INSURANCE GUIDE: Cyber Insurance UK - what it covers and whether your business needs it
TL;DR
- Cyber insurance covers financial losses from data breaches, ransomware attacks, business email compromise, and cyber business interruption.
- Standard business insurance (office, shop, professional indemnity) explicitly excludes most cyber losses - a standalone cyber policy is required for meaningful protection.
- UK businesses are legally required to notify the ICO of certain personal data breaches within 72 hours under UK GDPR - cyber policies cover the cost of breach response including notification.
- Premiums are strongly influenced by the business's cyber security posture - multi-factor authentication (MFA), endpoint detection, and patching practices all reduce premiums.
- Business email compromise (BEC) and invoice fraud are excluded from many cyber policies as they are classified as social engineering or crime rather than cyber events - check the policy wording carefully.
Last reviewed: June 2026
KEY FACTS
| Topic | Detail |
| --- | --- |
| What it covers | First-party costs: incident response, system restoration, data recovery, ransom payment (some policies). Third-party: regulatory fines (limited), legal costs, client notification costs |
| Standard policy exclusions | War and state-sponsored attacks (Lloyd's of London war exclusion); bodily injury and property damage (covered by PL/EL); prior known incidents |
| ICO notification duty | UK GDPR Article 33: personal data breaches must be reported to the ICO within 72 hours where likely to result in risk to individuals |
| BEC and invoice fraud | Often excluded from cyber cover as crime/social engineering - check for a specific social engineering extension |
| MFA impact on premium | Multi-factor authentication on email and remote access is now commonly required by cyber insurers and significantly reduces premiums |
| Annual premium range | GBP 500 to GBP 3,000 for SMEs; GBP 5,000 to GBP 50,000+ for larger businesses |
What Is Cyber Insurance?
Cyber insurance (also called cyber liability insurance or cyber risk insurance) covers financial losses arising from digital attacks, data breaches, and technology failures that affect a business. It addresses a category of risk that is almost entirely absent from standard business insurance policies and has become one of the most rapidly growing commercial insurance products as cyber threats have intensified.
The two broad categories of cyber insurance cover are first-party cover (losses to the insured business itself) and third-party cover (claims from other parties - clients, regulators, affected individuals - against the insured business).
First-Party Cyber Cover
First-party cyber cover protects the insured business for its own losses following a cyber incident:
- Incident response costs: The cost of engaging a specialist cyber incident response firm to contain and investigate a breach, including forensic investigators, PR firms, and legal advisers specialising in data breach response.
- System restoration: The cost of restoring corrupted or encrypted systems and data following a ransomware attack or other destructive cyber event.
- Business interruption: Revenue lost while the business cannot operate normally due to a cyber incident. This can be the most significant financial loss in a major ransomware attack.
- Ransom payments: Some cyber policies cover ransom payments to cybercriminals, subject to conditions. Insurers are increasingly cautious about this cover given regulatory concerns about funding criminal enterprises.
- Data breach notification: The cost of notifying affected individuals and regulators following a personal data breach, as required by UK GDPR.
Third-Party Cyber Cover
Third-party cyber cover responds to claims made against the insured business by clients, individuals, or regulators:
- Privacy liability: Claims from individuals whose personal data was compromised in a breach
- Regulatory defence costs: The cost of responding to an ICO investigation following a data breach
- Network security liability: Claims from clients whose systems were affected because they were connected to the insured network
- Media liability: Claims arising from digital content published by the business
The War Exclusion
Following guidance from Lloyd's of London, most standalone cyber policies now include a war exclusion that limits or excludes cover for cyberattacks attributed to state actors (government-sponsored hacking). This is significant because major ransomware groups and advanced persistent threats (APTs) are increasingly attributed to nation-state actors, particularly from Russia, China, North Korea, and Iran. The scope of the war exclusion varies by policy and should be reviewed carefully by businesses that might be targeted by state actors.
How Much Does Cyber Insurance Cost?
Annual indicative costs for 2026 UK businesses:
- Small business, turnover under GBP 1 million, basic IT, limit GBP 250K: approximately GBP 500 to GBP 1,200
- Medium business, turnover GBP 1-5 million, good security controls, limit GBP 1 million: approximately GBP 1,500 to GBP 4,000
- Larger business, turnover GBP 5-25 million, comprehensive controls: approximately GBP 4,000 to GBP 15,000
Key factors reducing premiums: MFA on email and remote access; regular patching; endpoint detection and response (EDR); staff phishing training; Cyber Essentials certification; tested backups stored offline.
Disclaimer: This guide is for general information only. Kael Tripton Ltd is not authorised or regulated by the FCA. Always verify details with an FCA-authorised insurer or broker before purchasing.
Frequently Asked Questions
Does my business insurance cover ransomware?
Standard business insurance (office, shop, public liability, professional indemnity) does not cover ransomware, data breach costs, or cyber business interruption. These are explicitly excluded. A standalone cyber insurance policy is required to cover these losses.
Does cyber insurance cover me if I pay a ransom?
Some cyber policies include ransom payment cover, subject to conditions including insurer approval before payment and compliance with sanction screening (payments to designated parties are prohibited). Insurers are increasingly cautious about ransom cover given regulatory concerns and the risk of incentivising attacks. Check the specific policy terms and confirm with the insurer before any payment is made.
What is business email compromise and is it covered?
BEC (Business Email Compromise) is where attackers spoof or compromise an email account to direct fraudulent payments - for example, an attacker impersonating a supplier to redirect a payment to a criminal bank account. Many cyber policies classify BEC as crime or social engineering fraud rather than a cyber event and exclude it under the standard cyber cover. A specific social engineering or crime extension is required. Check the policy carefully.
Does cyber insurance cover GDPR fines?
Cyber policies typically cover the costs of an ICO investigation (legal fees, forensic investigation, PR) but the coverage of the regulatory fine itself varies. UK public policy generally restricts the insurability of punitive fines, and not all cyber policies cover ICO fines. Check the regulatory penalties section of the policy wording. The costs of notifying affected individuals and the investigation itself are more reliably covered.
What is Cyber Essentials and does it reduce my premium?
Cyber Essentials is an NCSC-backed certification scheme covering five basic security controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management. Cyber Essentials Plus involves independent verification of these controls. Many UK cyber insurers offer premium discounts for Cyber Essentials Plus certification. The scheme costs from approximately GBP 300 to GBP 1,000 for certification.