Cyber insurance covers the financial costs of responding to a cyberattack or data breach — forensic investigation, legal costs, customer notification, defence of regulatory proceedings, ransomware payment, and business income lost during system downtime. The average cost of a cyber incident for a UK SME was £8,460 in 2024 according to Hiscox. 39% of UK businesses identified at least one cyberattack in 2023. Any business holding customer data, dependent on IT systems to trade, or operating online has a measurable cyber risk — and cyber insurance is the only product designed to cover it.
Cyber insurance is a UK business policy that pays the first-party response costs and third-party liability claims arising from a cyberattack, data breach, or IT system failure — covering forensic investigation, notification, business interruption, ransomware, legal defence, and regulatory response.
The Cyber Threat Landscape for UK Businesses in 2026
The Department for Science, Innovation and Technology (DSIT) Cyber Security Breaches Survey 2024 found that 50% of UK businesses and 32% of charities reported a cyber breach or attack in the previous 12 months. For medium-sized businesses (50–249 employees), the figure rose to 70%.
The three most common attack vectors targeting UK SMEs:
Phishing and spear-phishing (83% of identified attacks): Fraudulent emails designed to steal credentials, deliver malware, or redirect payments. Business email compromise — where an attacker impersonates a senior executive to instruct a financial transfer — caused average losses of £23,000 per incident in the UK in 2023 according to Action Fraud data.
Ransomware: Malicious software encrypts business data and demands payment for the decryption key. The average ransomware demand against UK SMEs in 2024 was £93,000 (Sophos State of Ransomware Report 2024). Most affected businesses also face business interruption costs — the average downtime is 21 days.
Supply chain attacks: Attacks that compromise a software or service provider in order to reach the businesses that rely on it. The 2021 Kaseya VSA attack compromised over 1,500 businesses globally through a single IT management software provider. As direct security improves at larger businesses, attackers increasingly target smaller suppliers as the entry point.
The UK GDPR exposure: Under UK GDPR, any business experiencing a personal data breach that poses a risk to individuals must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Failure to notify carries fines of up to £17.5m or 4% of global annual turnover (whichever is higher). The notification obligation exists regardless of how the breach occurred or who was at fault.
What Cyber Insurance Covers — the Full Policy Breakdown
Cyber insurance is structured around two coverage areas: first-party costs (your own losses) and third-party liability (claims by others against you).
First-Party Coverage — Your Own Costs
Incident response and forensic investigation: The first cost of any cyberattack is identifying what happened, what data was accessed, and how the attacker got in. Specialist cyber incident response firms charge £200–£500 per hour for breach investigation. For a complex breach investigation, costs of £15,000–£80,000 are not unusual. Cyber insurance pays these directly — often through a panel of pre-approved incident response firms the insurer manages on your behalf.
Data breach notification: UK GDPR requires notification to the ICO within 72 hours and notification to affected individuals where the breach creates significant risk. Notification costs include legal advice on notification obligations, credit monitoring services offered to affected individuals, and in large breaches, dedicated notification services. Cyber insurance covers these costs.
Business interruption from cyber event: Standard business interruption insurance (bundled with commercial property) typically excludes losses caused by cyberattacks — it requires physical property damage as the trigger. Cyber insurance provides business interruption coverage for trading losses during the period your systems are unavailable, from the first hour of downtime to the maximum indemnity period specified in the policy.
Data recovery and system restoration: The cost of restoring encrypted or corrupted data from backups — or recreating it where no backup exists — is covered. System reconfiguration, security patching, and the cost of replacing hardware rendered unusable by the attack are also included.
Ransomware payments: Where a ransomware payment is made, cyber insurance has historically covered the payment amount. This position has changed materially since 2022.
Cyber extortion and threat management: Beyond ransomware, cyber extortion includes threats to publish stolen data, DDoS attacks used as leverage, and threats targeting executives. Cyber insurance typically covers the cost of specialist crisis negotiators and legal advice during extortion situations.
Reputation management: Public relations costs following a high-profile breach — particularly where customer data was exposed — are covered under most comprehensive cyber policies.
Third-Party Coverage — Claims Against You
Privacy liability: If personal data you hold is exposed in a breach and affected individuals bring claims against you for distress or financial harm, privacy liability coverage pays your legal defence costs and any compensation awarded.
Regulatory proceedings: The ICO can investigate data breaches and issue enforcement notices. While cyber insurance cannot cover the fines themselves (regulatory fines are excluded from all UK insurance products), the legal costs of responding to and defending an ICO investigation are covered under most comprehensive cyber policies.
Media liability: If digital content you publish — website content, emails, social media — is alleged to be defamatory, infringe copyright, or cause another form of media harm, media liability coverage under a cyber policy pays the defence costs.

How Much Does Cyber Insurance Cost for UK Businesses?
Cyber insurance premiums in the UK are determined by five primary factors: annual revenue, industry sector, volume and sensitivity of personal data held, IT security posture, and claims history.
2026 Indicative Annual Premiums by Revenue Band
| Annual Revenue | Core Cover | Standard Cover | Comprehensive |
|---|---|---|---|
| Under £500k | £280–£480 | £420–£720 | £620–£1,050 |
| £500k–£1m | £380–£680 | £570–£980 | £840–£1,450 |
| £1m–£5m | £580–£1,050 | £870–£1,580 | £1,280–£2,350 |
| £5m–£10m | £900–£1,680 | £1,350–£2,520 | £1,980–£3,780 |
| £10m–£25m | £1,500–£2,800 | £2,250–£4,200 | £3,300–£6,300 |
The Security Posture Discount — What You Can Control
Unlike most insurance classes, cyber insurers actively price for your security practices. The difference between a business with strong security controls and one without can be 25–45% on annual premiums.
Security measures that reduce cyber insurance premiums — and that all insurers now ask about at application:
Multi-factor authentication (MFA): Required by most cyber insurers as a minimum condition for coverage on email, remote access, and privileged admin accounts. Absence of MFA on admin accounts is cited in over 60% of successful ransomware attacks. Some insurers exclude ransomware coverage entirely for businesses without documented MFA implementation.
Regular and tested backups: Offline or immutable backups that cannot be encrypted by ransomware are the primary recovery mechanism. Insurers want to see: backup frequency (daily minimum), backup isolation (offline or cloud with versioning), and evidence that backups are tested by actual restoration.
Patching and vulnerability management: Systems with outstanding critical security patches are a common entry point for attackers. Documented patching cycles — particularly for internet-facing systems, remote access tools, and email platforms — are weighted positively.
Employee security awareness training: Phishing simulation programmes and annual security training reduce the probability of a successful social engineering attack. Evidence of training programmes is increasingly a standard underwriting question.
Endpoint detection and response (EDR): EDR tools detect and respond to malicious activity on endpoints before it propagates. Insurers rate businesses with EDR more favourably than those with standard antivirus only.
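The backup point above (insurers want evidence that backups are tested by actual restoration) can be turned into a repeatable check rather than a statement on an application form. The POSIX shell script below is an added example, not code from the article or from any insurer: it builds constructed sample data, archives it with tar, restores the archive into a scratch directory and compares SHA-256 checksums of every file, returning failure when anything is missing or altered. The function names make_sample and restore_test, the directory layout and the sample file contents are assumptions; the script relies on tar, gzip and GNU sha256sum being available and on file names without whitespace.

```shell
#!/bin/sh
# Added example (not from the article): a minimal backup restore test.
# Assumes tar, gzip and GNU sha256sum; file names without whitespace.
set -eu

# make_sample <base_dir>
# Creates constructed sample data under <base_dir>/source and archives it
# to <base_dir>/backup.tgz. Contents are placeholders, not real records.
make_sample() {
  base="$1"
  mkdir -p "$base/source/customers" "$base/source/invoices"
  printf 'id,name\n1,constructed sample\n' > "$base/source/customers/list.csv"
  printf 'INV-0001 paid\n' > "$base/source/invoices/2024.txt"
  tar -czf "$base/backup.tgz" -C "$base/source" .
}

# checksum_tree <dir>
# Prints a sorted "hash path" line for every regular file under <dir>.
checksum_tree() {
  (cd "$1" && find . -type f | sort | xargs sha256sum)
}

# restore_test <source_dir> <archive> <scratch_dir>
# Restores <archive> into <scratch_dir> and compares every file's checksum
# with the live source tree. Returns 0 only when the restored tree is
# complete and byte-identical; 1 if extraction fails or any file differs.
restore_test() {
  src="$1"; archive="$2"; scratch="$3"
  rm -rf "$scratch"; mkdir -p "$scratch"
  tar -xzf "$archive" -C "$scratch" 2>/dev/null || return 1
  expected=$(mktemp); actual=$(mktemp)
  checksum_tree "$src" > "$expected"
  checksum_tree "$scratch" > "$actual"
  if cmp -s "$expected" "$actual"; then
    rm -f "$expected" "$actual"
    return 0
  fi
  # Show the differences so the failure is actionable, then fail.
  diff "$expected" "$actual" || true
  rm -f "$expected" "$actual"
  return 1
}

# Stand-alone demonstration on constructed data in a temporary directory.
demo() {
  work=$(mktemp -d)
  make_sample "$work"
  if restore_test "$work/source" "$work/backup.tgz" "$work/restore"; then
    echo "restore test PASSED for $work/backup.tgz"
  else
    echo "restore test FAILED for $work/backup.tgz"
  fi
  rm -rf "$work"
}
demo
```

In practice the archive would be the real backup pulled from the offline or versioned store, and the script's exit status and diff output logged with a date, which is the kind of restoration evidence the underwriting question asks for. A partial archive (a directory left out of the backup job) fails the check because the checksum listings no longer match line for line.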
Who Needs Cyber Insurance — the Risk Assessment
Highest exposure — consider cyber insurance essential:
- Businesses holding personal data for more than 500 individuals
- Businesses with online transaction processing or card payment systems
- Regulated businesses (financial services, healthcare, legal) where a breach triggers mandatory regulatory notification
- Businesses entirely dependent on IT systems to generate revenue — downtime equals zero trading
- Any business with remote working or cloud-based systems as its primary operating model
Significant exposure — strong case for cyber cover:
- Businesses with customer databases of any size
- Businesses using third-party software or cloud services for core operations
- Professional service firms holding client confidential information
- Any business with a website that processes contact forms, enquiries, or any form of personal data submission
Lower exposure — assess the residual risk:
- Businesses holding no customer personal data digitally
- Cash-only businesses with no online systems
- Sole traders with minimal digital footprint and no customer data obligations
The common misconception: Many SME owners believe their IT provider's security measures eliminate their cyber risk and therefore their need for insurance. Cyber insurance is not a substitute for security — it is the financial layer that responds when security measures fail. Security investment reduces the probability of an attack. Cyber insurance covers the financial consequence when an attack succeeds despite those measures.