Cyber risk for insurers: are you prepared?

Cybersecurity breaches are growing at an alarming rate. As the guardians of so much customer data, the insurance sector is particularly vulnerable. We provide guidance on how to protect your organisation.

Imagine this: it’s a bright Monday morning, and you’re ready to tackle the week’s insurance policy changes and claims. But as you try to access the claims processing system, it doesn’t respond. You check with a colleague, and they face the same issue.

Soon an announcement confirms your worst fears — your organisation has been hit by a cyber attack over the weekend. Business applications are down, customer complaints are piling up, and there’s no clear resolution timeline.

The result? A significant reputational impact, lost business and financial losses.

This scenario isn’t just theoretical. It’s becoming a reality for many UK insurers as 2025 progresses. In April, Co-op Group, which operates insurance businesses alongside its retail operations, said hackers attempted to breach its systems. The incident forced a shutdown of its back office and call centre operations. This followed a series of high-profile attacks against UK businesses, including M&S, that have demonstrated the increasing sophistication of threat actors.

How is the threat changing?

According to the Cyber Security Breaches Survey 2025 by the Department for Science, Innovation & Technology, cyber security breaches and attacks remain a major threat, with 43% of businesses reporting some form of cyber security breach in the last 12 months. This percentage jumps dramatically to 70% for medium-sized businesses and to 74% for large businesses.

Even more concerning is the rise in ransomware attacks. The survey revealed they have doubled from less than 0.5% of businesses in 2024 to 1% in 2025. This means around 19,000 affected organisations. For insurers, who hold vast amounts of sensitive customer data, the stakes are particularly high.

IT decision-makers from the insurance sector have identified ransomware as their top cyber security risk, according to research by Node4, an IT services provider. This threat is amplified by emerging technologies. According to the 2024 annual review of the National Cyber Security Centre (NCSC), artificial intelligence enables threat actors to increase both the volume and impact of cyber attacks.

Why is cyber incident exercising so important?

Cyber incident exercising involves simulating real-world cyber breaches to test and improve an organisation’s response plans. These exercises help organisations detect, manage, and mitigate cyber attacks effectively. No matter how well-designed the plans might be, it’s not possible to achieve the necessary operational resilience without ‘organisational readiness’.

And that means testing your response capability. Have you played out the attack scenarios? Does your team know exactly what to do when (not if) an attack happens? Do you feel confident in your preparedness?

There’s a growing appetite for proactive breach preparation across the industry. This ranges from technical security measures to developing breach response plans and organising tabletop exercises to rehearse breach scenarios (see below). This shift reflects a growing understanding that cyber resilience goes beyond prevention to include response capabilities.

Tabletop versus liveplay: how the exercises work

The Council of Registered Ethical Security Testers (CREST) outlines two distinct approaches for cyber incident exercising, each with its benefits and limitations:

  • Tabletop exercises: In these discussion-based sessions, team members review their roles and responsibilities during a cyber incident. An independent assessor records responses, identifies deviations and gaps, and documents lessons learned for necessary improvements. Tabletop exercises are less resource-intensive and can be conducted many times a year.
  • Liveplay exercises: These real-time simulations require team members to respond to controlled scenarios as they would in an actual incident. An independent assessor records the capabilities of various teams, including the security operations centre (SOC), for timely detection and response. Liveplay exercises are more detailed and time-consuming, involving extensive stakeholder engagement, but their outcomes are highly effective.

Building resilience beyond technical controls

While technological defences are essential, true resilience comes from a comprehensive approach. The Government’s Cyber Security Breaches Survey found that while 77% of businesses have updated malware protection and 73% have implemented password policies, supply chain vulnerabilities remain a worrying blind spot. Only 14% of businesses formally reviewed risks posed by their immediate suppliers, with even fewer examining the wider supply chain.

Are you truly prepared?

The question for insurance executives isn’t whether you have invested in cyber security. It’s whether you’ve tested your organisation’s ability to respond. Some things to consider:

  1. Have you conducted realistic cyber attack simulations? Not just theoretical discussions, but exercises that test your actual capabilities.
  2. Does your entire team know their roles? From IT to customer service, claims processing to legal, everyone must understand their responsibilities during an incident.
  3. Have you tested your communication plans? Both internal communication and external messaging to customers, regulators, and the media are critical during a cyber crisis.
  4. Have you established response relationships? Having pre-arranged agreements with forensic specialists, legal counsel, and PR firms can save precious time during an incident.
  5. Have you practised your recovery procedures? Restoring systems and data should be a well-rehearsed process, not an improvised effort.
  6. Are you regularly assessing your supply chain risk? Automated tools such as Vendifi can provide ongoing monitoring of your cyber posture to help prevent an incident and enable timely response procedures if one occurs.

What should you do next?

While tabletop exercises offer a quick health check, liveplay exercises provide a comprehensive assessment of an organisation’s readiness. Regardless of the approach, adopting industry best practices and frameworks from bodies such as CREST, NCSC, MITRE or NIST, combined with regular testing, is crucial to stay ahead of emerging threats.

As we witness the ongoing wave of attacks hitting UK businesses, including insurers, the message is clear: technical protections alone are not enough. True resilience comes from preparation, practice, and the ability to respond effectively when an attack inevitably occurs.

CREST is collaborating with the NCSC to help customers find top-quality providers of cyber incident exercising (CIE) services. At PKF Littlejohn we are an assured CIE services provider. For more information contact Phil Broadbery or Syed Osama Ali.