By Alex Curtis and Jemima Hall
Why protection gaps?
Protection gaps in general insurance – including cyber, wildfires or flooding (as described in ‘Explainer: What is a general insurance protection gap?’) – are an increasing focus for many regulators, central banks, and international bodies. Recent events, such as the Jaguar Land Rover ransomware attack and California wildfires, have underscored both the magnitude of these risks and the role insurance plays in supporting the real economy.
In contrast to growing concerns around insurance protection gaps, the London Market has doubled in the last 10 years and remains the world’s largest commercial and speciality (re)insurance market (London Market Group). Given this scale and position as a global (re)insurance centre, the UK insurance industry is central to domestic and international discussion on protection gaps and the evolving boundaries of insurability. Recent geopolitical developments, including events in the Middle East, have further illustrated the importance of insurance to the functioning of the global economy.
Given the Prudential Regulation Authority’s (PRA’s) role as the microprudential regulator of this sector, we recently undertook a review of protection gaps which considered:
- How do protection gaps interact with the PRA’s objectives? Although protection gaps can affect our microprudential objectives, protection gaps may be more relevant for financial stability and interact with the wider objectives of the Bank of England and its policy committees.
- How does the PRA’s approach to policy and supervision affect the risk of protection gaps arising? By promoting safety and soundness in a proportionate way, PRA policy and supervision help sustain and grow a vibrant insurance market that is able and willing to provide coverage with the resources to pay valid claims now and in the future.
- What role should the PRA play in efforts to address protection gaps? Protection gaps can often raise broader public policy issues beyond the remit of the PRA and wider Bank. As a result, while others are better placed to lead this work, the PRA can help play an important convening role, bringing together the (re)insurance industry and relevant stakeholders, to identify risks and practical ways to manage protection gaps.
Explainer: what is an ‘insurance protection gap’?
A protection gap is defined as ‘the difference between the amount of insurance that is economically beneficial, and the amount of coverage actually purchased’ (Geneva Association). In simple terms, it means not having enough (or any) insurance to cover risks that can result in economic harm.
Examples of insurance protection gaps include:
- Pandemic (business interruption): Industry estimates suggest that less than 1% of the estimated $4.5 trillion global pandemic-induced GDP loss for 2020 would be covered by business interruption insurance (EIOPA).
- Terrorism: In 2019, the Counter Terrorism and Border Security Act made legal changes to improve the supply of business interruption coverage not contingent on commercial property damage.
Protection gaps often arise when the amount of insurance the policyholder would like is too expensive (affordability) or because insurers consider certain risks outside their appetite (availability). This can pose issues for individual households and businesses (policyholders), or at a national level, should the aggregate degree of protection be insufficient.
Affordability and availability can be impacted by several factors including:
Table A: Drivers of protection gaps
Insurance supply (a) | Insurance demand |
|---|---|
Limited data for pricing/modelling | Limited finances |
Systemic and/or non-diversifying nature of some risks | Limited financial literacy, including lack of awareness/trust in insurance |
External intervention resulting in market failure | For businesses, poor risk management |
What is the impact of protection gaps on PRA objectives?
The PRA must act to advance its primary objectives of safety and soundness (general objective for all PRA-regulated firms) and policyholder protection (specific to insurers), alongside its secondary objectives on competition, and competitiveness and growth.
Figure 1: PRA objectives
Safety and soundness
At face value, protection gaps do not directly pose risks to insurers’ safety and soundness. In fact, protection gaps can arise from insurers taking prudent actions to manage risks, such as avoiding underpriced risks or those outside their risk appetite. In some cases, protection gaps may incentivise policyholders to manage their own risks more sustainably, thereby reducing moral hazard – where an economic actor has an incentive to increase its exposure to risk because it does not bear the full costs of that risk.
That said, protection gaps could still create indirect risks to the safety and soundness of both UK insurers and banks. These risks are already considered as part of our business-as-usual firm supervision. Examples include:
- Heightened concentration risk: Risks like flood or cyber already tend to be written by a few large and/or specialist insurers. The withdrawal of domestic carriers from the UK or overseas markets, reducing insurance affordability and availability, could exacerbate concentration risk in the UK market, or among UK insurers, reflecting the London market’s central role in global risk transfer. This, in turn, could also increase the risk of adverse selection.
