67 Lombard St, London, EC3V 9LJ

Disconnect on Cyber risk: Our research reveals UK & Ireland firms underestimating vulnerability

Published on: 08 May 2025

Research from Pen Underwriting has revealed a disconnect between how well protected firms believe themselves to be against cyber-attack and how confident they are of recovering quickly, on the one hand, and the reality of an attack's business impact and the likelihood that they have cyber risk comprehensively insured, on the other.

The results suggest firms in the UK and Ireland are underestimating their vulnerability to cyber-attack as well as the severity of potential commercial consequences, while over-estimating their cyber resilience.

Pen surveyed 300 business insurance decision-makers from different sized firms across the UK and Ireland (UK&I) and found 90% believed themselves to be protected against potential cyber-attacks, while 81% were confident they could recover quickly in the event of one.

However, fewer than half of those surveyed (47%) had dedicated cyber cover in place, which would provide the loss-preventing risk management services and expert-led breach response that could bolster their resilience to attack and reduce the duration and extent of loss. This number fell to only 18% for the smallest firms by turnover (less than £1 million).

Peril frequency
Despite this, UK&I firms are much more likely to suffer a cyber-attack than damage from other perils that they look to insure as standard. Over the past five years, 39% of all those surveyed had been targeted by cyber criminals at least once, with 81% of those saying the attack posed a serious threat to their business and 74% confirming they had suffered both commercial disruption and financial loss.

By contrast, only 10% had suffered a fire or fire damage over the past five years, and only 7% any flood damage – two perils businesses will seek to insure against as a matter of course. Even theft, such as the loss of goods, equipment or money, had a lower frequency (35%) than cyber over that same period. And 80% of those that had been targeted by cyber criminals had been targeted more than once.

Risk mitigation
Strategies to improve cyber security and mitigate the risk of a cyber-attack and its commercial impact were also found to be patchy. Only half (51%) train staff on cyber security and carry out regular automated data back-ups; fewer than half of all firms (49%) require multi-factor authentication (MFA) for all remote systems access; and a slightly lower figure (46%) require MFA to access employee email accounts, with the same number (46%) carrying out systems vulnerability scans.

Commercial consequences
The top five commercial consequences cited by those who had been hit by at least one cyber-attack in the past five years were financial loss; data breach / loss of sensitive information; loss of employee time / productivity; operational disruption / increased cost of working; and reputational damage.

More than one in four (26%) also confirmed the impact and disruption had lasted more than a week. However, 80% of all firms surveyed – including all those respondents who had not experienced a cyber-attack in the past five years – said they could not commercially afford to be offline for a week or less. And half of those (41%) said they would be in trouble commercially if offline even for a day.

Smallest most at risk
The survey also found that lower-revenue businesses are the most vulnerable to cyber-attacks but the least protected – with half (50%) of businesses that turn over less than £1m confirming they have no insurance in place at all to cover a cyber-attack.

Two in every five (38%) firms in this turnover bracket do not monitor their cyber security or check for weaknesses in their IT systems, only 31% carry out regular data back-ups, and only 32% train employees on cyber security. Furthermore, only 29% use MFA for all remote systems access and only 26% require it for access to employee email accounts.

And yet 84% of those small firms said they thought their business was either protected or very protected against a potential cyber-attack, while 72% were confident they would recover quickly if hit.

Asked how long they could afford to be offline, 68% of this group said a week or less – while more than one in five (22%) said they would struggle commercially if disruption lasted more than a day. But 44% of businesses of this size that had suffered commercial disruption and financial loss following a cyber-attack reported that it had lasted a week or more.

Ian Summerfield, Head of Cyber at Pen, said: “Our concern that businesses are underestimating their vulnerability to systems breaches, data loss and potential exfiltration by cyber criminals, while over-estimating their cyber security and resilience is given weight by this research.

“The frequency of cyber-attacks and subsequent loss and disruption is significantly higher than the occurrence of other perils that firms look to insure against as standard, such as physical theft, fire and flood. And yet the fact that only 47% of all businesses in the UK and Ireland take out dedicated cyber insurance – a number that falls to 18% for the smallest businesses – points to a disconnect between perceived cyber risk and reality. In our view, cyber risk is as fundamental to every cover conversation between businesses and their insurance brokers as property and liability.”

He added: “Cyber insurance offers much more financial compensation for losses suffered because of a successful breach. First and foremost, it can provide vital risk management and mitigation services that enable businesses to identify and address vulnerabilities to improve their cyber security and resilience. Equally important is the immediate access to a range of experts should the worst happen, that will minimise the time a business spends unable to trade or operate normally, while expediting systems recovery.”



Pen Underwriting
Pen Underwriting is a multi-class, multi-territory managing general agent (MGA) that operates as a virtual insurer, meaning it can fulfil all the typical functions of an insurance company — from underwriting, sales & distribution, pricing & analytics, product innovation, risk & governance through to claims handling — other than the provision of insurance capital.

Pen Underwriting has four divisions: Commercial – UK & Ireland; International; Public Sector; and SME & Personal Lines; offering a wide and growing range of specialisms from e-solutions and delegated authorities for volume business through to specialty products with individual underwriting for hard-to-secure placements.

Already one of the largest MGAs headquartered in the UK, responsible for managing c£1bn gross written premium (GWP), Pen has a bold ‘2030 Vision’ – to become a £1.75bn GWP underwriting and distribution business, through a combination of organic and acquired growth, and the leading MGA in the UK and wider EMEA region with the best products, people and culture.

© Pen Underwriting 2025. All rights reserved.