
How to Read a Cyber Insurance Policy: A Schedule-by-Schedule Walkthrough

By the Assured Cyber Protection team · Updated 2026 · Reviewed
Most people open their cyber insurance policy, see a 50 page booklet of capitalised terms, and file it away unread until something goes wrong. By then it is too late to find out that ransomware is sub-limited, that your own IT firm is not an approved supplier, or that the war exclusion on your endorsement schedule is the broad version. This walkthrough shows you exactly what to read, in what order, using correct British insurance language rather than the American terms that dominate most online guides.

Your policy is three documents, not one

A UK cyber insurance contract is made up of three parts, and they only mean anything when read together:

  • The Policy Wording. The master booklet. It contains the insuring clauses (what is covered), the definitions, the general exclusions, and the conditions. It is generic to the product and identical for every customer who buys that wording.
  • The Schedule. The bespoke page or two that names you, your period of cover, the sections you actually selected, your limits and sub-limits, your excess, and any endorsements applied. This is the British equivalent of the American “declarations page”, and it is where your specific deal lives.
  • The Endorsements. Named clauses, listed by reference number on the Schedule, that change the standard Wording. Where an endorsement conflicts with the Wording, the endorsement wins.

UK wordings say this explicitly in their opening pages: read the Wording, the Schedule and any endorsements together, because together they form the contract. If you read only the glossy Wording, you will not know what you bought. If you read only the Schedule, you will not know what the words on it mean. Start with the Schedule, then check each line back against the Wording.

A standalone cyber policy from a British insurer such as Hiscox, Aviva, RSA, AIG or Beazley typically runs to 30 to 60 pages including endorsements, with the core wording around 15 to 25 pages. It is long, but you do not have to read it like a novel. You read the Schedule, then look up only the sections it switches on.

The Schedule, field by field

This is the heart of the job. Here is every line you are likely to see, and what each one decides.

Insured / Named Insured. The exact legal entity covered. Check that your subsidiaries and trading names are listed by their correct legal names. Cover for related entities is not normally automatic: claims brought by your own employees, your contractors, or a partially owned subsidiary are commonly excluded unless specifically added.

Period of Insurance. Start and end dates. The third-party liability sections are usually written on a “claims made” basis, which means the policy in force when a claim is made against you and notified responds, not the policy that was in force when the underlying act happened. A gap in cover between renewals can leave an old act uninsured.

Retroactive Date. The cut-off before which the underlying breach or wrongful act cannot have begun for cover to apply. If an attacker was sitting in your network before this date, the policy may not respond even if you only discover it today. “Retroactive Date: Inception” or “Unlimited” is the strongest position, and continuous renewal with one insurer is how you protect it. A recent retroactive date is a genuine red flag worth questioning.

Limit of Indemnity. The most the insurer will pay. Check whether it applies “any one claim” or “in the aggregate” for the whole period. Aggregate means one bad year of multiple incidents shares a single pot.

Sub-limits. Lower caps that sit inside the aggregate for particular covers. This is the single most misread part of any cyber Schedule, so be clear: a sub-limit is part of the main limit, not added on top of it. The headline figure usually applies only to the largest section. Covers that are commonly sub-limited include ransomware and cyber extortion, funds transfer fraud, social engineering and business email compromise, regulatory defence, PCI fines, business interruption and reputational harm. The sub-limit is your true worst-case recovery for that category, so read it as the real number.

Excess. The first slice of every claim you pay yourself before the insurer contributes. This is the British term; American policies call it the “retention” or “deductible”. UK mid-market excesses commonly run from around twenty-five thousand to one hundred thousand pounds, and a higher excess lowers your premium. Some markets use the business interruption waiting period as the retention for that section, with no separate monetary excess.

Time Excess / Waiting Period. Applies to business interruption. Lost income is only covered once a set period of downtime has elapsed, typically 8 to 12 hours. Treat it as the qualifying period before the BI clock begins to run. A short outage that resolves inside the waiting period produces no BI claim at all.

Indemnity Period. For business interruption, how long lost income is covered after the waiting period ends, for example a set number of months. This is the British equivalent of the American “period of restoration”.

Covers selected / Sections operative. The Schedule confirms which sections are switched on. A cover only applies if it appears here, even if the Wording describes it in detail. Go through the Wording’s section list and tick each one against your Schedule.

Endorsements / Clauses applied. Listed by reference number. These modify the standard Wording and take precedence where they conflict. Read every single one, because this is where cover is quietly cut back or added: a specific war exclusion clause, a ransomware co-insurance clause, a sanctions clause.

Premium and IPT. Calculated on the cover selected and on the information you declared when you applied. That last point matters more than it looks, and connects directly to your duty of fair presentation, covered below.

