Cyber insurance for UK SMEs: what it covers, what it costs, and whether you need it
Practical perspective from an IT leader working across operations, security, automation, and change.
Why cyber insurance matters for UK SMEs right now
Cyber insurance for UK SMEs has moved from a niche product to a serious business consideration. The National Cyber Security Centre (NCSC) reported in its 2024 Cyber Security Breaches Survey that 50% of UK businesses experienced some form of cyber incident in the previous twelve months. For small and medium-sized businesses, the financial consequences of even a modest incident — a ransomware attack, a data breach, or a successful phishing campaign — can be severe enough to threaten the business itself.
Many SME owners assume cyber attacks are a problem for large enterprises with valuable intellectual property or high-profile customer data. That assumption is increasingly dangerous. Attackers frequently target smaller organisations precisely because their defences are weaker and their incident response capabilities are limited. A business processing payment card data, storing customer records, or operating any kind of connected infrastructure carries meaningful cyber risk.
Insurance does not prevent an attack. But it does transfer the financial risk of one, and that is exactly what it is designed to do.
First-party versus third-party coverage
Before comparing policies, it helps to understand the two fundamental categories of cyber insurance coverage: first-party and third-party.
First-party coverage pays for losses your business suffers directly. This includes the cost of investigating and containing an incident, restoring data and systems, lost revenue during downtime, and ransom payments if you choose to make them. It is the coverage that keeps your business operational after an attack.
Third-party coverage pays for claims made against your business by others. If a data breach exposes customer personal data and those customers seek compensation, or if the Information Commissioner's Office (ICO) investigates your data handling practices and imposes a fine, third-party cover is what responds. Legal defence costs, regulatory penalties, and compensation settlements all fall into this category.
Most comprehensive cyber insurance policies bundle both. Some lower-cost policies focus primarily on first-party losses, which can leave businesses exposed to regulatory and legal liability. Understanding which category each policy element falls into helps you evaluate whether a given policy actually meets your risk profile.
What UK cyber insurance policies typically cover
UK cyber policies vary considerably, but the following elements appear in most comprehensive products on the market.
Incident response costs
When a serious incident occurs, you need specialist help quickly. Good policies include access to a retained incident response team — forensic investigators, legal counsel, and public relations advisers — at no additional cost. This is often one of the most valuable benefits, particularly for SMEs that do not have these relationships in place. Having an incident response plan before you need it matters, and good insurers support that.
Data recovery and system restoration
Restoring encrypted or corrupted data, rebuilding compromised systems, and returning to normal operations costs money and time. Policies typically cover the direct costs of recovery, including third-party contractor fees, up to a defined limit.
Business interruption
If an incident takes your systems offline and you lose revenue as a result, business interruption coverage compensates for that lost income. Most policies apply a waiting period before this kicks in — typically eight to twenty-four hours — and cover a defined period of disruption.
Regulatory fines and ICO notification costs
Under UK GDPR, businesses must notify the ICO within seventy-two hours of a personal data breach. The cost of legal advice, notification to affected individuals, and regulatory defence can add up quickly. Many cyber policies cover these costs directly, and some cover a portion of any regulatory fine imposed, although the ICO's enforcement decisions cannot be contractually transferred in full.
Cyber extortion and ransomware
Most comprehensive policies include cover for extortion payments and the costs of engaging specialist negotiators. This is an area that has evolved considerably as ransomware incidents have increased. Note that paying a ransom is a significant decision with legal and ethical dimensions — your insurer's incident response team will guide you through this if you are ever in that position.
Social engineering fraud
Business email compromise and invoice redirection fraud are among the most common causes of financial loss for UK SMEs. Some policies include social engineering coverage as standard; others require it as an endorsement. If your business handles supplier payments or client transfers, this is worth checking explicitly.
Common exclusions to watch for
Policy exclusions are where many businesses find out, too late, that their coverage does not apply. The following are the most significant.
Known, unpatched vulnerabilities. If your systems were compromised through a vulnerability that had a publicly available patch you had not applied, some insurers will deny the claim. This is a direct incentive to maintain good patch management practices.
Acts of war and state-sponsored attacks. This exclusion has attracted significant attention following attribution of major incidents to nation-state actors. The exact wording varies between policies, and some insurers have clarified their position on this. If your sector is considered critical infrastructure or you have exposure to geopolitical risk, read this clause carefully.
Failure to maintain security controls. Policies typically require you to maintain the security measures you declared when applying for cover. If you said you had multi-factor authentication deployed and you had not, a claim arising from a credential-based attack could be challenged.
Systems you do not own or control. If you rely heavily on third-party cloud services or shared infrastructure, check how your policy handles incidents originating in those environments. Some policies extend to cover losses from third-party outages; many do not.
Typical cyber insurance premiums for UK SMEs
Premium levels depend on several factors: your annual turnover, the type of data you process, the industry you operate in, the security controls you have in place, and your claims history.
