Cyber Insurance for UK Small Businesses: The Complete 2026 Guide

By the Assured Cyber Protection team · Updated 2026 · Reviewed
Cyber insurance sits in an awkward spot for most UK small businesses: too technical to evaluate quickly, too important to ignore once you read the breach numbers. The government’s own data shows 43% of UK businesses, roughly 612,000 of them, were hit by a breach or attack in the last year. Yet only 7% hold a standalone cyber policy, and a large share of those who do claim find the payout disputed. This guide explains what cyber insurance actually covers, what shapes the price in 2026, how to make your cover cheaper and your claim more likely to pay, and the recent UK rule changes (the ransomware payment regime, tighter underwriting) that most provider pages have not caught up with.

Throughout, we deal in drivers rather than fixed prices: brokers quote on your turnover and sector, so treat any single headline number with suspicion.

What cyber insurance actually covers

A cyber policy splits into two halves. Knowing which half is paying matters, because the exclusions and limits differ.

First-party cover pays for your own losses after an incident:

  • Data and system recovery (rebuilding or restoring what was encrypted, deleted, or corrupted)
  • Business interruption (lost income while you are down)
  • Cyber extortion and ransomware response (negotiation, specialist response, and in some cases the ransom, subject to the rules below)
  • Cybercrime and funds-transfer fraud (money tricked out of you, for example by an invoice-redirection scam)

Third-party cover pays claims made against you by others:

  • Privacy liability, meaning UK GDPR civil claims brought by the people whose data leaked. This is one of the most-claimed categories.
  • Regulatory defence costs, covering the legal and investigation spend when the ICO or FCA comes asking.

Policies almost always run on a 12-month term, re-assessed each year, on a claims-made basis. That last point catches people out: an incident that started before your policy began is not covered, even if you only discover it later. The NCSC’s cyber insurance guidance is a neutral starting point if you want to read past the brokers.

Do you actually need it?

For most small businesses the answer is yes, and the “we’re too small to be a target” line does not survive contact with the data. The gov.uk Cyber Security Breaches Survey 2025 found:

Measure                                                  Figure
UK businesses breached or attacked in last 12 months     43% (~612,000)
Medium firms breached                                    67%
Large firms breached                                     74%
Small businesses hit by phishing                         42% (down from 49% in 2024)
Phishing as a share of affected businesses               85%
Average cost of a breach (all, including £0)             £1,600
Average cost excluding £0 responses                      £3,550
Mean cost of cyber-facilitated fraud                     £5,900

Phishing is the dominant attack route by a distance, and the most expensive single category is fraud, at a mean of £5,900 per affected business. Charities are not spared: 30% (around 61,000) were hit, with breaches costing them £3,240 on average, or £8,690 excluding the nil responses.

Uptake is rising but shallow. Around 45% of businesses hold some form of cyber cover, and 62% of small businesses now do (up from 49%), but only 7% hold a specific standalone cyber policy. Many of the rest have a thin add-on bolted onto another line, which is not the same thing.

What shapes the price in 2026

There is no single price, because there is no single business. The number you are quoted is built from a handful of inputs:

  • Annual turnover and sector (a law firm or a payments processor pays more than a gardener)
  • The volume and sensitivity of data you hold
  • Your security controls (see the next section; this is where you can move the price)
  • Your claims history and the limits you choose

Entry-level standalone cover for a micro-business with low limits sits at the bottom of the range; mid-market cover for a complex, data-heavy environment runs to many times that. Some online-first insurers (Superscript, for example) advertise low monthly figures, but a headline “from” price assumes a small, low-risk, well-controlled business.

On the market direction: 2025 softened slightly after a hard couple of years, but underwriting criteria tightened, so cheaper-looking quotes often come with stricter conditions. At the industry level, S&P Global Ratings has projected global cyber premium volume growing roughly 15% to 20% a year toward around US$23bn by 2026, a signal of a hardening, expanding market rather than a guarantee about your own renewal. For a full breakdown of what feeds the quote, see our cyber insurance cost guide for UK small businesses or run the numbers with the cyber insurance cost calculator.

How to cut your premium: the controls checklist

Insurers price on risk, and they reward businesses that have removed the easy risks. Several controls are now effectively mandatory: many underwriters will not even quote without them.