A sample annotated Schedule

Here is an anonymised Schedule of the kind you might receive, with the meaning of each line spelled out.

| Schedule line | Example value | What it means for you |
|---|---|---|
| Insured | Example Trading Ltd and named subsidiaries | Only these legal entities are covered |
| Period of Insurance | 1 July to 30 June (claims made) | The policy live when a claim is notified responds |
| Retroactive Date | Inception | An old, undiscovered breach can still be covered |
| Limit of Indemnity | Aggregate, applies to largest section | One pot for the whole year |
| Ransomware sub-limit | Lower than the main limit | Your real ceiling for an extortion event |
| Social engineering / BEC sub-limit | Lower still | The cap if you are tricked into paying a fraudster |
| Regulatory defence sub-limit | Separate, modest cap | Funds for defending an ICO investigation |
| Excess | Per claim, you pay first | Applies to each separate incident |
| BI time excess | 12 hours | No BI loss accrues for the first half-day |
| Indemnity period | 6 months | Lost income covered for up to six months after the wait |
| Endorsement | LMA5567 war exclusion | The narrower, more generous state-attack clause |

Notice that the war exclusion is identified by a clause number. That number decides a lot, which is why it deserves its own section.

Definitions control everything

In a cyber Wording, defined terms are usually capitalised or in bold, and their meaning controls the cover. “Computer System”, “Cyber Event”, “Data”, “Privacy Breach” and “Loss” are not used in their everyday sense; they mean exactly what the definitions section says. If a definition is narrow, the cover is narrow regardless of how generous the insuring clause sounds. Whenever you read a covered item, look up every bold word in it before deciding what you actually have.

The covers themselves split into three families, which we explain in full in our guide to first-party versus third-party cyber cover:

  • First-party covers your own losses: incident response and forensics, breach notification costs, cyber extortion, data and system restoration, business interruption, cyber crime and funds transfer fraud, and reputational harm.
  • Third-party covers claims against you: privacy and data liability, network security liability, regulatory defence costs and insurable penalties, media liability, and PCI DSS fines.
  • Incident response services are the practical help: usually a 24/7 breach response hotline and an approved panel of forensics, legal and PR specialists.

Exclusions: where cover stops

The general exclusions tell you what the policy will never pay, whatever else it says. The Association of British Insurers sets out the standard UK exclusions, and they are worth quoting because they come straight from the trade body. Cyber policies will not usually cover physical property damage or bodily injury resulting from an incident, losses caused by failure of critical national infrastructure such as electricity, gas, water, satellite or telecommunications, or cyber warfare and state-linked attacks. They also will not pay criminal, civil or regulatory fines, penalties or sanctions you are legally obliged to pay, though defence costs may still be covered. Exclusions for claims by related entities and territorial limits are common too. You can read the full ABI list on common cyber exclusions.

Beyond the ABI core, carrier-dependent exclusions to look for include prior known incidents (anything you were aware of before inception, and “known” can be read broadly to include open investigations or a third-party compromise notice), failure to maintain the security controls you represented at application, unencrypted data, betterment (the insurer restores systems rather than upgrading them), and outages caused by a third party rather than by an attack on your own systems. Our full breakdown of what cyber insurance covers and excludes goes through these in detail.

The territorial trap

UK-bought cyber policies usually include the EU and much of the rest of the world, but North America, meaning the USA and Canada, is often excluded outright or carries a separate higher excess or sub-limit. If you sell into the US, host data there, or have US customers, this single line on your Schedule can decide whether a major claim is paid.

The war and state-backed attack clause

Following Lloyd’s Market Bulletin Y5381, every standalone cyber policy written at Lloyd’s has been required to carry a state-backed cyber-attack exclusion since 31 March 2023. The Lloyd’s Market Association published four model clauses. LMA5564 is the broadest, excluding essentially all state-backed cyber operations. LMA5567 is the narrowest and most generous, and is the most commonly used; it does not blanket-exclude nation-state attacks and instead carves cover back only when certain thresholds are met. Attribution to a state is determined primarily, though not exclusively, by any attribution made by the government of the state where the affected computer system is physically located.

The practical step is simple: find the clause number on your endorsement schedule and read that clause. The difference between LMA5564 and LMA5567 can decide whether a NotPetya-style attack is covered. You can read the original mandate in the Lloyd’s market bulletin Y5381.

The conditions that can void or reduce your claim

The conditions section is where good policies are lost through bad handling. Read it before an incident, not during one.

Notification, and the two separate clocks. Most cyber policies require you to notify the insurer within 24 to 72 hours of discovering a potential incident, and the clock starts at discovery, not when your investigation concludes. Miss it and you can lose cover for that event. This is the policy’s own deadline, and it is entirely separate from the regulator’s. Under UK GDPR you must also report a notifiable personal data breach to the Information Commissioner’s Office without undue delay and not later than 72 hours after becoming aware of it, as set out in the ICO’s guide to personal data breaches. Two clocks, two deadlines, both running from the moment you become aware.

