Simon Glairy is a recognized expert in the fields of insurance and Insurtech, with a specialized focus on risk management and AI-driven risk assessment. He has spent years analyzing how digital threats evolve from minor data leaks into catastrophic operational failures that can paralyze a corporation’s core functions. In this discussion, we explore the shifting paradigm of cyber risk, examining why the traditional view of it as a technical IT problem is being replaced by a more holistic financial perspective. Glairy shares his insights on the growing vulnerability of supply chains, the critical protection gap facing small businesses, and how insurance products are transforming to provide proactive defense in an increasingly volatile digital landscape.
We have seen a dramatic shift in how boards view digital threats, moving from seeing them as back-office technical issues to fundamental risks to the company’s balance sheet. What is driving this massive evolution in corporate thinking?
The catalyst for this shift is the visceral realization that the most acute exposure a company faces today isn’t just about losing some confidential files; it is the total, grinding inability to operate. When you look at high-profile incidents like those affecting M&S or Jaguar Land Rover, the narrative changes from a simple data privacy concern to a story of systemic paralysis. A manufacturing plant sitting idle or a complex logistics platform frozen in time creates a bottom-line impact that no chief financial officer can ignore for a second. We are moving far beyond the immediate costs of a breach to a much wider appreciation of the long-term operational implications and the massive expenses associated with trying to recover lost time. It is no longer just an IT problem to be handled by the tech team; it is a fundamental threat to the solvency and functional continuity of the entire business.
Despite the constant headlines about major hacks, there seems to be a persistent gap in how smaller organizations perceive their own level of vulnerability. Why do small and medium-sized enterprises continue to lag so far behind in cyber insurance adoption?
There is a staggering and dangerous disconnect here, evidenced by the fact that UK cyber insurance penetration currently sits at a mere 10% for these businesses. Much of this stems from the way our industry discusses these incidents publicly; by focusing almost exclusively on the documented big breaches of multinational giants, we have inadvertently taught smaller business owners that they simply are not targets. They often operate under the comforting but false belief that it is not going to happen to them because they lack the prestige or the deep pockets of a global brand. In reality, attackers are not always looking for a trophy; they are looking for scale and the opportunity to launch thousands of automated attacks simultaneously to see where they can find success. For a hacker, success is often about finding the path of least resistance, which frequently leads them straight to the SME market where defenses might be less robust.
You mentioned the “path of least resistance” for modern attackers. How does this strategy play out when we consider the sprawling, interconnected nature of modern supply chains and logistics?
The supply chain has become the soft underbelly of corporate security because attackers have realized they do not need to batter down the front door of a heavily defended multinational corporation. Instead, they can exploit weaker controls in a smaller supplier or an outsourced technology partner and use that interconnected relationship as their entry point. This widening risk landscape means that a small business’s poor security posture can suddenly become a massive liability for every major partner they work with in a digitally integrated environment. We are seeing a shift where larger corporates are forced to develop much more sophisticated financial modeling to account for these external vulnerabilities. It creates a domino effect where a single failure in a logistics platform or a manufacturing component supplier can ripple through the entire chain, causing disruption that is far more severe than the initial point of entry would suggest.
If we look at how the insurance market has responded to these threats, how have cyber policies changed to address the more aggressive ransomware and business interruption scenarios we see today?
If you look back to the period prior to 2018 or 2019, the insurance market was a very different place; the operational and business interruption aspects of a cyber incident were not nearly as well known or understood. Since the rise of sophisticated ransomware, the industry has had to evolve materially from a reactive safety net into a proactive management and response tool. Modern policies have shifted away from just paying out after a loss and now place a massive emphasis on operational recovery, offering forensic support, ransomware negotiation, and active resilience guidance as standard features. This reflects a deeper market understanding of loss, acknowledging that getting the business back on its feet quickly is just as important as the regulatory costs associated with a data leak. We have moved from a very static policy model to one that is essentially a live service providing specialized teams to handle the chaos of a recovery in real time.
Even with better insurance products and increased awareness, many businesses still struggle to quantify the potential damage of a digital attack. Why is it still so difficult for executives to model the true financial implications of a major disruption?
The difficulty lies in the fact that not all cyber threats or incidents are created equal, and their impacts are rarely linear or easy to map on a spreadsheet. While a standard data breach has a somewhat predictable cost per record, a total operational outage in a manufacturing environment creates a complex web of compounding losses that are hard to predict. Large corporations are trying to use sophisticated modeling to get ahead of this, but the pace of change in the threat landscape often outstrips the historical data we have available. Businesses that are consistently better positioned when disruption occurs are the ones that stop trying to predict the exact dollar amount and instead focus on tested contingency and response plans. Having a response plan that has been physically put through its paces is the only real way to mitigate the unpredictable financial fallout that follows a major incident.
What is your forecast for the future of cyber risk management?
I anticipate that we will see a much tighter and more aggressive integration between insurance underwriting and real-time security monitoring. We are rapidly moving toward a world where your premiums and coverage are dictated not by a yearly questionnaire filled out by an IT manager, but by the actual, measurable health of your digital ecosystem and the security of your supply chain. As attackers use more automated tools to find the lowest-hanging fruit, companies will be forced to adopt the same level of technological sophistication just to remain insurable in a tightening market. The “set it and forget it” mentality is effectively dead; the future belongs to organizations that treat cyber resilience as a living, breathing part of their daily operational strategy rather than an annual checklist.
