A calm, practical guide to UK cyber insurance - what it covers, costs, eligibility, and smart ways to choose cover with confidence.
Plain-English guide to cover against cyber risks
Cyber insurance protects a business against the financial and operational impact of cyber incidents such as ransomware, data breaches, business interruption, and cyber extortion. It does not prevent attacks - it helps you recover when they happen. In the UK, incidents are frequent and increasingly costly, with phishing and ransomware continuing to dominate. Premiums have recently eased as competition grows, even as claims rise, which means cover is more accessible for more sectors and sizes.
The market is growing quickly as organisations recognise that security tools alone are not enough. Insurers are responding with clearer wording and broader cover, including for sectors like manufacturing, healthcare, financial services, aviation, hospitality, and gambling. Many policies now include access to specialist incident responders, legal counsel, PR support, and credit monitoring for affected individuals. This support can reduce downtime and reputation damage after an attack.
Still, cyber insurance is not a cure-all. Policies have conditions that must be met - for example, using multi-factor authentication, patching critical systems, and maintaining secure backups. Limits, sub-limits, and exclusions apply, and certain events may not be covered. This guide sets out the essentials so you can judge whether cyber insurance fits your risk and compliance needs, how different cover levels compare, and what to check before you buy. Our goal is simple: clear information so you can make a safe, informed choice for your business.
Insurance can offer real protection when you understand both the cover - and the limits.
What is typically covered and how claims usually unfold
Most policies cover two broad areas. First-party losses include incident response, data recovery, system restoration, business interruption, extra costs to keep operating, and cyber extortion payments where lawful. Third-party liabilities cover regulatory investigations, fines where insurable by law, defence costs, and settlements arising from privacy breaches or network security failures. Many policies also provide breach coaching, forensics, legal advice, and communications support from day one of an incident.
Exclusions often include pre-existing incidents, known vulnerabilities that were not remediated, deliberate acts by senior personnel, and certain infrastructure outages beyond your control. Some policies set sub-limits for ransomware, social engineering, or data restoration. For example, a business might suffer a phishing-led funds transfer loss - cover may apply only if specific verification controls were in place. If backups were not encrypted or offline, data restoration cover could be limited.
A typical claim begins with immediate notification to the insurer or their incident hotline. They help contain the breach, coordinate forensics, and guide regulatory notifications. You will be asked for logs, evidence of controls, and details of downtime and costs. Payments are generally made after validation and subject to the excess and policy limits. The best outcomes usually follow from fast reporting, clear records, and meeting the policy’s security requirements.
Who benefits most - and when it may be optional
Cyber insurance is particularly valuable for businesses that store personal data, take online payments, operate connected manufacturing lines, or rely on cloud systems and remote work. SMEs can benefit from access to expert responders they could not easily hire during a crisis. Sectors that see higher claim activity - such as manufacturing and services handling sensitive data - will often find cover an important part of resilience planning.
Very small firms with minimal digital exposure, no stored customer data, and purely offline operations may judge the risk as low. Even then, consider how email compromise, invoice fraud, or supplier breaches could impact cash flow. If clients require specific cyber cover in contracts, insurance may be effectively mandatory regardless of size.
Choosing your cover - levels and add-ons explained
Essential
- Designed for micro and small firms with straightforward risks.
- Core first-party cover for incident response, data recovery, and business interruption with modest limits.
- Basic third-party liability for privacy and network security events.
- May include insurer panel responders but fewer optional services.
Standard
- Suits growing SMEs using cloud platforms and handling personal data.
- Higher limits for ransomware, data restoration, and business interruption.
- Broader liability cover, including regulatory investigation costs and crisis communications.
- Often includes social engineering and funds transfer fraud with defined sub-limits.
Comprehensive
- Built for complex or higher-risk operations, including manufacturing and regulated sectors.
- Highest aggregate limits, richer sub-limits for ransomware, system failure, and dependent business interruption.
- Wider cover for suppliers and technology partners, plus extended forensic and legal support.
- May offer tailored endorsements for sector-specific exposures.
Optional add-ons
- Enhanced social engineering and invoice fraud cover with strict verification conditions.
- System failure cover not triggered by a cyberattack, such as critical software errors.
- Reputational harm cover with media spend limits.
- Extended dependent business interruption for key cloud or MSP outages.
- Higher notification and credit monitoring caps for affected individuals.
Pick a level that matches realistic loss scenarios - not best case assumptions.
Costs and pricing - what typically drives your premium
Typical annual premium ranges vary widely by size and risk profile. Recent UK market competition has nudged average rates lower while coverage breadth improves. Prices are not guaranteed and can change at renewal.
| Factor | Typical impact on price | What to expect |
|---|---|---|
| Business size and revenue | Larger operations usually pay more | Higher limits and data volumes increase exposure |
| Sector risk | Manufacturing, healthcare, finance often cost more | Higher claim frequencies and potential downtime |
| Security controls | Strong controls can reduce premiums | MFA, patching, backups, EDR, and training help |
| Claims history | Prior incidents can raise costs | Demonstrated improvements may moderate increases |
| Data sensitivity | More personal or financial data adds cost | Higher notification and legal exposure |
| Dependencies | Heavy reliance on cloud or MSPs can add cost | Consider dependent business interruption limits |
| Cover level and limits | Broader cover and higher limits cost more | Sub-limits for ransomware influence pricing |
| Market conditions | Competitive markets may reduce rates | Rates can still harden after major loss events |
Approximate guideposts only: micro businesses might see annual premiums in the three-figure to low four-figure range, SMEs low to mid four figures, and larger firms higher. The excess you accept also materially affects pricing: a higher excess generally lowers the premium, because you carry more of each loss yourself.
Who can apply - and what insurers usually require
Most UK-registered businesses can apply, from sole traders to large enterprises. Insurers typically ask for details of your systems, data types, revenue, key suppliers, and prior incidents. Expect questionnaires on security controls such as multi-factor authentication for remote access and email, privileged access management, critical patching timelines, endpoint protection, and backup practices including offline copies and recovery testing.
Common reasons for decline include lack of MFA, unsupported or unpatched legacy systems, inadequate backups, repeated incidents without remediation, and incomplete disclosures. Some risks may be accepted with conditions, sub-limits, or higher excesses. Regulated firms should be ready to evidence compliance with sector-specific requirements. Providing accurate, complete information helps avoid delays and ensures the cover you buy reflects your actual risk.
From quote to claim - a simple path
- Gather business details, data types, revenues, and current security controls.
- Request quotes and wordings from multiple UK-regulated insurers or brokers.
- Compare limits, sub-limits, exclusions, excesses, and incident response services.
- Confirm security requirements and remediate any control gaps before binding.
- Purchase the policy, store documents securely, and brief your incident team.
- Test backup restoration and incident contacts to confirm response readiness.
- If an incident occurs, notify the insurer immediately and follow the playbook.
- Keep records of costs and downtime to support a prompt, accurate claim.
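The backup restoration test in the steps above is the control insurers most often ask you to evidence, and "we have backups" is not evidence that they restore. The script below is an added example, not code from the guide or from any insurer: it backs up a constructed sample data set to a tar.gz archive, restores it into a fresh directory (never over production), compares SHA-256 hashes file by file, and returns a timestamped evidence record. The shape of that record, and the sample files and names, are assumptions chosen for this example; the page does not define a required format.

```python
"""Restore test for a backup archive that records evidence of the result.

Added example (not from the guide). Builds constructed sample data, backs it
up to a tar.gz, restores the archive into a fresh directory, and compares
SHA-256 hashes file by file. The evidence record shape is an assumption
chosen for this example, not an insurer's required format.
"""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source, archive):
    """Write source to a gzip tar archive and return the manifest taken at backup time."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest(source)


def restore_and_verify(archive, expected):
    """Restore into a fresh directory and compare every file hash against expected.

    Restoring somewhere new, rather than over production, is what proves the
    archive alone is enough to rebuild the data.
    """
    with tempfile.TemporaryDirectory() as tmp:
        restore_root = Path(tmp)
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                # Reject members that would escape the target directory
                # (Python 3.12+, backported to recent 3.8-3.11 releases).
                tar.extractall(restore_root, filter="data")
            except TypeError:  # older interpreters without the filter argument
                tar.extractall(restore_root)
        restored = manifest(restore_root)

    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    unexpected = sorted(set(restored) - set(expected))
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "archive": str(archive),
        "files_expected": len(expected),
        "files_restored": len(restored),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "passed": not (missing or corrupted or unexpected),
    }


def run_demo():
    """Constructed sample data: evidence for a good restore and for a stale backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "finance"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-01.csv").write_text("id,amount\n1,120.00\n")
        (src / "ledger.db").write_bytes(os.urandom(2048))
        archive = Path(tmp) / "finance-backup.tar.gz"

        expected = create_backup(src, archive)
        good = restore_and_verify(archive, expected)

        # Production changes after the backup was taken; the archive no longer
        # matches the live data, and the check must say so rather than pass.
        (src / "ledger.db").write_bytes(os.urandom(2048))
        stale = restore_and_verify(archive, manifest(src))
        return good, stale


if __name__ == "__main__":
    for label, record in zip(("current backup", "stale backup"), run_demo()):
        print(label, "passed" if record["passed"] else "FAILED", record)
```

Run it on a schedule against your real archives, keep the returned records with the date and the archive name, and the log becomes the "recovery testing" evidence an insurer questionnaire asks for. The stale case matters as much as the passing one: a restore that silently returns old data is exactly what you want to find before an incident, not during a claim.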
Weighing it up - strengths and watch-outs
| Advantages | Considerations |
|---|---|
| Access to specialist responders improves recovery speed | Cover depends on meeting security conditions |
| Helps fund business interruption and restoration costs | Sub-limits may cap ransomware or social engineering |
| Supports regulatory response and legal defence | Fines are not always insurable under UK law |
| Market competition has eased pricing for many | Premiums can rise after claims or market shifts |
| Broader sector coverage, including SMEs | Exclusions apply to unpatched or known vulnerabilities |
| Can improve customer and supply-chain confidence | Not a substitute for robust cybersecurity controls |
Insurance works best alongside tested backups, MFA everywhere, and staff training.
Key checks before you commit
Read the full policy wording, schedule, and endorsements, then confirm each of the following:
- The overall aggregate limit and any sub-limits for ransomware, data restoration, social engineering, and dependent business interruption.
- The waiting period for business interruption and how lost income is calculated.
- The excess for each cover section and any co-insurance that could share costs.
- Claim notification deadlines and the approved incident response panel.
- The scope of regulatory cover, including jurisdiction.
- Renewal terms and any conditions precedent that could affect validity if not met throughout the policy period.
Alternatives and related options
- Technology errors and omissions - covers failures in professional tech services or software where clients allege negligence.
- Crime and fidelity cover - focuses on employee dishonesty and certain external frauds outside cyber triggers.
- Business interruption from property policies - may respond to physical perils but usually not cyber events.
- Data protection services - monitoring, encryption, and backup solutions that reduce risk but are not insurance.
- Incident response retainers - pre-arranged forensics and legal support without transfer of financial risk.
Frequently asked questions
Q: Does cyber insurance cover ransomware payments? A: Many policies cover cyber extortion costs where lawful and proportionate, subject to sub-limits and due diligence. Insurers will not facilitate payments that breach sanctions or law.
Q: Will my policy pay regulatory fines? A: Some fines are uninsurable in the UK. Policies may cover legal defence and investigation costs, but payment of fines depends on legality and the policy wording.
Q: Do I need cyber insurance if I already use strong security tools? A: Tools reduce likelihood and impact but cannot eliminate risk. Insurance helps fund recovery, legal costs, and interruption losses when controls are bypassed or human error occurs.
Q: How have UK premiums moved recently? A: Average prices have eased due to market competition, while claims for ransomware have increased. Pricing still varies by sector, security posture, and claims history.
Q: Are cloud outages covered? A: Some policies include dependent business interruption for third-party providers, often with sub-limits and defined providers. Check wording and ensure critical suppliers are listed if required.
Q: What evidence will I need during a claim? A: Expect to provide system logs, proof of controls, incident timelines, costs, and revenue impact details. Keeping accurate records supports faster, more complete settlements.
What to do now
If cyber risk matters to your business, compare a few policies side by side. Focus on limits, sub-limits, exclusions, and security conditions. Ask for sample wordings and confirm incident response partners. Take your time - a measured comparison now reduces surprises later.
Try this next: list your top three digital risks, then map cover to each.
Important note
This guide provides general information, not personal financial advice. Policy terms, limits, and exclusions vary by insurer. Always read the full wording and seek regulated advice if you need help matching cover to your specific circumstances.