HISCOX | Business Insurance
Hiscox cyber cover for SMEs, examined closely
This review looks at Hiscox cyber insurance for UK small businesses: what it covers, the conditions attached, what it costs, and how the firm is regulated. It draws on FCA register data, FOS complaint context and ABI framing.
TL;DR
Hiscox cyber insurance covers UK SMEs against the financial and operational fallout of cyber incidents such as ransomware, data breaches and business email compromise, typically including incident response, business interruption and liability. It is offered by an FCA-authorised insurer and can carry security conditions that affect cover. Sector-wide general insurance uphold rates commonly sit around 30 to 40 percent per FOS, with firm-level data available at the source.
Last reviewed: 22 June 2026
|
Key Facts
|
What Hiscox cyber insurance covers
Cyber insurance addresses the financial and operational consequences of digital incidents, an exposure that has grown sharply for smaller firms as more business moves online. Hiscox offers cyber cover as a distinct strand of its SME proposition, typically combining first-party costs (those the business itself incurs) with third-party liability (claims from others affected by an incident). The aim is to help a firm respond to and recover from an attack as much as to pay for its consequences.
Common cover elements include incident response and forensic investigation to identify and contain a breach, the costs of restoring data and systems, business interruption losses where systems are down, and notification and credit-monitoring costs following a data breach. Cyber extortion cover responds to ransomware demands, while cyber liability addresses claims from customers or third parties whose data was compromised. Some policies also cover financial loss from social-engineering fraud such as business email compromise, where staff are tricked into transferring funds.
A notable feature of cyber cover, and one that distinguishes it from many traditional policies, is the emphasis on rapid response. Access to a breach-response team in the critical hours after an incident can materially reduce the eventual loss, which is why the service element of cyber cover is often as valuable as the indemnity.
Conditions and what Hiscox cyber cover may not pay
Cyber policies frequently attach conditions tied to the security posture of the insured business, and these are important to understand. Cover can depend on the firm maintaining reasonable controls such as regular software patching, secure and tested backups, and multi-factor authentication on key systems. Where a claim arises from a failure to meet a stated condition, the insurer may be entitled to decline or reduce it, so the security requirements in the wording are not box-ticking; they affect whether cover responds.
Standard exclusions also apply. Losses from known vulnerabilities that were not addressed, deliberate or dishonest acts by the business, and prior incidents that existed before the policy started are commonly excluded. Bodily injury and physical property damage usually sit outside cyber cover and belong with other policies. Fines and penalties may be uninsurable in some circumstances depending on the law, and the wording will set out how regulatory costs are treated.
As with all commercial cover, the schedule defines limits, sub-limits, excesses and waiting periods, particularly for business interruption. Reading these carefully, and being honest about the firm's actual security controls at the application stage, are the steps that keep cover effective.
What Hiscox cyber insurance costs SMEs
Cyber premiums are rated on the individual risk and have been a dynamic area of pricing as the threat landscape evolves. The main factors are the size of the business, its sector and the sensitivity of the data it holds, annual turnover, the limit of indemnity, the security controls in place, and any history of incidents. A firm holding large volumes of personal or payment data will generally face a higher premium than one with minimal data exposure.
Hiscox competes on the breadth of cover and the quality of its incident-response service rather than on being the cheapest. When comparing quotes, businesses should look at what is actually included, particularly the response service, the business-interruption terms and the sub-limits for items like extortion and social engineering, because a lower premium can reflect narrower cover. Improving security controls can both reduce premium and reduce the likelihood of a claim.
- Business size, sector and data sensitivity
- Annual turnover and limit of indemnity
- Security controls such as MFA, patching and backups
- Incident and claims history
- Scope of cover and sub-limits selected
How Hiscox performs on complaints
Complaint data offers an objective view of how an insurer handles disputes. Where a policyholder cannot resolve a matter directly, eligible micro-enterprises and individuals can refer it to the Financial Ombudsman Service, which publishes complaint volumes and uphold rates by firm twice a year. General insurance uphold rates commonly fall in the 30 to 40 percent range sector-wide according to FOS, though this varies by product and firm.
