Speech

Minister Lloyd cyber security speech at BIBA insurance conference

Digital Minister Liz Lloyd spoke about cyber security and cyber insurance at the British Insurance Brokers Association (BIBA) manifesto launch.

Baroness Lloyd of Effra CBE

Hello and happy new year.  

Thank you to the British Insurance Brokers’ Association (BIBA) for inviting me to speak at their Manifesto Launch here in Westminster today. BIBA’s leadership, expertise and partnership with government is vital to strengthening the UK’s resilience in an increasingly challenging digital landscape. The emphasis of today’s session is economic growth and resilience.  

These topics are central to the work this government is engaged in. Growth is at the core of this government’s mission. In an increasingly digital world, cyber security is not optional. It is foundational to our national security, our economy, and our way of life. We want to nurture and grow the UK’s exceptional talent to create new jobs and to put more money in working people’s pockets. But this can only be achieved through delivering a secure, resilient and prosperous digital future for Britain. 

I will discuss the important role of the insurance industry in addressing these challenges, but first I want to answer: ‘what has the government done so far?’  

Over the past year, we have taken decisive action to strengthen the UK’s cyber resilience posture – because we know resilience is not a luxury. It is the foundation of national security, economic stability, and long-term growth.  An economy is only as resilient as the organisations that contribute to it.   

We have already committed to introducing a series of measures designed to raise the resilience of organisations across the economy: 

The new Cyber Security and Resilience Bill had its second reading in the House of Commons last Tuesday. It will require more essential and digital services to have robust cyber security measures in place. It will strengthen incident reporting and empower companies, regulators and government to respond rapidly to emerging threats. Above all, it will protect the public, underpin stronger economic stability, and strengthen our national security.   

We also published the Government Cyber Action Plan last week, which sets out how government will address the growing range of online threats. Driven by a new Government Cyber Unit and supported with an investment of £210 billion, the plan will rapidly improve cyber defences and digital resilience across government departments and the wider public sector, so people can trust that their data and services are protected.

We launched the Cyber Governance Code of Practice last year. Developed with industry leaders, it sets out critical actions Boards and directors should take to govern cyber risk effectively. It offers clear, practical steps for organisations to guard against, and respond to, cyber-attacks. Your organisations should be using these tools to ensure you are adequately protected against the current cyber threat. 

Our Cyber Essentials scheme continues to set an effective baseline for good practice, both for an organisation’s own systems, and providing assurance of its supply chains. I want to be clear that Cyber Essentials is highly effective at preventing damaging cyber incidents: certified organisations are 92% less likely to make a claim on their cyber insurance. 

However, as high-profile attacks on UK businesses have shown, resilience is not just about prevention. It is about response and recovery. When a cyber attack strikes, the ability of a business to recover quickly - to protect its customers, restore operations, and safeguard jobs - is critical. A cyber incident isn’t just a statistic – it’s people, livelihoods and community services at risk. 

A holistic approach to cyber resilience, addressing prevention, response and recovery, was addressed in the ministerial letter we recently sent to leading UK companies. This letter called on business leaders to make cyber risk a board-level priority, to sign up to the National Cyber Security Centre’s Early Warning Service, and to require Cyber Essentials throughout their supply chains. Crucially, it emphasised that organisations recover better from incidents when they have planned for the worst and rehearsed their business continuity and recovery strategies.

The message is clear: resilience is not just about defence, but about readiness to respond and rebuild. By embedding cyber risk into strategic decision-making and rehearsing recovery plans, businesses can minimise disruption, protect their customers, and safeguard jobs - even in the face of sophisticated attacks. 

The response from industry has been overwhelmingly positive and UK businesses are stepping up to the challenge. This collective effort is vital for building a more resilient economy, where recovery is as much a priority as prevention. 

The UK has a strong and growing cyber sector which supports our cyber resilience. The sector currently generates annual revenue of over £13 billion, and continues to expand year on year, creating thousands of jobs and attracting investment across the globe. For the insurance sector, this presents clear opportunities: to develop products that support innovation and help companies manage risk effectively. This will ultimately underpin confidence in a thriving digital economy, supporting secure growth across the UK.

Cyber insurance is an important part of the toolbox organisations can use to manage their cyber risks. Its importance in improving cyber resilience is demonstrated in the UK Cyber Growth Action Plan report which we published last summer. When combined with effective cyber security measures, insurance serves as a practical tool to mitigate the financial and operational impacts of cyber incidents across the economy. It can be vital for managing risk, supporting recovery, and driving up standards across the economy.

On an individual level, if you suffer a cyber attack, insurance can be the difference between recovery and ruin. On a national level, the cost to businesses of cyber attacks in the UK is estimated at over £14 billion - which doesn’t include knock-on effects and disruption in the economy. Insurance can help to lower this impact by helping them get back on their feet quicker.

There is therefore more that can be done, and that is why I’m so pleased to be speaking here today with BIBA members. 

The UK cyber insurance market is growing – according to the Association of British Insurers, UK businesses are clearly prioritising protection against emerging digital threats, as evidenced by a 17% increase in policies taken out in 2024 compared to the previous year. Moreover, £197 million was paid out to help businesses recover from cyber incidents in 2024.  

The Customer Business Interruption product launched by insurance firm CFC last week is an example of the innovative ways in which the insurance industry is looking to help businesses back on their feet - helping firms recover not just from direct attacks, but from the ripple effects across supply chains. 

Insurance brokers are uniquely placed to advise businesses on both risk and resilience, helping them to understand the threats they face and the measures they need to take. I encourage brokers to continue working with us to tackle this issue.  

Uptake of cyber insurance among SMEs remains a challenge, with barriers including cost, complexity, and awareness. That is why government and industry must collaborate to help smaller firms understand the value of cyber insurance and how it can be an important tool in managing their cyber resilience.

I want to pay particular tribute to the work our colleagues across the cyber insurance industry are engaging in, alongside my department: 

The joint government/industry Cyber Insurance Industry Working Group is identifying opportunities for ongoing collaboration to help businesses in better understanding their own cyber risk management and the role cyber insurance can play in this. To do so, the Department for Science, Innovation and Technology (DSIT) is working closely with insurers to provide customers with clear and effective guidance, to help them make informed judgements and improve their cyber resilience.

DSIT is also working with BIBA to equip cyber insurance brokers with the skills to better explain cyber security and cyber insurance to potential customers. Evidence shows that SMEs struggle to understand cyber insurance, with only 8% of SMEs finding information from insurers or brokers ‘very clear.’ Given that 76% of insured SMEs obtained their advice through a broker, it is clear they play a key role in explaining the relevance of cyber security and insurance to organisations. This is a vital area that can help drive uptake of cyber insurance in the UK, helping organisations respond to and recover from cyber-attacks.

This partnership is a model for how government and industry can work together to build a safer, more resilient digital economy. 

Let me be clear: cyber resilience is not optional. It is the bedrock of our national security, our economic stability, and our future growth. As we look ahead, our challenge is to embed resilience at the heart of every policy, every business decision, and every customer interaction. 

The insurance industry has an important role to play here. I urge all of you: brokers, insurers, business leaders, to continue working with us. Please share your insights, challenge us to do better, and help us build an innovative and inclusive insurance market that supports the UK’s growth ambitions. 

Together, we can ensure that the UK remains not just a leader in adoption of digital technology and cyber security, but a global hub for growth, opportunity, and trust. 

Thank you.

Updates to this page

Published 22 January 2026