If your business turns over less than £20 million, there is a real cyber insurance policy you can have for nothing. It comes attached to Cyber Essentials, the government-backed certification scheme, and most eligible firms either do not know it exists or assume there must be a catch. There is no catch, but there are conditions, and getting it wrong at the assessment stage is the easiest way to miss out.

This guide walks through exactly who qualifies, what the £25,000 cover actually pays for, the one box you have to tick during certification, and where the free policy stops being enough.

What the free insurance actually is

When a UK-domiciled organisation with turnover under £20 million passes the basic level of Cyber Essentials covering its whole organisation, it becomes entitled to free cyber liability insurance arranged through IASME, the NCSC’s official Cyber Essentials delivery partner.

The cover carries a £25,000 limit of indemnity. It is underwritten by American International Group UK Limited (AIG) and administered by Sutcliffe & Co Insurance Brokers, who handle the scheme on behalf of IASME. So this is a genuine policy from a recognised insurer, not a marketing gesture.

The headline figure people fixate on is the £25,000, but the part that earns its keep day to day is the 24-hour incident response helpline. If you are hit by ransomware or a data breach, you call one number and get access to technical, legal and crisis-management support straight away, with the associated costs paid up to the policy limit. For a five-person or fifty-person firm with no in-house security team, that phone number is often worth more than the cash limit itself, because it gets competent people working on the problem in the first hour rather than the first week.

The cover is associated with both Cyber Essentials and Cyber Essentials Plus. You do not need the more expensive Plus audit to get it. The basic self-assessment certification is what triggers eligibility.

Who qualifies, and the conditions that catch people out

Four conditions decide whether you get the policy, and all of them have to be true:

  • Turnover under £20 million. This is measured at group level. If your company is part of a larger group whose combined turnover exceeds £20m, you do not qualify even if your own entity is small.
  • UK domiciled. Your head office needs to be in the UK or the Crown Dependencies.
  • Whole-organisation certification. This is the one that trips firms up. Cyber Essentials lets you certify a defined scope, and some businesses deliberately scope out part of the network to make the assessment easier or cheaper. If you certify only a subset of your organisation rather than the whole thing, the free insurance does not apply.
  • You opt in. The insurance is opt-in, so eligible firms still have to actively say yes to it during the assessment.

The whole-organisation point matters more than the others because it is a decision you make during the assessment, not something fixed by your size. Plenty of firms scope down to a single department or office to get through the questions faster, then find they have quietly forfeited the insurance. If the cover is part of why you are certifying, certify the whole organisation.

On the opt-in itself: the cost of the certification is exactly the same whether you opt in or not, so for most firms there is no reason to decline. If you already hold a commercial cyber policy that you are happy with, you can opt out and avoid having two policies that might complicate a future claim. That is a conversation worth having with your existing broker before you tick the box either way.

Step by step: how to claim it

The insurance is not a separate application. You get it by certifying correctly. Here is the sequence.

1. Pick an IASME-licensed certification body

Cyber Essentials certificates are issued only through IASME or one of its licensed certification bodies, and the insurance is tied to that route. Check that whoever you use appears on IASME's list of certification bodies before you pay for an assessment; many IT providers and security specialists across the UK are on it.

2. Scope the assessment across the whole organisation

Before you start the questionnaire, define your scope as the entire business, including all the devices, cloud services and people that connect to your data. Resist the temptation to carve out the awkward parts. Whole-organisation scope is the condition for the free insurance, and it is also the version of Cyber Essentials that actually protects you.

3. Meet the five technical controls

The assessment checks five areas of basic security hygiene, as defined by the National Cyber Security Centre:

  • Firewalls protecting your network boundary and individual devices
  • Secure configuration so devices and software are not left on insecure defaults
  • Security update management to keep operating systems and applications patched
  • User access control so people only have the access they need, with admin rights tightly held
  • Malware protection on all in-scope devices

None of these requires expensive tooling for a typical SME. Most are configuration and policy changes rather than purchases, and can be put right in a few days. Patching and access control are usually the hardest, because the assessment asks for specifics rather than intentions: high-risk and critical updates applied within 14 days of release, and administrator accounts kept separate from the accounts people use for email and browsing. Answering those questions honestly tends to expose how loosely accounts and updates have been managed.

4. Submit, fix, resubmit

You complete the questionnaire through the certification portal, an assessor reviews it, and if anything falls short you get the chance to correct it. Pass, and the certificate is issued.

5. Confirm the insurance is in place

Once certified, the cover is arranged through Sutcliffe & Co. Keep the policy documents with your other certificates so that, if an incident happens, whoever picks up the phone knows the helpline number and the policy reference. For exact wording and the upgrade options, the Cyber Essentials insurance details on the Sutcliffe & Co site set out what is and is not covered.

What it costs to get certified

The insurance is free, but the certification that unlocks it is not. The IASME assessment fee for the basic self-assessment, by organisation size, is:

  • Micro (1 to 9 staff): £330 + VAT
  • Small (10 to 49 staff): £400 + VAT
  • Medium (50 to 249 staff): £450 + VAT
  • Large (250+ staff): £500 + VAT

That fee covers the assessment for a year and includes a free re-submission if you do not pass first time. It does not cover the work to actually meet the controls. For a typical small firm, the realistic first-year total including remediation, tooling and staff time tends to land somewhere between £1,500 and £3,500 once everything is accounted for. The £25,000 policy comes on top of all that at no extra charge, which is a large part of why certification pays for itself for most eligible businesses.

Where the free £25,000 runs out

Be honest with yourself about what £25,000 buys. A contained incident at a micro business, where the helpline gets you back on your feet and there is no large third-party liability, sits comfortably inside the limit. A ransomware event that takes out your systems for a fortnight, triggers a regulatory investigation, and forces you to notify hundreds of customers will blow through £25,000 long before the dust settles.

This is the gap between the free cover and a proper commercial cyber policy. Standalone cyber insurance for an SME commonly runs to £1 million or more of cover, with business interruption, ransom negotiation and far higher limits for legal and notification costs. The free policy is a sensible floor, not a ceiling. If you carry meaningful customer data or could not survive a week offline, treat it as a starting point and price up a commercial policy alongside it. You can also increase the IASME-arranged cover to £100,000 or £250,000 for an annual premium through Sutcliffe & Co, which bridges some of the gap without moving to a full standalone policy.

Cyber Essentials gets you certified. Insurers want more.

Passing Cyber Essentials and collecting the free insurance is the easy win. Holding onto affordable cyber insurance over the next few years is the harder one, because underwriters have moved the goalposts well past the five Cyber Essentials controls.

Across the UK market in 2026, insurers now treat three controls as near-mandatory before they will quote, and certainly before they will renew:

  • Multi-factor authentication (MFA) on email, remote access, VPNs and every administrator account. Insurers increasingly want full coverage, not “most accounts”, and many now discount SMS codes in favour of authenticator apps or hardware keys.
  • Endpoint detection and response (EDR) on every laptop, desktop and server. Traditional antivirus no longer satisfies underwriters, who expect active monitoring and the ability to respond to threats, not just detect them.
  • Tested backups, ideally offline or immutable so that an attacker who has gained administrator access cannot encrypt or delete them, with evidence that you have actually restored from them recently rather than just confirming the backup job ran.

A large share of first-time cyber insurance applications are now declined, and the two most common reasons are missing MFA and inadequate endpoint protection. Cyber Essentials already requires MFA on cloud services and covers access control and malware protection, but it does not, on its own, prove MFA on every account and remote access path, or EDR on every device. If you want both the free policy and a renewable commercial one, build those three controls in early.
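The third of those controls, tested restores with evidence, is the one most firms cannot demonstrate on demand. The script below is an added illustration written for this guide, not something from IASME, the NCSC or the insurers: it archives a constructed sample directory, restores the archive into a scratch directory, compares SHA-256 checksums of every restored file against the live copy, and appends a dated PASS or FAIL line to an evidence log that a renewal pack can point to. The paths, sample files and log format are assumptions; tar and sha256sum are standard on Linux.

```shell
#!/bin/sh
# Added example (not from the original guide): a minimal backup restore test
# that leaves dated evidence. The sample data, paths and log format are
# constructed assumptions for illustration; point it at a real backup in use.
set -eu

# Constructed sample "live" data standing in for the files you back up.
make_sample_data() {
  mkdir -p "$1/docs"
  printf 'invoice 2026-01\n' > "$1/docs/invoice.txt"
  printf 'customer list\n'   > "$1/docs/customers.csv"
}

# Take the backup: archive the source directory.
take_backup() {
  tar -C "$1" -cf "$2" .
}

# Restore test. Extracts the archive into a fresh directory, checksums every
# restored file against the live copy, and appends one dated line to an
# evidence log. Returns 0 only when the archive extracted and every file
# matched; a damaged archive or a checksum mismatch is recorded as FAIL.
# Arguments: <live dir> <archive> <work dir>
restore_test() {
  src="$1"; archive="$2"; work="$3"
  restore_dir="$work/restore"; evidence="$work/restore-evidence.log"
  rm -rf "$restore_dir"; mkdir -p "$restore_dir"
  status=PASS
  tar -C "$restore_dir" -xf "$archive" 2>/dev/null || status=FAIL
  # Checksums are computed relative to each root so the two lists line up.
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$work/expected.sha"
  if [ "$status" = PASS ]; then
    ( cd "$restore_dir" && find . -type f | sort | xargs sha256sum ) > "$work/actual.sha"
    cmp -s "$work/expected.sha" "$work/actual.sha" || status=FAIL
  fi
  files=$(wc -l < "$work/expected.sha" | tr -d ' ')
  printf '%s archive=%s files=%s result=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$archive" "$files" "$status" >> "$evidence"
  [ "$status" = PASS ]
}

# Stand-alone demo in a temporary directory: one good backup, one damaged one.
demo_root=$(mktemp -d)
make_sample_data "$demo_root/live"
take_backup "$demo_root/live" "$demo_root/good.tar"
restore_test "$demo_root/live" "$demo_root/good.tar" "$demo_root/work" || true
printf 'not a tar archive\n' > "$demo_root/damaged.tar"
restore_test "$demo_root/live" "$demo_root/damaged.tar" "$demo_root/work" || true
cat "$demo_root/work/restore-evidence.log"   # one result=PASS line, one result=FAIL line
```

Run it from cron against a real archive and keep the evidence log with your certificates: a dated line per restore is exactly the kind of artefact an underwriter asks for, and a FAIL line tells you the backup was worthless before an incident does. Extracting into a scratch directory, never over the live data, is deliberate; a restore test that overwrites production is itself an incident waiting to happen.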

For the full picture of what a renewal pack needs to contain, see our guide to the cyber insurance controls insurers now demand.

Frequently asked questions

Is the £25,000 cyber insurance with Cyber Essentials genuinely free? Yes. It is included at no extra cost for eligible UK organisations with turnover under £20 million that certify their whole organisation. The certification fee is the same whether or not you opt in to the insurance, so there is no hidden charge for the cover itself.

Do I need Cyber Essentials Plus to get the insurance, or is the basic level enough? The basic self-assessed Cyber Essentials is enough. The free cover is associated with both Cyber Essentials and Cyber Essentials Plus, so you do not need to pay for the more expensive Plus audit to qualify.

Why would my certification not include the insurance? The most common reasons are exceeding £20 million in group turnover, not being UK domiciled, or certifying only a subset of your organisation rather than the whole thing. Scoping down the assessment to part of your network removes the entitlement, so certify the whole organisation if you want the cover.

Can I opt out if I already have a cyber insurance policy? Yes. The cover is opt-in, and if your existing commercial policy already gives you what you need you can decline it. It is worth checking with your current broker first, because holding two overlapping policies can complicate a claim.

Is £25,000 enough cover for my business? For a small, contained incident it can be. For a serious ransomware attack with system downtime, regulatory costs and customer notifications, £25,000 will not stretch far. Treat it as a baseline and consider either upgrading the IASME-arranged limit to £100,000 or £250,000, or taking a separate commercial policy with £1 million or more of cover.

How long does it take to get certified and receive the insurance? If your controls are already in reasonable shape, the self-assessment can be completed and passed in a matter of days to a couple of weeks. The insurance is arranged once the certificate is issued, so the timeline is driven mainly by how quickly you can meet the five controls and submit the questionnaire.