Strengthening cyber resilience for UK SMEs

Aon's Nathan Hankin shares why brokers must be more than middlemen in today's evolving cyber risk landscape

By Bryony Garlick

Nathan Hankin has lived and breathed insurance since he left school, spending the last decade immersed in cyber and technology risks. Now leading Aon’s UK retail team for cyber and tech errors and omissions, he and his colleagues bring nearly five decades of combined experience to helping UK-domiciled clients with up to £1 billion in revenue understand and manage their exposure.

"We don’t just speak the language of insurers," Hankin said. "We can talk tech with the chief information security officer and IT teams, and the financial impact with the financial directors and the board. We bring multiple stakeholders into the conversation as cyber risk is far greater than just an IT issue."

Cyber threats are escalating – and evolving

Hankin follows cyber risk developments obsessively, posting news daily across Aon and engaging directly with underwriters, managing general agents, and ransomware negotiators. One trend he's watching closely is the shift in ransomware tactics.

"Physical threats are increasingly part of the playbook," he said, referencing a case where lilies were sent to executives’ homes as a veiled death threat. "Around 40% of ransom negotiations now include some form of physical intimidation."

Busting SME cyber myths

According to Hankin, one of the biggest broker responsibilities is education. Many SMEs still believe they’re too small to be targeted.

"Bots don’t discriminate," he said. "They’re not looking at your company size or sector. They’re scanning for open ports and misconfigured or inadequate controls."

Another misconception: outsourcing IT means outsourced liability. Hankin points to an ongoing claim in the United States, where a multinational manufacturer is pursuing legal action against its Managed Services Provider (MSP) for allegedly failing to verify a password reset request, amounting to losses of several hundred million dollars.

"Even if you outsource, the liability often sits with you. And most MSP contracts exclude significant liability. That’s a gap we help clients understand."

Building true cyber resilience

Insurance alone isn't a strategy, Hankin warns. Insurance is a method of transferring risk from the balance sheet. It does not replace a plan for assessing, mitigating or recovering from a cyber event.

"Continuity planning has to come first," he said. "If cyber is the top board-level risk, why don’t we quantify it the way we do property? Properties are surveyed every two years. Businesses rarely do the same for cyber."

He urges uninsured businesses to invest in business continuity and incident response plans, complete with named forensic firms, crisis PR contacts, and tabletop exercises. Waiting until an attack happens to find help, he said, is a recipe for disaster.

"Most clients have no idea who to call. Rates can double during an incident if rates aren’t pre-agreed. Response times drag. It’s avoidable with some forward planning."

Controls that matter – and how brokers can help

Asked about the most effective tools for SMEs to keep cyber cover affordable, Hankin doesn’t hesitate: "Multifactor authentication is still a key control for insurers."

He also highlights endpoint detection and response (EDR), email attachment scanning, password managers, a strong backup process, and privileged access management as critical, budget-conscious controls.

"We also push clients to review government standards like Cyber Essentials against insurer expectations. Most SMEs think they’re compliant, but Cyber Essentials only meets about half of what insurers look for."

What’s next for cyber protection?

Looking ahead, Hankin says artificial intelligence will reshape the landscape rapidly.

"Voice and video deepfakes are already driving multimillion-pound frauds," he said. "We’re also seeing a return to data theft without encryption. Ransomware gangs are evolving again."

In response, he calls for security baselines to become non-negotiable: "Like locks on your doors, basic cyber controls should be standard."

He also sees value in brokers leaning into their advisory role, especially around evidence-led submissions and proactive claims insight.

"The best brokers aren’t just quoting," Hankin said. "They’re working with underwriters, guiding controls, and preparing clients for the worst. And when that happens, helping them respond fast – before a threat becomes a catastrophe."