The controls that gate quotes and cut price:

  • Multi-factor authentication (MFA). The single most-required control. No MFA, often no quote.
  • Endpoint detection and response (EDR) on devices
  • Tested, offline-capable backups you can actually restore from
  • Cyber Essentials certification (the government-backed scheme)

Cyber Essentials is the single most valuable step, because it both opens up quotes and earns a discount. Reported discount bands:

Certification              Typical premium reduction
Cyber Essentials           10% to 25%
Cyber Essentials Plus      20% to 40%

Getting the basics certified before you shop for cover is usually the cheapest way to lower the premium. Note that an MFA requirement is also being baked into the scheme itself; our Cyber Essentials cost and MFA rule explainer covers what is changing and when.

The free £25k cover most SMEs miss

Certify for Cyber Essentials and you may get cyber insurance included at no extra cost.

IASME, the body that runs Cyber Essentials, bundles a free Cyber Liability Insurance policy with certification. The headline terms:

Feature             Detail
Limit of indemnity  £25,000 total
Eligibility         Whole organisation certified, UK or Crown Dependencies domiciled, annual turnover under £20m, must opt in
Includes            24-hour incident helpline, crisis management and incident response within the £25k limit
Covers              Digital Media Activities, Security and Privacy Liability
Underwriter         American International Group UK Limited (AIG)
Administered by     Sutcliffe & Co Insurance Brokers
Uplift options      Paid increase to £100,000 or £250,000

It is not a full programme, and £25,000 will not cover a serious incident at a data-heavy firm, but for a micro-business it is meaningful, and the 24-hour helpline alone has value. You have to opt in, and the whole organisation must be certified, not just one team. There is also a paid uplift path through brokers and insurers. Verify the current limit and underwriter on the IASME Cyber Liability Insurance page before relying on it, and see our walkthrough of free cyber insurance via Cyber Essentials.

What it does NOT cover

The exclusions are where claims die, so read this section twice.

GDPR fines. This is the most misunderstood point in the whole product. As a matter of UK public policy, a regulatory fine cannot generally be insured where the business caused or contributed to the breach. Some policies refer to “privacy regulatory awards to the extent insurable by law”, which sounds reassuring but does not change the basic position: the fine itself is generally not covered. What can be covered is the response: legal defence, the investigation, and the cost of notifying affected people and the regulator. So the policy helps you handle an ICO case; it does not pay the penalty at the end of it.

Act of war and state-backed attacks. Since 2023, Lloyd’s has mandated state-backed cyber-attack exclusions on standalone policies placed through it, and the war wording now varies widely from insurer to insurer. This is not theoretical: the 2017 NotPetya attack produced years of coverage litigation (the best-known being Merck v. ACE American and Mondelez v. Zurich) over whether an “act of war” exclusion applied. Read your war wording, because a nation-state-linked attack is exactly the kind of large loss you bought cover for.

Prior and known acts. Anything that began, or that you knew about, before the policy started. This is the flip side of the claims-made basis.

Poor security hygiene. Unpatched systems, outdated software, and missing MFA can void cover, because they often double as conditions of the policy.

The ransomware payment regime. The government has set out (in 2025) a plan to ban ransom payments by the public sector and regulated critical national infrastructure (NHS, councils, schools), plus a “payment prevention regime” requiring all other victims to notify the authorities of an intent to pay, so it can be checked against sanctions, alongside mandatory incident reporting with an initial report inside 72 hours. Around 72% of consultation respondents backed the targeted ban. As of late 2025 this was a proposal being introduced rather than settled law, but it changes how a ransomware claim works: even where a policy would fund a payment, you may be legally required to notify first, and a payment to a sanctioned entity is off the table. You can read the government response to the ransomware proposals in full. A separate Cyber Security and Resilience Bill, in progress in late 2025, is expected to widen reporting duties further.

Why claims get denied, and how to be the one that gets paid

Around 40% of cyber claims were denied or disputed in 2024. The top reasons are consistent: inadequate security controls, misrepresentation on the proposal form, policy exclusions, and late notification. The legal machinery behind the first two sits in the Insurance Act 2015, and understanding it is the difference between a clean payout and a fight.

Two mechanisms matter:

Misrepresentation. When you fill in the proposal form, you have a duty of fair presentation. If you misrepresent something:

  • Deliberate or reckless misrepresentation lets the insurer void the policy, refuse all claims, and keep your premium.
  • Non-deliberate misrepresentation triggers a “proportionate remedy”: the insurer pays out as if you had been charged the premium your true facts warranted, or applies the terms it would have set. So if you said you had MFA everywhere and you did not, you may not lose everything, but the claim can be cut down.

