Cyber Insurance UK
What cyber insurance covers for UK businesses - data breach response, ransomware, business interruption and regulatory costs.
TL;DR
- Cyber insurance covers the direct costs of a cyber incident - incident response, legal costs, ICO notification, and business interruption.
- UK GDPR requires businesses to report certain data breaches to the ICO within 72 hours.
- Ransomware attacks are one of the most common and costly cyber claims for UK SMEs.
- Standard business insurance policies do not cover cyber risks - a separate cyber policy is needed.
What Cyber Insurance Covers
Cyber insurance covers the financial impact of a cyber incident on your business. Standard covers include: incident response costs (forensic investigation to establish what happened); legal costs and regulatory advice; ICO notification costs and support; data recovery costs; business interruption losses while systems are restored; customer notification costs; PR and reputation management; and sometimes extortion payments if ransomware demands are made. The policy is designed to cover the immediate and consequential costs of a cyber event.
UK GDPR and Data Breach Obligations
Under UK GDPR, businesses that suffer a personal data breach that is likely to result in a risk to individuals must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Failure to notify can result in regulatory fines. Cyber insurance covers the legal and compliance costs of managing an ICO notification and any subsequent investigation. The ICO can impose fines up to £17.5m or 4% of global annual turnover for serious breaches.
Ransomware and Business Interruption
Ransomware attacks - where criminals encrypt business systems and demand payment for decryption - are among the most common and costly cyber incidents affecting UK SMEs. Cyber insurance covers both the business interruption losses while systems are offline and, in some policies, the ransom payment itself (subject to legal advice and insurer approval). The policy also covers the cost of system restoration and data recovery after an attack.
Which Businesses Need Cyber Insurance Most
Any business that holds customer or employee personal data, processes card payments, operates e-commerce, or relies on connected systems for its operations has meaningful cyber exposure. Professional services firms, healthcare providers, retailers, and any business processing significant volumes of personal data have the highest regulatory exposure under UK GDPR. SMEs are increasingly targeted because their defences are often weaker than those of large corporations.
Disclaimer
This guide is for general information only and does not constitute financial or insurance advice. Kaeltripton.com is not regulated by the FCA. Always read policy documents in full before purchasing cover.
Frequently Asked Questions
Does standard business insurance cover cyber attacks?
No. Standard public liability, employers' liability, and commercial property insurance do not cover cyber risks. Some business insurance packages include a limited cyber extension, but the cover is typically far less comprehensive than a standalone cyber policy. Businesses with meaningful data processing or online trading should arrange dedicated cyber insurance.
How much does cyber insurance cost for a small business?
SME cyber insurance premiums vary based on turnover, industry, number of employees, and the volume of personal data processed. Sole traders and micro-businesses with modest data processing typically pay £200-600 per year for basic cyber cover. Businesses with higher data volumes, online payment processing, or regulated data categories pay more. Completing the cyber security questionnaire accurately when applying is important, as underwriters use it to price the risk.