Panel and consent. UK insurers require you to use their approved breach response panel for forensics, legal counsel, PR and ransomware negotiation. Instructing your own lawyers or IT firm, or paying a ransom, without prior insurer consent can leave those costs uninsured. Call the policy’s 24/7 incident hotline first, before you do anything else.

Defence costs and the limit. In many cyber policies, defence and response costs sit inside the limit and erode it. Every pound spent on lawyers and forensics is a pound less available for the ransom, the business interruption loss or the settlement. Some sections provide costs in addition to the limit. Check which applies, because it materially changes the real value of your headline figure.

Fair presentation of the risk. Under the Insurance Act 2015, UK commercial buyers owe a duty of fair presentation. The answers you gave on the proposal form or self-attestation, about multi-factor authentication, backups, patching and end-of-life software, form part of the contract. If you attested to MFA and it later lapsed, the insurer can reduce or avoid the claim proportionately. This is the warranty trap that catches more businesses than the headline exclusions.

Callout: the controls you attested to are part of the contract. If your application said you had MFA, tested backups and a patching regime, keep them in place all year. Under the Insurance Act 2015, letting them slip can turn a paid claim into a declined one.

Sanctions. Claims involving sanctioned entities or jurisdictions will not be paid, which is directly relevant to ransomware payments. Screening against sanctions lists is a precondition of any ransom decision.

A pre-renewal checklist

Run through this before you renew, and keep it with your policy.

  1. Read the Schedule, the Wording and every endorsement together.
  2. Confirm your legal entities and trading names are all listed.
  3. Check the retroactive date is inception or unlimited.
  4. Identify every sub-limit and treat it as your real ceiling for that cover.
  5. Confirm whether defence costs erode the limit.
  6. Note your excess and the BI time excess and indemnity period.
  7. Find the war exclusion clause number and read it.
  8. Confirm North America is included or note its separate terms.
  9. Save the 24/7 incident hotline number where staff can find it at 3am.
  10. Make sure your real security controls match what you attested.

Frequently asked questions

What is the difference between the policy wording and the schedule? The Wording is the standard booklet of insuring clauses, definitions and exclusions, identical for every customer. The Schedule is your bespoke page listing your selections, limits, sub-limits, excess and endorsements. Neither makes full sense alone; read them together as one contract.

What does “excess” mean and how much is typical? The excess is the first part of each claim you pay yourself before the insurer contributes. It is the British term for what American policies call a retention or deductible. UK mid-market excesses commonly run from around twenty-five thousand to one hundred thousand pounds, and a higher excess lowers your premium.

Is a sub-limit on top of my main limit? No. A sub-limit sits inside the aggregate limit, not in addition to it. The headline figure usually applies only to the largest section, so the sub-limit is your true worst-case recovery for covers like ransomware or funds transfer fraud.

What is a retroactive date and why does it matter? It is the cut-off before which the underlying breach or wrongful act cannot have begun for cover to apply. If an attacker was in your network before that date, the policy may not respond even if you only discover the breach now. Inception or unlimited is best.

Are defence and legal costs included in my limit or on top? Often inside the limit, where they erode it, meaning legal and forensic spend reduces what is left for the ransom, business interruption or settlement. Some sections provide costs in addition. Check which your Schedule and Wording specify.

Does cyber insurance cover ICO or GDPR fines? Defence costs are usually covered, but the fine itself is uncertain under English law and often excluded. The FCA Handbook forbids regulated firms from insuring their own FCA penalties, no court has directly ruled on whether ICO fines are insurable, and insurability is assessed case by case, with deliberate or punitive conduct generally uninsurable. The ICO’s maximum fine guidance sets the higher tier at up to 17.5 million pounds or 4% of global annual turnover, whichever is higher.

Can I just pay a ransom myself? No. Paying without prior insurer consent can make the cost uninsured, ransomware is usually sub-limited, and a payment to a sanctioned entity will not be covered at all. Call the insurer’s incident hotline and complete sanctions screening first.

Is my US business or US customers covered? Often not, or only on separate terms. North America is frequently excluded from UK-bought policies or carries a higher excess or sub-limit. Check the territorial line on your Schedule if you sell into, or host data in, the USA or Canada.

What happens if my security controls lapsed after I applied? The insurer can reduce or decline the claim. Under the Insurance Act 2015 your application answers about MFA, backups and patching form part of the contract, so the controls you attested to must stay in place all year.

Who do I call first when attacked? The 24/7 incident response hotline named in your policy, not your own IT firm or solicitor. The insurer’s approved panel handles forensics, legal counsel, PR and negotiation, and using your own suppliers without consent can leave those costs uninsured.


This is general guidance for the UK market, not regulated insurance advice. Cyber wordings differ by insurer, so check your own Schedule and Wording and speak to your broker about your specific cover. For wider context, see our UK small business cyber insurance guide and whether you need cyber insurance.