- Increased net exposure: When protection gaps emerge at the reinsurance level, direct insurers may retain more risk, increasing net exposures and potentially exacerbating concentration risk. This, may in turn, widen protection gaps for policyholders as direct insurers seek to pass on higher costs through pricing, tighter terms, or withdrawal of coverage. Reinsurance capacity, and the state of the global reinsurance cycle, are key determinants of the affordability and availability of direct insurance, particularly for catastrophe‑exposed and specialist lines.
- Insurers and banks (and their counterparties) may struggle to access insurance for their own risks: Risks such as cyber can result in material financial loss as well as operational disruption. The absence of relevant insurance, including coverage and/or limit available, means financial losses must be absorbed by firms themselves and their counterparties.
Policyholder protection
In most instances, the PRA’s work to promote the safety and soundness of insurers also helps achieve an appropriate level of policyholder protection. However, in the context of protection gaps, there could be circumstances where regulatory and supervisory activity to promote safety and soundness might unintentionally make insurance more expensive or harder for policyholders to obtain.
While the policyholder protection objective does not impose a duty on the PRA to ensure insurance coverage is available and/or affordable, the PRA seeks to take a proportionate approach to setting regulatory requirements, with the aim of avoiding unintended adverse outcomes (as described in ‘What is the role of the PRA?’).
Financial stability
The Financial Policy Committee (FPC) is the UK’s macroprudential authority and is responsible for identifying, monitoring, and taking action to remove or reduce systemic risks, with a view to protecting and enhancing the resilience of the UK financial system. These actions are often implemented in co-ordination with other regulatory bodies, including the PRA. The PRA must take financial stability considerations into account when advancing its general objective to promote the safety and soundness of the firms it regulates (The Bank’s Financial Stability Strategy).
Generally, steps taken to make insurers safe and sound also help maintain financial stability. However, some risk‑reducing actions by insurers, such as withdrawing from certain lines of insurance, could widen protection gaps over time. Such gaps might pose UK financial stability risks and disrupt the provision of vital services (as described in ‘Case study: potential flood protection gaps in the UK’). This creates a genuine tension for insurers and regulators, balancing prudent risk management by insurers against the risk of higher uninsured losses that can spill over into the rest of the system, as highlighted in a recent speech by James Talbot, the Bank’s Executive Sponsor for climate.
Although protection gaps can affect the PRA’s microprudential objectives, they may be more significant from a financial stability perspective and therefore be relevant to the remit of the Bank’s FPC. Our role as the Bank or PRA is not to direct insurers how to underwrite, but to understand and monitor these interlinkages. The Bank is already considering these risks in areas such as climate and cyber, as highlighted by its December 2025 Financial Stability Report.
Competitiveness and growth
In respect to our secondary objectives, protection gaps can hinder economic growth should there be insufficient insurance needed to support activity across the real economy (as described in ‘Case study: the cyber protection gap in the UK’). When disasters strike, insufficient insurance levels can slow recovery and increase pressure on public and private finances.
The PRA supports insurance coverage across the real economy through the proportionate promotion of safety and soundness, alongside our increasing focus on innovation as we advance our secondary objectives (as described in ‘What is the role of the PRA?’). Shoib Khan’s recent speech highlights how the PRA is continuing to support innovation in insurance markets by creating regulatory space, actively building a facilitating regulatory framework, and being innovative in our own supervisory approach.
Case study: potential flood protection gaps in the UK
In the UK, most of the projected increase in general insurance losses from physical climate risk stems from heightened inland and coastal flooding (CBES). Estimates by the Environment Agency suggest that the number of households at risk of flooding could increase from 6.3 million in 2024 to 8 million by 2050.
At present, the financial impact of flooding on households is likely to remain limited due to strong flood insurance coverage and greater affordability relative to other countries. This resilience is partly due to FloodRe – a joint initiative between the Government and insurers which aims to make the flood cover part of household insurance policies more affordable. Prior to Flood Re’s inception, the average home insurance quote for a householder with a flood claim was about £4,400. As at December 2024, the average was around £1,100 (FloodRe).
