SAMUEL AGYARKO KORANTENG AND AYESHA BHATTI | DECEMBER 2025

The UK’s proposed Cyber Security and Resilience Bill presents a much-needed opportunity to kickstart the growth of the UK’s lagging cyber insurance market, which will make businesses more resilient to the increasing frequency and significance of cyberattacks.

KEY TAKEAWAYS

Cyber insurance represents a key tool for firms to boost their cybersecurity practices and resiliency during a period of increasingly sophisticated, widespread, and damaging cyber threats.

A lack of regulatory pressure within the UK’s data protection laws and cybersecurity regulations has led to a slow uptake in cyber insurance and an underdeveloped cyber insurance market.

The UK government’s proposed Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) is a promising start to develop the UK’s cyber insurance market but requires further improvements to encourage firm adoption of cyber insurance.

These improvements to the CSRB should include measures to improve information sharing between organizations and institutions, promote the widespread uptake of cyber insurance, and foster innovation in cyber insurance.

Greater adoption of cyber insurance will reduce interruptions and financial losses from cyber incidents.

CONTENTS

Key Takeaways
Introduction
The UK Faces More Sophisticated, Frequent, and Expensive Cyber Attacks
The UK’s Underdeveloped Cyber Insurance Market Exacerbates Risks
The UK’s Cyber Insurance Market is Underdeveloped Because of its Current Regulatory Policies and Inconsistent Industry Practices
    Limited Regulatory Pressure Contributes to an Underdeveloped UK Market
    Inconsistent UK Cyber Insurance Industry Practices Have Stifled Insurance Uptake
Recommendations
    Establishing a Confidential Cyber Incident Information Exchange Platform
    Creating Model Cyber Insurance Wording and an Underwriting Glossary
    Introducing Clearer, Objective Definitions for Firms the Bill Captures
    Prioritizing Risk-Based Over Size-Based Classifications
    Establishing a State-Backed Cyber Reinsurance Pool
    Launching a Cyber Insurance Sandbox
Conclusion
Endnotes

INTRODUCTION

Cyber insurance is an effective tool to boost the cybersecurity and resiliency of businesses. It shifts cyberattack risk to insurers, allowing businesses to operate normally while aligning their cybersecurity practices with insurer requirements to secure coverage. The UK is experiencing more cyberattacks; however, compared with global peers such as the United States, it has an underdeveloped cyber insurance market with poor demand and adoption, leaving UK businesses exposed and insufficiently protected. This underdevelopment is the result of laws and regulations that have created fragmented cyber risk data, high cyber insurance premium rates, and a lack of common cybersecurity standards.

The UK’s proposed Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) presents an opportunity for course correction. This legislation would promote better cyber risk management practices, reduce cyber insurance coverage gaps, ensure that organizations recover more effectively from cyber incidents, and boost the growth of the U.K. cyber insurance market that makes the United Kingdom globally competitive and on par with current cyber insurance leaders such as the United States.

The bill contains deficiencies that will reduce its ability to achieve a thriving U.K. cyber insurance market. These deficiencies include vague criteria that would capture entities beyond the intended scope of the bill and a reliance on size-based enforcement that blurs accountability for third-party risk. This type of enforcement could introduce hidden vulnerabilities within supply chains, undermining the growth of a much-needed UK cyber insurance sector that undermines the objectives of the bill to boost security and resiliency. With these measures, the CSRB will enhance UK organizational resilience, redu