Under attack
Alongside high-profile attacks on high street names, the public sector has suffered at the hands of cyber criminals over the last year.
For example, multiple London councils were targeted in cyber attacks in November 2025. This caused significant and long-lasting disruption to services.
Government research shows just how common attacks are in the public sector. While 43% of all businesses identified a breach or attack, its focus on the education sector saw this percentage rise to 60% among secondary schools, 85% for further education colleges and 91% among higher education institutions.
Security strategy
Organisations must assess risk exposures and ensure appropriate mitigation and recovery strategies are in place.
This risk analysis is important ahead of public sector restructuring programmes such as local government reorganisation and the proposed police force mergers. As organisations come together, each with IT and cyber security at different levels of maturity, this insight helps keep integrated systems resilient.
Insurance opportunities
Risk transfer through cyber insurance is an option for a growing number of organisations too. Although many have struggled to meet underwriters’ cyber security requirements in the past, the cyber insurance market has softened considerably over the last couple of years.
Insurers still expect to see controls such as multi-factor authentication (MFA), endpoint detection and response (EDR), and incident response planning but most organisations have either reached the levels required or are working towards them. Where there’s still a gap, an insurer may be happy to provide support to help an organisation meet the requirements.
Rates have improved significantly too. Increases of up to 40% were not unusual back in 2022/23, but, thanks to increased competition and new entrants, rates as seen in March 2026 have plateaued. Where strong cyber hygiene and controls are in place, rate reductions are possible too.
First-time tips
With cyber insurance within reach of more organisations, here are some tips if you’re considering cover for the first time.
Speak to your executive team
Cyber insurance used to be regarded as an IT issue, but increasingly it’s being seen as part of good governance. The potential damage a cyber attack can have to an organisation means senior executives are driving take-up of cover.
Collaborate to get the best results
Work with your IT colleagues and your insurance broker to assess cyber security and quantify the risk within your organisation. This can help to determine the level of cover required and, by sharing this insight with your underwriter, will secure the best possible results.
Test your limits
It’s a new area of cover for many organisations, so understand how it would respond in the event of a cyber event. Test the limits and any sub-limits and exclusions against realistic cyber scenarios.
Remember cover is more than financial protection
As well as providing financial protection, cyber insurance also gives access to a wide range of support and expertise in the event of a cyber attack. Where resources and expertise are limited, this can be invaluable.
Don’t be defeated if you’re declined
Insurer positions and appetites are shifting across the market and, providing you are at least close to the required standards set by insurers, it’s likely that you will find an underwriter who is comfortable to offer cover.
With the risk of a cyber attack increasing, speak to your insurance broker about how your organisation could benefit from improved appetite in the cyber insurance market.