That said, FloodRe (eligibility criteria) excludes homes built after 2008, blocks of more than three flats and all commercial properties, meaning some households and businesses might already face protection gaps. Despite this, construction in flood-prone areas continues, with nearly 110,000 new homes built in flood zones in England over the past decade (Aviva). Although, these figures includes areas where flood defences may be in place, highlighting potential data challenges for sizing risks (Ministry of Housing, Communities and Local Government (MHCLG)).
Further, Flood Re was designed as a temporary measure and will end in 2039. While its fixed end date aims to promote efforts to manage flood risk in a long-term sustainable way, concerns about future affordability and availability remain. FloodRe’s most recent Transition Plan, which outlines its approach to exiting the market, highlights that, although progress has been made – including spending on flood defences – significant challenges remain. This, coupled with increasing physical risks, could lead to lower insurance coverage, potentially shifting risks to households, businesses, banks, and governments as highlighted in the December 2025 Financial Stability Report.
More broadly, inadequate insurance coverage may deter investment or raise return requirements in commercial property and infrastructure if capital providers view insurance coverage as insufficient. In turn, returns and availability of investment opportunities for savings, pensions, and annuity products could also be affected.
Incentivising and investing in risk prevention and reduction can be an achievable and cost-effective means of supporting, or even expanding, insurability as physical risks increase. For example, collaboration between the insurance industry, households and government to facilitate investment in physical resilience – such as the FloodRe Build Back Better scheme or low‑cost property‑level flood resilience measures – can reduce the financial impact of flooding, improve insurance affordability and availability, and help limit risks to financial stability. Updates to planning rules and building regulations could further mitigate the impact of increased physical hazards on UK households and businesses.
What is the role of the PRA?
As a microprudential regulator, in advancing its objectives the PRA’s policymaking and supervisory approach can impact insurance supply, both positively and negatively.
Primary objectives
At its core, the PRA supports insurance availability and affordability by fostering a safe, sound, and competitive market, where insurers have the resources to pay policyholders’ claims now and, in the future. The PRA does this by proportionately promoting the safety and soundness of firms, balancing the need to address market failures while avoiding unnecessary restrictions on insurance supply. Furthermore, if deemed a proportionate way of advancing its primary objectives, the PRA could moderate regulatory requirements to make it more economical for firms to offer particular types of cover.
Where PRA policymaking may affect the availability or affordability of insurance and/or have implications for financial stability, such impacts may be assessed through the cost-benefit analysis (CBA) process set out in SOP14/24. PRA CBA may consider potential impacts on regulated firms, markets for financial services (such as pricing, transaction volumes, and product variety), and the wider UK economy.
The pursuit of financial stability – ensuring the system provides vital services even as shocks occur – highlights the importance of striking the right regulatory balance: robust enough for firms to withstand plausible shocks, but not so stringent that it risks reducing insurance provision or dampening economic growth, as reflected in a recent speech by Sarah Breeden, Deputy Governor for Financial Stability. To achieve this, PRA supervision colleagues work closely with Bank and wider counterparts to co-ordinate and identify where unintended consequences may arise.
Secondary objectives
PRA initiatives to advance secondary objectives can also help expand insurance availability by supporting market growth and innovation. For example, the PRA is currently preparing for its summer 2026 consultation on a new captive regime. Such a regime could enable better management of risks like cyber where organisations may seek bespoke coverage not available in the traditional market, and over time stimulate development of that capacity in the wider market.
Similarly, the PRA’s insurance special purpose vehicle reforms should facilitate further innovation in risk transfer, including insurance‑linked securities, to help address protection gaps in areas like cyber and natural catastrophe. Further detail on how the PRA is advancing its secondary objectives is set out in Competitiveness and growth: the PRA’s second report.
Wider stakeholders
Although the supply of insurance is an integral component of protection gaps, increases in insurance capacity alone cannot mitigate all protection gaps, particularly where a risk is deemed uninsurable or where risk is self-insured (knowingly or unknowingly). Management of protection gaps generally requires insurance to be a part of more holistic initiatives, for example resilience building and risk reduction. Such initiatives are generally outside of the PRA’s direct mandate. However, we can, and do, collaborate with and connect relevant stakeholders to support such work (as described in ‘Explainer: what mechanisms are available to close protection gaps?’).
