Estimated reading time: 5 minutes
The UK Cyber Security Longitudinal Survey’s fifth iteration arrived this week. The report tracks cybersecurity changes across the same organizations, including medium- and large-sized businesses and high-income charities. The first “wave” of data came out in 2022. This new release, “Wave Five,” follows medium- and large-sized businesses and high-income charities. The study links security practices to incident likelihood and impact. The report calls itself “a multi-year longitudinal study”. We reviewed Wave Five for signals that matter to cyber insurance.
Cyber Insurance Becomes Clearer In Boardrooms
Wave Five shows that more organizations now have specific cyber liability insurance policies. The share of businesses with a policy increased to 35%, up from 29% in Wave Four. For charities, the number rose to 40%, up from 30%. Fewer respondents were unsure about their coverage. The percentage of “Don’t know” answers dropped to 13% for businesses and 7% for charities. The report connects this change to better awareness of insurance and what policies cover.
The data shows that once organizations get specific coverage, they tend to keep it. Ninety-eight percent of those with cover at the start still had some form of cover later. The report notes there is “minimal fluctuation over time” for insured organizations. Interviews highlight the value of insurer support. As one charity put it, “We can access some specialist advice and support through the insurance company.” This support can influence how organizations respond to incidents and choose vendors.
Incident Levels Stay High Across The Panel
The report describes a busy and challenging threat environment. In Wave Five, 82% of businesses and 77% of charities said they had at least one cyber incident. Most incidents were caused by phishing. As one business shared, “We get literally hundreds of phishing emails daily.” Businesses encountered a wider variety of attacks than charities. Email impersonation scams affected 56% of businesses and 46% of charities. The report also notes attempts to take over websites and social media accounts. Criminals have also started using messaging apps, such as WhatsApp, for impersonation.
Fewer organizations experienced incidents with direct consequences. The report found that 22% of businesses and 15% of charities had outcomes from incidents. This difference affects how often cyber risk insurance claims are made and influences how leaders decide on security investments.
Security Standards Improve, Yet Gaps Persist
Wave Five shows that more organizations are following recognized security standards. The number of businesses meeting Cyber Essentials rose to 30%, up from 23% in Wave Four. For charities, the rate increased to 28%, from 19%. More organizations also said they follow at least one main standard, such as Cyber Essentials, Cyber Essentials Plus, or ISO 27001.
The report also looks at governance practices. Charities were more likely to use risk registers that include cyber risks, with 78% using them compared to 64% of businesses. Many organizations are becoming more proactive, but supplier management is still a weak spot.
Risk identification improved in Wave Five. More businesses used different methods to identify risks than in Wave Four. Ninety percent used at least one method, up from 85%. The use of threat intelligence was a key factor, rising to 44% for businesses from 36% previously.
Check Our Our Podcast With UK Cybersecurity Journalist Danny Palmer
Supply chain management is still a weak area. Fewer than one-third of organizations carried out formal supplier assessments in the past year. The report says 28% of businesses and 26% of charities did so. Interviews show that organizations often choose suppliers based on cost and reliability. Financial checks are more common than technical security reviews. For cyber liability insurance, this gap means third-party risks remain high.
What Drives Behaviour Change
Wave Five combines survey results with detailed interviews. Participants talked about what prompts change, such as incidents and stories from their sector. They also emphasized the importance of people. As one participant said, “Your staff are either going to be your biggest strength or your greatest weakness.” Organizations reported closer monitoring and more training for users. Some charities used antivirus alerts along with checks in their admin portal. They also limited outside access for suppliers and contractors.
Renewal pressure is also a factor. Insurance questions can turn unclear risks into specific actions. Gaps in controls often become clear during underwriting. Support services for incidents can also guide how organizations respond.
Budgets Rise, Boards Lag In Places
Wave Five shows that many organizations are spending more on cybersecurity. Thirty-seven percent of businesses and 36% of charities reported higher budgets. Charities also faced more limits, with 10% saying their budgets were not enough, compared to 5% of businesses. Board involvement varied by sector and size. The study found that charities improved less in regular board discussions, while large businesses improved more.
Get the Cyber Insurance News Upload Delivered
Subscribe to our newsletter!
The Cyber Insurance Takeaway
Wave Five signals a more mature discussion about cyber risk insurance. More organizations now have specific policies, and fewer are unsure about their coverage. The data shows that insured organizations tend to keep their coverage. Incident rates remain high, with phishing as the main threat. Supplier risk assessments are still uncommon. Carriers and brokers can use these trends to guide renewal discussions, while buyers can focus on controls that clearly reduce risk.
Related Cyber Liability Insurance Posts
- Cyber Essentials Tied To Fewer Cyber Insurance Claims In UK Data
- Cyber Insurance Market Size is Growing Fast But Cyber Insurance Rates Are Shrinking?
- Cyber Insurance Market Faces Slowdown as SMEs Hold the Key to Future Growth
- Cyber Insurance in 2025: Costs, Claims, and a New(ish) Playbook
- Cyber Insurance Glossary
