Cyber Insurance UK Business 2026: GDPR Breach Cover, Cyber Essentials, Ransomware


Chandraketu Tripathi
Finance Editor, Kaeltripton
Published 12 May 2026
Last reviewed 12 May 2026
TL;DR

Cyber insurance for UK businesses covers first-party costs (incident response, data recovery, business interruption from a cyber event) and third-party liability (claims from customers or partners whose data was compromised). UK GDPR requires notification to the ICO within 72 hours of becoming aware of a personal data breach that is likely to pose a risk to individuals; incident response costs and regulatory defence costs are covered under most cyber policies. NCSC Cyber Essentials certification is increasingly required by insurers as a condition of cover or to access lower premiums. Hiscox, Beazley, CFC, Coalition, and At-Bay are among the most active cyber underwriters in the UK SME and mid-market segments.


Cyber insurance has moved from a niche technology sector product to a mainstream business insurance consideration for UK organisations of all sizes. The combination of increasing ransomware frequency, regulatory enforcement of UK GDPR breach notification obligations, and supply chain cyber incidents affecting businesses that would not previously have considered themselves cyber targets has driven rapid premium growth and significant underwriting scrutiny. UK businesses buying or renewing cyber cover in 2026 face a more demanding application process than five years ago - insurers now routinely ask detailed questions about multi-factor authentication deployment, endpoint detection and response tools, patch management processes, and backup strategies before quoting. This guide covers what UK cyber insurance policies cover, what regulators require in the event of a breach, and how to evaluate cyber insurers for the UK market.

UK GDPR Breach Notification and the 72-Hour Rule

Under Article 33 of UK GDPR, organisations must notify the Information Commissioner's Office of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Notification is required where the breach is likely to result in a risk to the rights and freedoms of natural persons - in practice, this covers most breaches involving ransomware (where data may have been exfiltrated), unauthorised access to customer or employee databases, and accidental disclosure of personal data to the wrong recipients.

The 72-hour clock starts when the organisation becomes aware of the breach, not when the breach occurred and not when the root cause has been fully investigated. A ransomware attack detected at 9am on Monday triggers a notification obligation by 9am on Thursday, regardless of whether the investigation is complete. Article 33(4) allows the required information to be supplied in phases where it is not all available at once, so the expectation is an initial notification with what is known, followed by updates, rather than a delayed but complete report. Cyber insurance policies that include incident response retainer services, where a pre-approved forensic investigator and legal adviser can be engaged immediately on notification of an incident, are significantly more valuable than policies that require the insurer's approval before engaging response services, given the tight notification window.

Where a breach is likely to result in a high risk to individuals (for example, exfiltration of financial data, health data, or credentials that could enable identity fraud), the organisation must also notify the affected individuals directly under Article 34 of UK GDPR. The cost of individual notification - breach notification letters, credit monitoring offers, and dedicated customer service resources - can be substantial for organisations with large customer databases and is typically covered under the first-party costs section of a cyber policy.

NCSC Cyber Essentials and Underwriting Requirements

The National Cyber Security Centre's Cyber Essentials scheme defines five technical controls that protect against the most common cyber attacks: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Cyber Essentials Plus covers the same five controls but adds hands-on verification by an assessor from the certification body, including an external vulnerability scan and authenticated internal scans and malware-protection tests on a sample of in-scope devices. UK government contracts involving the handling of personal data or provision of certain ICT products and services require Cyber Essentials certification as a minimum.

In the cyber insurance market, Cyber Essentials certification has become an increasingly common underwriting requirement. Insurers including CFC and Coalition use Cyber Essentials certification (or equivalent evidence of the five control areas) as a factor in determining whether to offer cover and at what premium. Businesses that cannot demonstrate basic Cyber Essentials-equivalent controls - particularly multi-factor authentication on remote access and email, and an up-to-date patch management process - face either coverage exclusions, higher premiums, or declination from the better-rated cyber insurers.

The NCSC's guidance for small and medium-sized businesses (its Small Business Guide, alongside the Cyber Aware campaign) provides practical implementation guidance for organisations working towards Cyber Essentials. Businesses that have not previously engaged with formal cyber security frameworks should treat Cyber Essentials certification as both a security improvement and an insurance preparation step, given the increasing underwriting relevance of the certification.

What UK Cyber Insurance Policies Cover

Cyber insurance policies vary significantly in their scope and sub-limits. The following coverage areas represent the standard structure of a comprehensive UK cyber policy, though specific inclusions and exclusions vary by insurer and policy wording.

First-party incident response costs: forensic investigation to determine the cause and scope of the breach, legal advice on notification obligations, PR and crisis communications, notification costs (letters, call centre), and credit monitoring for affected individuals. This is the coverage most frequently triggered in the immediate aftermath of a cyber incident and the area where insurer-provided response services (pre-approved forensic firms and law firms on retainer) add most practical value.

Business interruption from a cyber event: lost revenue and extra expenses incurred while systems are restored following a ransomware attack, DDoS attack, or other cyber event that disrupts trading. Most policies include a waiting period (typically 8-12 hours) before BI cover is triggered. Sub-limits for BI are often lower than for incident response costs; businesses that would suffer significant revenue loss from a system outage should ensure BI limits reflect their actual daily revenue exposure.

Cyber extortion (ransomware): ransom payment costs and the professional fees involved in negotiating with threat actors. Most UK insurers require the insured to notify law enforcement (typically the National Crime Agency) before authorising ransom payments. The NCSC advises against paying ransoms as a matter of policy, noting that payment does not guarantee data recovery and funds criminal activity - policies that cover ransom payments typically include this guidance as a condition of the coverage section.

Third-party liability: claims from customers, partners, or other third parties whose personal or confidential data was compromised as a result of the cyber incident. Includes legal defence costs and damages. This coverage is particularly important for businesses holding large volumes of personal data (retailers, healthcare providers, financial services firms) or confidential client data (professional services firms, outsourced IT providers).

| Insurer   | Market segment      | Key strength                       | Response services       |
|-----------|---------------------|------------------------------------|-------------------------|
| Hiscox    | SME to mid-market   | Brand recognition, SME reach       | Yes (CyberClear)        |
| Beazley   | Mid-market to large | Claims handling depth              | Yes (BBR)               |
| CFC       | SME to mid-market   | Policy clarity, underwriting speed | Yes (24/7 response)     |
| Coalition | SME                 | Active monitoring, risk scanning   | Yes (Coalition Control) |
| At-Bay    | SME to mid-market   | Continuous exposure monitoring     | Yes                     |

Exclusions and Coverage Limitations UK Buyers Must Understand

Cyber policy exclusions have tightened significantly since 2020. The following exclusions appear in most UK cyber policies and represent material coverage limitations that buyers should understand before purchasing.

War and state-backed attack exclusions: following the Lloyd's of London market bulletin issued in 2022 and applying to standalone cyber policies incepting from March 2023, most cyber policies exclude losses arising from state-backed cyber attacks. The practical challenge is attribution: determining whether an attack is state-backed can take months, and the NotPetya incident (which the UK government attributed to the Russian military) showed insurers relying on broad exclusion language to decline claims from a major event. In the US, Merck v Ace American Insurance tested the older "hostile or warlike action" wording against NotPetya losses under a property policy and was resolved in the insured's favour, one reason the market moved to explicit state-backed-attack exclusions. UK wordings differ in how they define a state-backed attack and who bears the burden of attribution, so UK buyers should request that their broker explain the specific war/state-actor exclusion wording in any policy under consideration.

Unencrypted data: many policies exclude or sub-limit claims arising from the loss of data that was not encrypted when it could reasonably have been encrypted. For businesses storing large volumes of personal data, encryption at rest is one of the security measures expressly named in Article 32 of UK GDPR as well as a common insurance condition, and a lost encrypted laptop or drive is far easier to argue falls short of the Article 33 notification threshold than an unencrypted one.

Prior acts and known circumstances: cyber policies are typically written on a claims-made basis, covering claims made during the policy period for incidents that occurred after the retroactive date. Businesses that have experienced a breach or have a known vulnerability before the policy inception date will not be covered for claims arising from that known circumstance.

Buying Cyber Insurance: What Underwriters Ask

Cyber underwriting applications in 2026 routinely ask about: multi-factor authentication deployment (on email, remote access VPN, and privileged accounts); endpoint detection and response (EDR) tools; offline or immutable backups tested within the past 12 months; patch management processes for critical and high-severity vulnerabilities; privileged access management; and whether the business has experienced a cyber incident in the past three years. Incomplete or inaccurate answers to these questions can breach the duty of fair presentation under the Insurance Act 2015, which gives the insurer proportionate remedies (reduced payment, different terms, or avoidance of the policy where the misrepresentation was deliberate or reckless) and is a common basis for claim disputes.

Businesses that cannot affirm MFA on email and remote access are finding it increasingly difficult to obtain cyber cover from the better-rated insurers at standard terms. Where MFA cannot be implemented (typically due to legacy system constraints), this should be disclosed to the broker and alternative controls documented, rather than left unanswered or misrepresented.
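One way to prepare honest answers to these questions before the broker call, as an added example written for this guide rather than an insurer's questionnaire or any vendor's tool: the script below evaluates a constructed inventory against the controls listed above and separates a clean "yes" from a gap that must be disclosed together with its compensating control. The 14-day patch window is the figure used in the Cyber Essentials requirements, the 12-month backup-test window follows the question wording, and the inventory field names and sample data are assumptions made for the example.

```python
"""Pre-submission control check against common cyber underwriting questions.

Added example for this guide, not an insurer's questionnaire or any vendor's tool.
It evaluates a constructed inventory (below) against the controls underwriters ask
about: MFA on email, remote access and privileged accounts; EDR on endpoints;
critical/high patches applied promptly; offline or immutable backups with a recent
restore test. Assumptions: the 14-day patch window is the Cyber Essentials figure,
the 365-day backup-test window follows the question wording, and the inventory
field names and data are invented for the example.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14          # Cyber Essentials: critical/high fixes within 14 days
BACKUP_TEST_WINDOW_DAYS = 365   # "tested within the past 12 months"

# Constructed inventory for illustration only.
INVENTORY = {
    "as_of": date(2026, 5, 12),
    "accounts": [
        {"id": "alice", "email": True, "remote_access": True, "privileged": True, "mfa": True},
        {"id": "bob", "email": True, "remote_access": True, "privileged": False, "mfa": True},
        # Legacy service account on a system that cannot enforce MFA (the case in the
        # paragraph above): disclosed with a documented compensating control.
        {"id": "svc-erp", "email": False, "remote_access": True, "privileged": True,
         "mfa": False, "compensating_control": "IP allow-list plus hardware token on jump host"},
    ],
    "endpoints": [
        {"host": "lt-001", "edr": True, "patch_lag_days": 3},
        {"host": "lt-002", "edr": True, "patch_lag_days": 21},    # critical patch overdue
        {"host": "srv-erp", "edr": False, "patch_lag_days": 9},   # no EDR agent installed
    ],
    "backups": {"offline_or_immutable": True, "last_restore_test": date(2025, 9, 30)},
}


def assess(inv):
    """Return (answers, disclosures).

    answers maps each question to 'yes', 'no' or 'partial'. 'partial' means the
    control is not universal: the gap goes on the disclosure list with its
    compensating control instead of being rounded up to 'yes', which is what the
    duty of fair presentation requires.
    """
    today = inv["as_of"]
    answers, disclose = {}, []

    # 1. MFA on every account that has email, remote access or privileged rights.
    in_scope = [a for a in inv["accounts"] if a["email"] or a["remote_access"] or a["privileged"]]
    gaps = [a for a in in_scope if not a["mfa"]]
    undocumented = [a["id"] for a in gaps if not a.get("compensating_control")]
    if not gaps:
        answers["mfa"] = "yes"
    elif undocumented:
        answers["mfa"] = "no"   # a gap with nothing documented cannot be presented as mitigated
        disclose += [f"{i}: no MFA and no documented compensating control" for i in undocumented]
    else:
        answers["mfa"] = "partial"
        disclose += [f"{a['id']}: no MFA; compensating control: {a['compensating_control']}" for a in gaps]

    # 2. EDR agent present on every endpoint.
    no_edr = [e["host"] for e in inv["endpoints"] if not e["edr"]]
    answers["edr"] = "yes" if not no_edr else "partial"
    disclose += [f"{h}: no EDR agent" for h in no_edr]

    # 3. Critical/high patches applied within the window on every endpoint.
    overdue = [e["host"] for e in inv["endpoints"] if e["patch_lag_days"] > PATCH_WINDOW_DAYS]
    answers["patching"] = "yes" if not overdue else "no"
    disclose += [f"{h}: critical/high patch outstanding beyond {PATCH_WINDOW_DAYS} days" for h in overdue]

    # 4. Offline/immutable backups with a restore test inside the window.
    b = inv["backups"]
    test_age = (today - b["last_restore_test"]).days
    ok = b["offline_or_immutable"] and test_age <= BACKUP_TEST_WINDOW_DAYS
    answers["backups"] = "yes" if ok else "no"
    if not b["offline_or_immutable"]:
        disclose.append("backups: not offline or immutable")
    if test_age > BACKUP_TEST_WINDOW_DAYS:
        disclose.append(f"backups: last restore test {test_age} days ago")

    return answers, disclose


if __name__ == "__main__":
    answers, disclose = assess(INVENTORY)
    for question, answer in answers.items():
        print(f"{question:9} {answer}")
    print("\nItems to disclose to the broker:")
    for item in disclose:
        print(" -", item)
```

Run against the sample inventory, MFA and EDR come back "partial" and patching "no", with three disclosure lines (the legacy service account and its compensating control, the server without an EDR agent, and the laptop with an overdue patch). The point of the "partial" state is that the application is answered accurately and the gap is put in writing, which is the position the paragraph above recommends over an unqualified "yes".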

Editorial disclaimer. This article is for general information only. Kaeltripton is not a regulated insurance adviser. Verify any cyber coverage question with an FCA-authorised cyber broker before purchasing a policy.

FAQ

Is cyber insurance compulsory for UK businesses?

No. There is no legal requirement for UK businesses to hold cyber insurance. However, UK GDPR imposes notification and remediation obligations that create significant costs in the event of a breach - costs that cyber insurance is designed to cover. Some client contracts and public sector frameworks specify minimum cyber insurance limits as a condition of contract. Businesses holding significant volumes of personal data or operating critical systems should treat cyber cover as a material risk management decision.

Does a standard business insurance policy cover cyber attacks?

Standard public liability and commercial property policies do not cover cyber losses. Property policies typically exclude loss of or damage to electronic data. PL policies cover bodily injury and physical property damage to third parties but not financial loss arising from a data breach. Standalone cyber insurance is required to cover the incident response costs, business interruption, and third-party liability arising from a cyber event. Some package business insurance products include a small cyber extension, but these typically have sub-limits (£25,000-£50,000) that are inadequate for a material incident.

What is the 72-hour ICO notification requirement and what happens if it is missed?

Article 33 of UK GDPR requires notification to the ICO within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms; where information is not all available within that window it can be supplied in phases. Late notification is a breach of UK GDPR and can result in ICO enforcement action. The ICO considers whether the delay was justified, whether the organisation cooperated, and whether it has a history of compliance issues when determining the response to late notifications. Fines for the most serious UK GDPR breaches can reach £17.5 million or 4% of global annual turnover, whichever is higher.

Does paying a ransom violate UK law?

Paying a ransom is not itself illegal under UK law in most circumstances. However, payments to individuals or entities on OFSI (Office of Financial Sanctions Implementation) sanctions lists would constitute a sanctions violation. Threat actors linked to sanctioned states or organisations create sanctions risk in ransom payments. The NCSC and NCA advise against ransom payments on policy grounds. Businesses considering ransom payment should seek legal advice and notify the NCA before paying, regardless of insurer requirements.

What does Cyber Essentials certification involve and how long does it take?

Cyber Essentials involves completing a self-assessment questionnaire covering the five technical control areas (firewalls, secure configuration, access control, malware protection, and patch management), which is reviewed by a certification body licensed through IASME, the NCSC's delivery partner for the scheme. Basic Cyber Essentials certification typically takes one to four weeks for a small business with controls in reasonable order. Cyber Essentials Plus adds an external vulnerability scan and assessor-led testing of a sample of internal devices, and takes longer. Certification is valid for 12 months and must be renewed annually.

How We Verified

This article draws on ICO guidance on UK GDPR breach notification, NCSC Cyber Essentials scheme documentation, FCA ICOBS sourcebook, and Insurance Act 2015. Insurer capability descriptions are based on publicly available product documentation and Lloyd's market guidance as of May 2026. No insurer paid for inclusion in this article.
