
By Rebecca Delaney
March 4 - (The Insurer) - The global cyber insurance market is projected to reach $20 billion in gross written premium by the end of the year, Marsh’s UK cyber leader Kelly Butler told a UK parliamentary committee on Monday as part of an ongoing consultation on proposals to reduce ransomware risk.
The consultation will examine a proposed ransom payment ban for public sector organisations and regulated private sector critical national infrastructure, and whether this would be effective in deterring cybercriminals from targeting these types of organisations.
Butler and other speakers expressed concern that such a ban may “place a target” on the back of critical infrastructure in general, especially SME organisations that do not yet have sufficient cyber resources and resilience.
“We would mostly agree that paying ransom is not a desirable outcome, but the question is whether a hardline ban will help reduce ransomware, and we have our doubts,” said Butler.
A previous joint committee report in 2023 warned of the vulnerability of UK critical infrastructure to ransomware. The report also described UK regulations as outdated, with most victims receiving insufficient support after an incident.
Butler cited improved awareness as a key driver of an increased take-up of cyber insurance.
“People are using the cyber insurance application process as a way to do a health check within their organisation. The insurance industry has now seen a flood of ransomware events come in and know what a good risk looks like in terms of the critical controls that they should have in place,” she said.
Butler said that Marsh estimates the size of the global cyber insurance market at $15.6 billion in GWP, with expectations that it will reach $20 billion by year-end. Although uptake has increased among larger corporates, the SME sector continues to lag, she said, owing to a general lack of awareness around its value as a product and/or internal resourcing.
“Insurance companies now collect long-term data. It was one of the big challenges for cyber because we didn't have the long-term and long-tail data, but now that is starting to build,” she said. “We saw a major flood of claims around 2020/21, so a huge amount of work has been looking at the lessons learned.”
When asked if the insurance industry would be willing to share claims data with the government, Butler said the level of sensitivity around a cyber event may make this difficult. Claims data from Marsh McLennan found that 68% of organisations affected by a ransomware attack elected to pay a ransom in 2019, which declined to 23% in 2024.
Asked if penalties or mandatory reporting should be considered, speakers underlined the nuance of a cyber event, again particularly for SMEs.
“There would have to be a lot of clarity for people around when and what they are required to report,” said Sadie Creese, professor of cybersecurity at the University of Oxford, adding: “It may be that what we're really looking for is a tailored, tiered reporting structure.”