As a rough guide, small businesses with turnover under £1 million and standard security controls can expect to pay between £500 and £1,500 per year for a comprehensive policy. Businesses turning over £2 million to £5 million typically see premiums in the £1,500 to £3,500 range. Higher-risk sectors — healthcare, financial services, legal, and retail with high card transaction volumes — will pay more.
Premiums have risen across the market over the past three years in response to increased claims frequency and the growing cost of ransomware incidents. The British Insurance Brokers' Association (BIBA) publishes guidance on cyber insurance and can help SMEs find brokers with specialist expertise in this area.
How to assess whether you need cyber insurance
Not every SME faces the same level of cyber risk, and insurance is not a substitute for good security practice. But most UK businesses that meet one or more of the following criteria should take it seriously.
- You process personal data belonging to customers, employees, or third parties.
- You rely on IT systems being available to operate day to day.
- You handle financial transactions or hold payment card data.
- You have regulatory obligations under UK GDPR or sector-specific rules.
- You would struggle to absorb an unplanned cost of £10,000 to £50,000 without serious business disruption.
If you have invested in penetration testing and already understand your attack surface, that context will help you have a more informed conversation with a broker about what coverage you actually need.
Choosing the right policy
Working with a specialist broker is the most reliable way to find appropriate coverage. The BIBA directory includes brokers with cyber insurance expertise who can compare policies across the market and explain the differences in plain terms.
When evaluating policies, focus on: the limits offered relative to your likely maximum loss; the quality and accessibility of the incident response service; the specific list of covered events and exclusions; and the claims process. Ask insurers directly how they have handled ransomware claims and what their average time to respond to an incident notification is.
Do not buy cyber insurance in isolation. Review your existing business interruption, professional indemnity, and crime policies to understand where overlaps or gaps exist. Some losses could be covered under existing policies; others will require specific cyber cover.
How cyber insurance fits with Cyber Essentials
Cyber Essentials is the UK government-backed certification scheme developed by the NCSC. It establishes a baseline of five security controls — firewalls, secure configuration, access control, malware protection, and patch management — that protect against the majority of common cyber attacks.
Holding Cyber Essentials certification has a direct effect on your insurability and your premium. Many UK insurers offer discounts of ten to twenty percent for certified businesses, and some treat it as a prerequisite for full coverage. From an underwriter's perspective, certification is evidence that your business has addressed the most exploitable weaknesses.
Beyond the premium benefit, Cyber Essentials helps you meet the requirements that insurers impose through policy conditions. The certification process requires you to have patched software, configured firewalls, and restricted administrative access — all of which appear as conditions in standard cyber insurance policies. Achieving certification before you apply for insurance reduces the risk of a claim being challenged on the basis that your controls were inadequate.
Cyber Essentials Plus takes this further with an independent technical assessment. For businesses in higher-risk sectors or seeking higher coverage limits, Plus certification is increasingly expected by underwriters.
Making cyber insurance work for your business
Cyber insurance is a financial risk transfer tool, not a security strategy. The businesses that get the most value from it are those that treat it as one layer in a broader risk management approach — investing in security controls, maintaining good hygiene practices, and having a tested incident response plan in place before they need it.
The NCSC's small business guidance, the ICO's breach notification requirements, and BIBA's broker network are all practical starting points. But the most effective step you can take is to assess your current security posture honestly and then align your insurance coverage to the residual risk that remains after your controls are in place.
If you want help understanding your cyber risk profile, assessing whether your current security controls meet insurer requirements, or preparing your business for Cyber Essentials certification, take a look at the services available. Getting the security foundations right makes insurance more effective, premiums more manageable, and your business more resilient overall.
Frequently Asked Questions
Is cyber insurance worth it for UK small businesses?
- For most UK SMEs handling customer data or relying on IT systems, cyber insurance is worth considering. The cost of a ransomware attack or data breach — including recovery, legal costs, and ICO notification — can run into tens of thousands of pounds. Cyber insurance transfers that financial risk for a relatively modest annual premium, typically £500 to £3,000 for a small business.
What does cyber insurance cover in the UK?
- UK cyber insurance policies typically cover first-party losses (incident response costs, data recovery, business interruption) and third-party liability (regulatory fines, legal defence, compensation claims). Many policies also include access to an incident response team. Coverage varies significantly between insurers, so reading the policy wording carefully before buying is essential.
Does Cyber Essentials certification affect cyber insurance premiums?
- Yes. Many UK insurers offer reduced premiums for businesses that hold Cyber Essentials or Cyber Essentials Plus certification. Some brokers and insurers treat it as a prerequisite for full coverage. Achieving Cyber Essentials demonstrates a baseline of security hygiene that reduces your risk profile in the eyes of underwriters.
What does cyber insurance not cover?
- Common exclusions include: incidents caused by known, unpatched vulnerabilities; acts of war or state-sponsored attacks; losses from systems you do not own; and losses arising from failure to maintain basic security controls. Some policies exclude social engineering fraud unless specifically added as an endorsement.
About the author
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.