
First-Party vs Third-Party Cyber Cover: Which Sections You Actually Use

By the Assured Cyber Protection team · Updated 2026 · Reviewed

Cyber cover splits into two halves, and for most UK SMEs only one of them does the heavy lifting. First-party sections pay for your own direct losses after an attack: getting the incident contained, your data restored, and your income replaced while you are offline. Third-party sections pay claims brought against you by other people, mainly legal defence and regulatory costs after a data breach. On the typical small-business claim, ransomware or a hacked email account, it is the first-party sections you actually use. Third-party liability matters far more for firms holding large volumes of other people’s personal data or selling digital services to clients.

This guide explains which sections trigger on a real claim, where the money goes, and the first-party gotchas that catch buyers out. It is framed for UK policy wording, the ICO, and the free cover bundled with Cyber Essentials, not US coverage labels.

First-party vs third-party: the split that matters

A cyber policy is a bundle of separate insuring clauses. The cleanest way to read one is to ask, for each section: is this paying my losses, or paying someone else’s claim against me?

First-party (your own losses)
  • What it pays: costs you incur directly after an attack
  • Typical sections: incident response, IT forensics, data restoration, business interruption, ransomware/extortion, breach notification, PR/crisis management, sometimes cyber crime/funds-transfer fraud
  • Who claims most: almost every SME that has a serious incident
  • Trigger: ransomware, email compromise, system outage

Third-party (others’ claims against you)
  • What it pays: liability to people affected by your breach
  • Typical sections: legal defence, settlements and damages, regulatory/ICO investigation costs
  • Who claims most: firms holding lots of others’ personal data, or providing digital services
  • Trigger: a data breach affecting customers, an ICO investigation, a lawsuit

If you want the wider picture of what a policy includes and the standard carve-outs, our guide to what cyber insurance covers and its exclusions goes section by section. The label distinction between “cyber insurance” and “cyber liability” trips a lot of buyers up too; we untangle that in cyber insurance vs cyber liability explained.

Which sections SMEs actually claim on

The honest answer most insurer marketing skips: first-party sections do almost all the work for small firms.

The Association of British Insurers reported that UK insurers paid out £197 million in cyber claims to businesses in 2024, a 230% rise on the £59 million paid in 2023, with malware and ransomware making up over 51% of all claims (up from 32% the year before). Those are first-party events. A ransomware hit triggers incident response, forensics, data restoration, and business interruption. A hacked email account triggers forensics, notification, and often funds-transfer fraud cover. None of that is third-party liability.

Third-party lawsuits do happen, but they are the rarer event for a typical small business. They become the dominant risk when you hold large volumes of customer personal data or build software and systems for clients. For most trades, agencies, and shops, the first-party sections are what get used. That should change how you read a quote: scrutinise the first-party limits and sub-limits first, because that is the cover you are most likely to call on.

Business interruption: the biggest cost, and the catch

Business interruption is consistently the single largest cost component in serious cyber claims. Munich Re’s analysis puts business interruption at roughly 51% of total cost in ransomware losses, and claims that trigger it run far higher in severity than those that do not. Lost income while your systems are down usually dwarfs the cost of the technical clean-up.

Two practical points buyers get caught by:

  • There is a waiting period. Business interruption typically does not start paying until a retention period has passed, often 6 to 12 hours of downtime. A short outage that recovers inside that window may pay nothing on the business interruption section even though it disrupted you.
  • It is the section to size carefully. Because it drives claim severity, an under-set business interruption limit or a long waiting period is where a policy quietly fails to deliver when you need it most.

Ask how the insurer calculates lost income, what the waiting period is, and whether the business interruption limit reflects what a multi-day outage would actually cost you.

The first-party gotchas

These are the details that turn a policy you thought covered you into one that does not.

Social engineering and funds-transfer fraud is usually a separate, sub-limited section. Business email compromise, where someone is tricked into paying a fraudulent invoice or diverting a transfer, is one of the most common real-world losses. It is frequently a standalone insuring clause with its own low sub-limit, not part of the main policy limit. A policy with a large headline limit can still cap funds-transfer fraud at a small fraction of it. Check this number specifically.

Ransomware payments are often sub-limited too. Many policies cap what they will pay towards an extortion demand below the overall limit. The headline figure on the schedule is rarely the amount available for a ransom.

Sub-limits apply to regulatory costs and notification as well. A sub-limit is a cap that sits inside the overall policy limit on a specific type of loss. The result is that the headline limit is the ceiling, but individual events such as ransomware, social engineering, or ICO investigation each have their own, lower cap. Read the schedule of sub-limits, not just the top-line number.