Breach of warranty. A warranty is a promise about something you will do or maintain (keep backups, run MFA, patch within a set window). Breaching a warranty suspends the insurer’s liability rather than voiding the policy, and crucially, cover is reinstated if you fix the breach before any loss happens. So a lapsed control that you correct in time does not necessarily sink a later, unrelated claim.

The businesses that get paid share three habits:

  1. They documented their controls before the incident, so the proposal form was accurate and provable.
  2. They notified the carrier within 24 to 72 hours, inside the policy window.
  3. They followed a tested incident response plan rather than improvising.

The practical lesson: answer the proposal form precisely, keep evidence that you do what you said, and treat every control on the form as a live promise. For background on the legal mechanism, Get Indemnity’s explainer on the Insurance Act 2015 sets out the warranty and proportionate-remedy rules.

First 72 hours: your incident playbook

Insurance only works if you trigger it correctly, and the clock starts the moment you suspect something. A workable sequence:

  1. Contain, do not destroy. Isolate affected systems, but preserve evidence: do not wipe and rebuild before the responders have looked, or you may breach a policy condition.
  2. Call your insurer’s breach line first, not your IT person’s mobile. Most policies require notification within 24 to 72 hours and route you to an approved incident response (IR) team. Calling the wrong people first can prejudice the claim.
  3. Engage the IR retainer. Many policies include or require a named IR provider. The NCSC maintains a list of assured Cyber Incident Response providers if you need to vet one.
  4. Assess the reporting duties. A personal-data breach with risk to individuals must be reported to the ICO within 72 hours. The emerging ransomware regime adds its own initial-report requirement, and notification may be required before any payment is even considered.
  5. Document everything as you go. Times, decisions, who you spoke to. This is what makes the claim provable later.

If ransomware is on the table, factor in the cost of a ransomware incident beyond the ransom itself: downtime, recovery, and notification usually dwarf the demand.

Frequently asked questions

Does cyber insurance cover GDPR fines? Generally no. UK public policy means a regulatory fine cannot usually be insured where your business caused or contributed to the breach. Some wordings mention “regulatory awards to the extent insurable by law”, but the fine itself is normally excluded. What a policy can cover is the response: legal defence, the investigation, and the cost of notifying affected people and the regulator.

Do I need Cyber Essentials to get cyber insurance, and does it cut the premium? You do not strictly need it everywhere, but many underwriters now treat controls like Cyber Essentials, MFA, EDR, and tested backups as a precondition to quote at all. It also pays you back: Cyber Essentials is commonly worth a 10% to 25% premium discount, and Cyber Essentials Plus 20% to 40%. Certifying before you shop is usually the cheapest way to lower the price.

Is there any free cyber insurance? Yes, within limits. IASME bundles a free Cyber Liability Insurance policy with Cyber Essentials certification: a £25,000 total limit, a 24-hour incident helpline, and crisis management within that limit, underwritten by AIG and administered by Sutcliffe & Co. You must opt in, the whole organisation must be certified, you must be UK or Crown Dependencies domiciled, and turnover must be under £20m. There is a paid uplift to £100,000 or £250,000.

Does cyber insurance cover ransomware payments, and is paying even legal? Many policies fund ransomware response, sometimes including the payment, but the legal picture is shifting. The government has set out a ban on ransom payments for the public sector and regulated critical infrastructure, plus a regime requiring other victims to notify the authorities of an intent to pay so it can be checked against sanctions, with mandatory incident reporting inside 72 hours. As of late 2025 this is being introduced rather than fully in force, but a payment to a sanctioned entity is already off the table.

Why do cyber insurance claims get denied? The common reasons are inadequate security controls, misrepresentation on the proposal form, policy exclusions, and late notification; roughly 40% of claims were denied or disputed in 2024. Under the Insurance Act 2015, deliberate or reckless misrepresentation lets the insurer void cover entirely, while an innocent error triggers a reduced “proportionate” payout. The businesses that get paid documented their controls beforehand, notified within 24 to 72 hours, and followed a tested response plan.

I’m a sole trader. Am I really a target? Size is not protection. Phishing hit 42% of small businesses last year and accounts for 85% of attacks on affected businesses, and most of it is automated and indiscriminate. The single most expensive category, cyber-facilitated fraud, averaged £5,900 per affected business, which is enough to end a small operation. Entry-level cover is cheap, and the free IASME £25,000 policy can be a sensible floor for a micro-business.