
The Cyber and Fraud Centre – Scotland recently hosted an insightful session on cyber insurance as part of our monthly Cyber Byte series. Our panellists, Kye Brown (Coalition), Heather Toomey (ICO) and Graeme MacLeod (Brodies LLP), shared their thoughts on what businesses get right (and wrong) when buying cyber insurance policies, how insurers assess risks, and where insurance fits alongside security, compliance and legal obligations.

Cyber Insurance Market – Overview

Kye started off the session by explaining that cyber insurance isn’t new, but it’s become much more mainstream over the past decade. He explained that it’s a good time to investigate cyber insurance cover; insurers are competing more than ever, which means lower premiums, wider coverage and more value-added service options.


Despite that, fewer than one in five UK businesses currently have cyber insurance cover. Most of the cyber insurance claims Coalition receive relate to money being stolen (through fake invoices or social engineering), business email compromise, and ransomware attacks. Kye’s main message was that insurance isn’t a replacement for good cyber security, but it is a reliable safety net that helps you respond and recover when things go wrong.


A recent cautionary real-world example underlines why this matters. Western Isles Council, the local authority covering Scotland’s Western Isles, is still dealing with serious service backlogs two years after a ransomware attack in November 2023. The incident disabled many of the council’s systems and backups, disrupted essential functions like benefits and tax billing, and even after more than 24 months some legacy processes remain incomplete. Instances like this clearly show why cyber insurance should only ever be one element of a broader resilience strategy, and why firms and public bodies should also invest in robust security.

Choosing the right cover matters

There are lots of different types of policies, and the details really do matter. Kye recommended working with a good insurance broker who understands the cyber market, as well as selecting a specialist policy rather than a simple add-on to standard business insurance.


A good cyber insurance policy should include cover for things like breach response services, IT forensics, third-party liability, legal advice, business interruption, cyber extortion, reputational damage and cyber crime, to name a few. It’s also worth checking what extra support services are offered; some insurers now include tools that monitor for vulnerabilities or alert clients proactively to potential risks.

Read the fine print

Graeme pointed out that insurance policies are contracts, so understanding the small print is crucial. The wording decides what is and isn’t covered, so it’s important to check definitions, exclusions, and any limitations before you commit.

He also mentioned that some insurers only let you use their preferred experts if you suffer a cyber attack, so it’s worth knowing in advance the process and the team that will support your organisation in the event of an attack, rather than finding out during an incident.

The ICO’s view on compliance

Heather reminded us that under GDPR (General Data Protection Regulation) and NIS (Network and Information Systems) regulations, a cyber incident isn’t just about stolen data. Losing access to systems or services can also count as a breach, especially if it stops people from getting information they need.


The ICO expects organisations to be able to show how they’ve managed risk, including supply chain security, record-keeping, and testing response plans. She encouraged everyone to plan ahead, document decisions and make sure that incident reporting routes are clear and tested.

Don’t overlook the supply chain

All three panellists spoke about the increasing cyber risk from supply chains. Many businesses rely on third-party software and services, but don’t always check how secure their partners are. Kye and Graeme both said organisations should be reviewing their suppliers’ cyber posture regularly.

Don’t take their word that they are compliant with your organisation’s supplier policies and procedures; use an evidence-based approach to effectively manage risks. Heather added that Government guidance now encourages using Cyber Essentials across supply chains to help set a baseline for security.

Test your response plan regularly

The panel agreed that running cyber exercises makes a huge difference when the real thing happens. Kye suggested reviewing and testing a cyber incident response plan at least once a year, and more often if you make big changes to your systems or suppliers.

Graeme added that testing helps everyone understand their role in an incident and makes it easier to respond quickly under pressure. Heather also noted that these exercises shouldn’t just involve IT; senior leaders, comms teams and facilities staff should all be part of the discussion.

Pay a ransom?

The ‘to pay or not to pay’ ransomware question came up too. Kye said that insurers don’t force companies to pay ransoms, but they do help them handle negotiations safely if it comes to that. The general advice is to avoid paying where possible, but every situation is different. Graeme mentioned that paying a ransom isn’t illegal (unless it might contravene anti-terrorism or sanctions legislation), but the regulations are changing and constantly under review.

Ransom payments by public sector bodies and operators of critical national infrastructure are set to be banned. Heather stressed that having good backups and recovery plans in place means you’re far less likely to face that difficult decision in the first place. Kye mentioned that, aside from the ransom demand itself, there can be significant financial costs in managing a ransomware incident and getting back to full operation.

The overall message

Cyber insurance can’t stop an attack, but it can soften the blow. It gives you access to experts, covers the cost of recovery, and helps you get back on your feet faster.

As Kye summed up, “Cyber insurance isn’t a silver bullet, but it’s a vital safety net in an increasingly complex threat landscape.”

If you missed the webinar, keep an eye out for our next Cyber Byte session, where we’ll continue exploring the key topics shaping cyber resilience in Scotland.

Helpful Links

Cyber and Fraud Centre – Scotland

ICO

Coalition

Brodies