Cyber insurance for businesses

Cyber insurance is a specialist policy that covers the costs your business faces after a cyber attack, data breach, or IT system failure. It sits alongside your other business insurance but addresses risks that general liability policies typically exclude.

Unlike most traditional insurance, cyber cover protects against both the direct costs to your business (first-party losses) and claims brought against you by others (third-party liability). For any business that holds personal data, processes payments, or depends on IT systems to trade, it is increasingly a core part of risk management rather than a nice-to-have.

Why cyber insurance matters now

The scale of the threat to UK businesses is significant. According to the Department for Science, Innovation and Technology's Cyber Security Breaches Survey, 39% of UK businesses identified a cyber security breach or attack in 2023. Small businesses are not exempt — attackers increasingly target them because they tend to have weaker defences.

At the same time, UK data protection law creates real financial exposure. Under UK GDPR (via the Data Protection Act 2018), the Information Commissioner's Office (ICO) can impose fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. Beyond fines, a data breach triggers mandatory notification costs, potential compensation claims from affected individuals, and reputational damage that can take years to recover from.

Cyber insurance does not replace good security practices — you still need proper technical controls and GDPR compliance. But it provides a financial safety net when things go wrong despite your best efforts.

What cyber insurance covers

First-party cover (costs to your business)

First-party cover pays for the direct costs you incur after an incident:

• Breach response and forensics: Hiring specialist investigators to identify what happened, which systems were affected, and how to contain the breach
• Notification costs: Under UK GDPR, you must notify the ICO within 72 hours and may need to contact affected individuals — this can be substantial for large databases
• Business interruption: Lost income while your systems are down and the cost of temporary workarounds to keep trading
• Ransomware and extortion: Costs associated with ransomware attacks, including (in some policies) ransom payments, though insurers increasingly discourage payment
• System restoration: Rebuilding damaged systems, recovering data from backups, and replacing compromised hardware or software
• Crisis management and PR: Professional communications support to manage reputational damage with customers, suppliers, and the media

Third-party cover (claims against you)

Third-party cover protects against liability when others suffer because of a cyber incident at your business:

• Data protection claims: Defence costs and settlements when individuals whose data was compromised bring claims against you
• Regulatory fines: Where insurable under UK law, cover for fines imposed by the ICO or other regulators (note: not all fines are insurable — deliberate breaches are excluded)
• Customer compensation: Payments to customers or partners who suffered financial loss because of a breach at your business
• PCI DSS fines: If you handle payment card data and fail Payment Card Industry standards following a breach, your payment processor may impose fines
• Legal defence costs: Solicitor and barrister fees for defending regulatory investigations or civil claims

When you need cyber insurance

Cyber insurance is not legally mandatory, but certain business circumstances make it strongly advisable:

• You hold personal data under UK GDPR: Any business with a customer database, employee records, or mailing list has data protection obligations — and financial exposure if that data is compromised
• You trade online: E-commerce businesses, SaaS providers, and online service businesses face elevated risks from payment fraud, account takeovers, and website attacks
• Your business depends on IT systems: If you cannot trade when your systems are down, business interruption cover becomes essential
• You handle payment card data: PCI DSS compliance creates additional liability if card data is breached
• Your contracts require it: Larger clients and public sector organisations increasingly require suppliers to hold cyber insurance as a condition of contract

Even very small businesses are at risk. A sole trader with a customer email list holds personal data under UK GDPR. A small retailer taking card payments online faces PCI DSS obligations. The question is not whether you face cyber risk, but whether you can absorb the financial impact of an incident without insurance.

Relationship with UK GDPR compliance

Cyber insurance and UK GDPR compliance are complementary — you need both, and neither replaces the other.

What GDPR requires: You must implement appropriate technical and organisational measures to protect personal data. This includes access controls, encryption, staff training, and documented procedures. If a breach occurs, you must notify the ICO within 72 hours and, where there is high risk to individuals, notify them directly.

What insurance adds: Even with strong security, breaches can occur — through sophisticated attacks, supply chain compromises, or human error. Insurance covers the financial consequences: forensic investigation, notification costs, legal defence, and potential fines or compensation.

Important limitation: Cyber insurance will not pay out if you have fundamentally failed to implement basic security measures. Policies typically exclude claims arising from known vulnerabilities you failed to patch, deliberate non-compliance, or wilful negligence. Good security practices are a prerequisite for cover, not an alternative to it.

What insurers expect from your business

Cyber insurance underwriting has tightened significantly since 2020. Most insurers now require evidence of baseline security controls before they will offer cover — and better security typically means lower premiums.

Common underwriting requirements

• Multi-factor authentication (MFA): On email accounts, remote access, and administrative systems — this is now a near-universal requirement
• Regular patching: Applying software security updates within a reasonable timeframe (typically 14-30 days for critical patches)
• Backup and recovery: Documented backup procedures with regular testing, including offline or immutable backups that ransomware cannot encrypt
• Employee training: Cyber awareness training covering phishing, social engineering, and password hygiene
• Endpoint protection: Antivirus and endpoint detection on all devices

Cyber Essentials certification

Many insurers offer premium reductions of 10-25% for businesses holding Cyber Essentials certification. The scheme, backed by the National Cyber Security Centre (NCSC), verifies that your business has five baseline technical controls in place. Getting certified is good practice regardless of insurance — it demonstrates a minimum standard of cyber hygiene to customers and supply chain partners.

Choosing the right cover

Cyber insurance policies vary considerably in scope, limits, and exclusions. Consider these factors when selecting cover:

Assess your exposure

• Data volume: How many personal records do you hold? Breach notification costs scale with the number of affected individuals
• Revenue dependency: How long can your business survive without its IT systems? Business interruption cover should match your maximum tolerable downtime
• Contractual obligations: Do client contracts specify minimum cover levels?
• Sector requirements: Healthcare, financial services, and legal firms face heightened regulatory scrutiny and may need higher limits

Key policy terms to check

• Retroactive date: Does the policy cover breaches that occurred before the policy started but are discovered during the policy period?
• Regulatory fines: Are ICO fines explicitly included or excluded? Check whether the policy covers fines "where insurable by law"
• Ransomware: Some policies now exclude ransomware payments or cap them at a sub-limit
• Supply chain incidents: Does the policy cover you if a breach occurs at a third-party provider (such as your cloud host or payroll provider)?
• Incident response panel: Good policies include access to pre-approved forensic investigators, solicitors, and PR firms who can respond quickly

Typical cover levels

For small businesses, cover typically starts at £100,000 and ranges up to £1 million. Premiums for a small business with good security controls generally range from £300 to £1,500 per year, depending on sector, data volumes, and turnover. Businesses in higher-risk sectors (healthcare, financial services, e-commerce) or those with large customer databases should consider higher limits.