Do you already have some cover?

Before buying anything, check what you already hold. The National Cyber Security Centre advises checking whether cyber cover is already bundled into existing policies, such as business interruption or property insurance, before taking out a standalone policy. The NCSC’s cyber insurance guidance sets out seven questions to work through before you buy. Some commercial combined policies include limited cyber extensions, so it is worth confirming rather than either double-paying or assuming a gap that is not there.

If you certify to Cyber Essentials through IASME, UK-domiciled organisations with annual turnover under £20m can opt in to free cyber liability insurance with a £25,000 limit of indemnity and a £1,000 excess per claim. It covers both first-party elements (incident response, forensics, data restoration, ransomware and extortion) and third-party/regulatory costs (data breach response, defence costs and regulatory fines where insurable). It is genuine cover, but it is baseline: a frequently cited figure for the average UK SME cyber claim is around £40,000 (a broker estimate, not a regulator figure), so a £25,000 limit is easily exhausted by one serious incident. Treat it as a floor, not a substitute for a properly sized policy.

What it costs, and reading “average” figures sceptically

Indicative UK SME premiums commonly fall in the £350 to £5,000 a year range, with low-risk microbusinesses sometimes lower. These are broker estimates and vary widely by sector, turnover, and the limits you choose, so treat them as a starting frame rather than a quote.

Be wary of scary “average cost of a breach” headlines. The UK government’s Cyber Security Breaches Survey 2025/2026 found 43% of businesses experienced a breach or attack in the last 12 months, with phishing the most common at 38%. But the median cost of the most disruptive breach was effectively £0 for businesses overall. The mean was roughly £1,600, or £3,550 once zero-cost incidents are stripped out. The “average” swings enormously depending on whether those zero-cost responses are excluded, which is exactly how insurer marketing inflates the number. Plenty of incidents cost little; a minority cost a great deal. That distribution, lots of cheap incidents and a few expensive ones, is the real case for insurance, not a single frightening average.

For a fuller walk-through of whether the cover is justified for your situation, see do I need cyber insurance and our cyber insurance UK small business guide.

Frequently asked questions

What is the difference between first-party and third-party cyber insurance? First-party cover pays your own direct losses after an attack: incident response, IT forensics, data restoration, business interruption, ransomware payments, breach notification, and crisis PR. Third-party cover pays claims brought against you by others, mainly legal defence, settlements, and regulatory or ICO investigation costs after a data breach. First-party is what you spend on yourself; third-party is what you owe other people.

Which sections of a cyber insurance policy do businesses actually claim on? For most SMEs, the first-party sections. ABI data shows malware and ransomware made up over 51% of UK cyber claims paid in 2024, and those events trigger incident response, forensics, data recovery, and business interruption rather than third-party liability. Third-party lawsuits matter most to firms holding large volumes of customer data or providing digital services.

Does cyber insurance cover business interruption and lost income? Yes, and it is usually the single largest cost in a serious claim, around 51% of total costs in ransomware losses on Munich Re’s figures. The catch is a waiting or retention period, often 6 to 12 hours, before the cover starts paying. Short outages that recover inside that window may not pay on the business interruption section, so check the waiting period and make sure the limit reflects a multi-day outage.

Is social engineering or business email compromise covered by cyber insurance? Often, but usually as a separate section with its own low sub-limit rather than as part of the main policy limit. Because funds-transfer fraud is one of the most common SME losses, this sub-limit is one of the most important numbers in the schedule. A policy with a large headline limit can still cap this loss at a small fraction of it.

What is a sub-limit and why does it matter? A sub-limit is a cap on a specific type of loss that sits inside the overall policy limit. Ransomware payments, social engineering, and regulatory costs commonly carry their own sub-limits, so the headline figure on your schedule is rarely the amount available for those events. Always read the schedule of sub-limits, not just the top-line limit.

Is the free £25,000 Cyber Essentials insurance enough? It is useful baseline cover, available free to UK-domiciled organisations with turnover under £20m who opt in, with a £1,000 excess. It covers both first-party and regulatory elements. But with the average UK SME cyber claim often cited around £40,000, a £25,000 limit is easily exhausted by one serious incident. Treat it as a floor, not a complete policy.

Do small businesses need both first-party and third-party cover? Most standalone policies bundle both, so you usually get them together. The practical question is how each is sized. Weight your attention towards the first-party limits and sub-limits, since that is the cover you are most likely to use, and check the third-party limit is adequate if you hold a lot of customer personal data or provide services to clients.
