stated that an intervention into insurance markets would not be considered due to the impact on competition. Any intervention would have been limited to strengthening the commercial cyber insurance market through work such as the release of anonymised cyber breach data.

The Chief Executive Officer of Pool Re wrote to the chair of the committee inviting a discussion on how Pool Re "may be able to support the development of a reinsurance pool to build resilience against cyber threats to the UK economy."

The letter emphasised that a public-private partnership would negate the need for additional government spending and could "be deployed to other 'difficult to insure' risk for which the government is often the insurer of first resort." That is a point which must surely not have been lost on the UK Government when it came to underwrite the recent £1bn loan following a major cyber attack on UK manufacturing.

It was reported in late 2024 that Pool Re would be presenting proposals for a systemic cyber insurance pool to the government. Since that report, there have been no further publications or formal proposals issued publicly.

Reinsurance companies share support for a cyber reinsurance scheme. In early 2025, Lockton Reinsurance raised the possibility of a cyber reinsurance scheme, discussing various proposals and concluding that "The merits of a cyber risk pool are clear: its time has come."

It is unclear whether the current government holds firm views on these proposals. Focus has been firmly directed to proposals to change the UK's approach to dealing with ransomware, as highlighted in their recent reply to public feedback, which we commented on here.


How might Cyber Re take shape?

Publicly available information indicates that any initial proposals may take shape from preparatory work completed by Pool Re with the support of parties within the UK cyber insurance market.

As part of that work, Pool Re established a series of initiatives and recommendations to strengthen demand for, and supply of, cyber insurance. One of these initiatives was the creation of a cyber catastrophe reinsurance scheme with a government backstop. This would build on the aforementioned interventions such as Pool Re and Flood Re and would require clarification on what precisely would be covered. In light of the indirect impact on third-party organisations affected by cyber attacks on an associated victim company, coverage may need to extend to an element of contingent cover. Coverage will no doubt be hotly debated, but it should not be difficult to at least establish a base level of cover which could evolve in later periodic strategic reviews.

The scope of cover would be assisted by the creation, by an independent body, of a shared cyber event declaration and classification mechanism. Such a classification would presumably operate on a similar basis to the classifications published by the ABI and Lloyd's Working Group and the Cyber Monitoring Centre in the last year.

Published in November 2024, the ABI and Lloyd's guidance proposed a holistic perspective for defining the components of a major cyber event. This would involve a consideration of the following elements – who (attribution), what (cause of loss), where (footprint and digital ecosystem impacts), when (start and duration), how (spreading mechanism), why (motive) and impact (monetary loss).

These initiatives are already gathering pace. In February 2025, the Cyber Monitoring Centre announced it would be categorising cyber events impacting UK organisations on a scale of one (least severe) to five (most severe). The classification takes into account the financial impact of an event, and the percentage of organisations impacted or affected population.

Once the scope of cover within the pool has been determined, it may then provide the mechanism through which to offer a minimum level of base cyber cover on a mandated or subsidised basis (see Flood Re). We do not underestimate the level of detail required and the challenges associated with such a proposition. However, doing nothing against the growing cyber threat that is undermining our national financial security should not be an option.

[1] Paragraph 71, A hostage to fortune: ransomware and UK national security

[2] Paragraph 72, A hostage to fortune: ransomware and UK national security