While the specific stakeholders will vary depending on the nature of the gap (refer to ‘Case study: potential flood protection gaps in the UK’ and ‘Case study: the cyber protection gap in the UK’), it may fall to government (implicitly or explicitly) to assume risks that the private market cannot, both to protect the population and provide stability when unforeseen events occur. In doing so, governments effectively act as the insurer of last resort and are therefore key stakeholders in any discussion of protection gaps given their potential contingent liabilities.
Explainer: what mechanisms are available to close protection gaps?
Reducing and/or closing protection gaps can be achieved through a range of policy initiatives and investments, often in combination with each other. A recent industry report identified three complementary strategic pillars that can narrow protection gaps (Geneva Association):
- Investment in risk reduction, such as investment in flood defences, incentives for individuals and businesses to reduce their own risks or cyber security education for SMEs.
- Enhanced private insurance markets, such as supportive regulation to help private capacity and demand grow without distorting markets.
- Public-private risk-sharing mechanisms: For certain perils and in specific markets, well‑designed, explicit public–private schemes can play an important role in maintaining insurability and controlling moral hazard.
Looking forward
Protection gaps, such as those in climate and cyber, will continue to present a risk and an opportunity for UK (re)insurers and the wider economy. While the microprudential risks arising from protection gaps are currently limited, the PRA’s work, particularly relating to competitiveness and growth, can help to improve the availability and affordability of insurance. For example, by enabling innovation that unlocks additional risk-transfer opportunities, both domestic and global.
Given our statutory objectives, there are limits to the role we can play. Fully addressing protection gaps requires co-ordinated action across domestic and international stakeholders. Where the underlying drivers relate to insurability and underlying resilience, a multilateral, system-wide response is required. Although others are better placed to lead this work, the PRA can play an important convening role, helping to improve resilience by leveraging the expertise of the UK (re)insurance industry to support better understanding and management of risk.
Case study: the cyber protection gap in the UK
Cyber as a risk to economic security
Cyber is a risk frequently cited by policymakers and private organisations, across a diverse range of industries and countries, as one of the most material and difficult to manage. Recent cyberattacks impacting household names have further underscored the threat cyber poses to UK economic security; as highlighted by the National Cyber Security Centre writing to chief executive and chairs of leading British companies including all FTSE 350 companies to highlight the risk to business and wider economy.
In 2023 Lloyd’s, a global hub for cyber (re)insurance, published a systemic risk scenario which found that a hypothetical but plausible cyberattack on a major financial services payments system could result in $3.5 trillion of global economic losses over a five-year period (Lloyd’s). For the UK specifically, it is estimated that the average cost of a significant cyberattack for an individual business is almost £195,000. When scaled to an annual UK cost, this generates an estimate of £14.7 billion, equivalent to 0.5% of the UK’s GDP (KMPG).
Insurance landscape
Forms of cyber insurance cover have been available since the 1990s (Association of British Insurers (ABI)). However, the global cyber insurance market remains small relative to overall risk; for example, in 2025, it was estimated that less than 5% and possibly as little as 1% of cyber risks are currently insured globally (Munich Re).
Within the UK, only 7% of UK businesses surveyed had a specific cyber security insurance policy in 2025, although 45% reported being insured against cyber security risks in some way (Department for Science, Innovation and Technology (DSIT)). This low insurance coverage can be driven by a range of factors. On the demand side, drivers include limited awareness of product availability and difficulties with affordability. For example, a 2025 report found that for UK small and medium businesses, insurance may be unaffordable, especially for firms with already limited security budgets (DSIT).
More generally for cyber, supply-side factors such as limited appetite for systemic risk will be a factor limiting availability and/or affordability for some aspects of coverage.
Current initiatives
There are have been several recent initiatives exploring how to improve cyber insurance penetration in the UK (for examples see ABI and DSIT). As well as highlighting the role of insurance in limiting catastrophic financial losses from cyber, several consider how to leverage cyber insurance to improve overall cyber resilience. This includes where insurance can be a means for UK businesses to access to guidance and in many instances, a panel of experts providing pre and post-incident support.
Share your thoughts with us at Bankinsights@bankofengland.co.uk