Cyber Insurance Shortfall: When Policies Fail to Pay

The UK’s Cyber Insurance Craze: A Cautionary Tale

In a world where ransomware phishers are on the rise, Mactavish—the country’s top authority on insurance governance—has spotted a swell of businesses leaping onto the cyber policy bandwagon. But behind those glossy brochures lies a market still learning its steps.

Why the buzz is missing a few keys

Mactavish, a firm that’s guided a quarter of FTSE 100 companies through their coverage needs, just launched a Cyber Risk Consulting arm. They’ve sussed out dozens of off‑the‑shelf cyber policies and boiled them down to seven common snags:

  1. Coverage limited to “attacks” or “unauthorised activity.” Accidental mistakes and slips? Not covered.
  2. Data‑breach costs capped. Only the bare legal minimum counts, leaving the real bill (think PR, legal fees, lost sales) hanging in the balance.
  3. System downtime covered only during the active outage. Once the lights are back on, the ripple effects on revenue are often excluded.
  4. Outsourced service providers get a thin blanket. Many firms rely on third‑party platforms; the extra risk is frequently under‑insured or outright excluded.
  5. Developer software and rolling upgrades are a grey zone. Some policies carve them out—so a “newness” glitch could cost you.
  6. Contractor mishaps might not hit the policy. If the client is legally responsible, insurers might shrug that incident away.
  7. Notification rules that bury you in paperwork. The requirement to ping the insurer can be a cumbersome maze, eating precious hours before a claim can be filed.

“New cyber policies are rolling out faster than a coffee‑shop line of students. Yet the market is still untested—most claims will likely be contested or settled far below what businesses expect.” – Bruce Hepburn, CEO of Mactavish

Put a real shield around your cyber strategy

To avoid a claim that comes up empty, companies first need to map their cyber exposure meticulously. Once that blueprint is in place, they can pursue a custom policy that truly fits their risk appetite, rather than a generic cover that falls apart when the breach happens.