Cyber claims can be technically complex, often turning on whether security conditions were met and how losses are quantified, so the clarity of the original policy setup matters. Anyone assessing Hiscox should consult its latest published complaint figures at financial-ombudsman.org.uk and weigh trends over time rather than a single period.
How to make a cyber claim with Hiscox
Speed is central to cyber claims. The policy will set out an incident notification process, and many cyber covers provide a dedicated response line to call as soon as an incident is suspected. Early contact allows the breach-response team to begin containment, preserve evidence and guide the business through immediate steps, which can limit the eventual loss. Delaying notification can both worsen the damage and prejudice the claim.
Practical steps usually include isolating affected systems where advised, preserving logs and evidence, not paying any ransom without insurer involvement, and documenting the timeline and impact. For data breaches, there may also be regulatory obligations to report to the Information Commissioner's Office within set timeframes, which the response team can help navigate. Keeping the insurer informed before incurring significant costs helps ensure they fall within cover.
Is Hiscox FCA authorised
Hiscox cyber insurance is provided by an FCA-authorised insurer operating within the UK regulatory framework. The authoritative way to confirm status is to search the FCA register at fca.org.uk/register, which shows the permissions the firm holds and whether authorisation is current. This review does not reproduce a reference number, because the register is the live and definitive source and figures copied elsewhere can fall out of date.
FCA authorisation brings the insurer within the FOS and Financial Services Compensation Scheme frameworks and subjects it to conduct rules on fair treatment of customers. For cyber policyholders, that framework underpins the routes to redress if a claim or service issue cannot be resolved directly.
|
What the Data Shows | |
| FCA authorisation | Authorised - confirm at fca.org.uk/register |
| Core cyber cover elements | Incident response, breach costs, business interruption, liability, extortion |
| Common policy condition | Security controls such as MFA, patching and backups |
| Sector-wide uphold rate | Commonly around 30-40% per FOS; verify firm-level at source |
|
Sources: FOS annual data 2024/25, FCA register, ABI. | |
Disclaimer: This review is based on publicly available information and primary regulatory sources. Kaeltripton is not FCA-authorised and does not provide financial advice. Always verify current cover details directly with the insurer and check the FCA register before purchasing.
Frequently asked questions
What does Hiscox cyber insurance actually cover?
It typically combines first-party costs such as incident response, data restoration and business interruption with third-party cyber liability. Many policies also cover extortion from ransomware and financial loss from social-engineering fraud, though the exact scope depends on the wording and the limits chosen.
Does my business need security measures in place to be covered?
Cyber policies often attach conditions tied to the firm's security, such as multi-factor authentication, regular patching and tested backups. A claim arising from a failure to meet a stated condition may be declined or reduced, so meeting and maintaining those controls is important.
Will cyber insurance pay a ransomware demand?
Cyber extortion cover can respond to ransomware, but policyholders should involve the insurer and its response team before taking any action rather than paying a demand directly. The response team helps assess options, and acting without involving the insurer can affect the claim.
How much does Hiscox cyber insurance cost?
Premiums are rated on the individual risk, drawing on business size, sector, data sensitivity, turnover, the limit chosen and the security controls in place. There is no flat rate, and stronger security can both lower the premium and reduce the chance of a claim.
What can I do if Hiscox declines a cyber claim?
Raise a formal complaint with the insurer first and allow it to respond. If the dispute is unresolved and the business is an eligible complainant, it can be referred to the Financial Ombudsman Service for a free independent review. The eligibility rules and process are set out at financial-ombudsman.org.uk.
Sources:
- Financial Conduct Authority register: fca.org.uk/register
- Financial Ombudsman Service annual data 2024/25: financial-ombudsman.org.uk
- Association of British Insurers: abi.org.uk
