Cyber Insurance Explained
Do I Need Cyber Insurance? A Straight Answer for UK SMEs
No, cyber insurance is not a legal requirement for any UK business. There is no statute that makes you buy it, and nobody will fine you for not having it. The honest follow-up is that “not legally required” is doing a lot of work in that sentence, because the two things that actually push SMEs into buying it, contracts that demand it and a small chance of a ruinous incident, have nothing to do with the law. This page gives you a straight answer to whether you need it, built on the latest government data rather than insurer marketing.
The two real reasons SMEs buy cyber insurance
Reason one: a contract says so. Supplier agreements, public-sector tenders and client security questionnaires increasingly require either cyber insurance, Cyber Essentials certification, or both. For a lot of small firms this is the actual trigger: a procurement form lands asking for proof of cyber cover, and the choice is buy a policy or lose the work. If you bid for contracts, check the security schedules before you decide anything else on this page.
Reason two: tail risk. The Cyber Security Breaches Survey 2025/2026, published by the government on 30 April 2026, found 43% of UK businesses identified a breach or attack in the last 12 months: 42% of micro businesses, 46% of small, 65% of medium and 69% of large. The full figures are on the GOV.UK survey page.
Here is the part insurer marketing leaves out: the same survey found the median cost of a business’s most disruptive breach was zero. Most incidents are a blocked phishing email or a nuisance you clean up in an afternoon. So the typical incident costs little or nothing. The problem is the tail. Ransomware, a leaked customer database, or a fraudster redirecting a large payment can put a small firm out of business, and that is the scenario cyber insurance exists for. It is tail-risk cover, like buildings insurance, not a way to recoup routine annoyances.
That framing also explains the market: 47% of UK businesses now hold some form of cyber cover (55% of small businesses), yet government-commissioned research into SME adoption found that among SMEs without a policy, 28% do not think cyber insurance is necessary and 31% are deterred by unclear or limited advice from brokers, while nearly four in ten of the SMEs surveyed were not fully aware of the types of cyber insurance available. A lot of firms are deciding on instinct rather than numbers. You can do better with a simple test.
A decision test you can run in five minutes
Answer these four questions honestly:
- Do any current or likely contracts require cyber cover or Cyber Essentials? If yes, the decision is made for you.
- How much personal data do you hold? A client list of 40 trade customers is a different exposure from 20,000 consumer records with payment details. More records means higher notification, legal and regulatory costs if they leak.
- How many days of downtime could you absorb? If your systems went dark on Monday, when does it start costing serious money? A firm that can run on paper for a week needs less cover than one that loses revenue from hour one.
- Could anyone in your business be tricked into sending a large payment? Funds-transfer fraud, usually started by phishing, is the route to a single catastrophic loss. Phishing was the most common attack in the 2025/2026 survey at 38% of businesses; ransomware, for all the headlines, hit around 1%.
If you answered yes to question 1, or yes to two or more of questions 2 to 4, you are in the group that genuinely needs cover. If you answered no across the board (for example, a sole trader with no client data, no contractual requirements and a business that survives offline), you can reasonably hold off, and you will not hear that from an insurer’s website. Spend the money on the security controls instead, then revisit.
The cheapest legitimate first step: Cyber Essentials with cyber insurance included
Before pricing standalone policies, know this: UK-domiciled organisations under the scheme’s turnover threshold that certify their whole organisation to Cyber Essentials, the government-backed scheme, and opt in, get cyber liability insurance included at no extra cost. It carries a small fixed limit and a 24-hour incident helpline, underwritten by American International Group UK Limited and administered through Sutcliffe & Co on behalf of IASME, the NCSC’s delivery partner for the scheme.
For a micro business that fails the decision test above only narrowly, this is often the right answer: you get the security improvements, a certificate that satisfies many contract requirements, and baseline insurance, all for the price of the assessment. We cover the eligibility conditions and the opt-in box that trips people up in our guide to the free cyber insurance bundled with Cyber Essentials.
Be clear about its limits though. The bundled limit disappears fast in a serious incident, and the policy is not a substitute for business interruption cover if downtime is your big exposure.
| | Free IASME cover with Cyber Essentials | Standalone SME cyber policy |
|---|---|---|
| Cost | Included with certification | Broker-quoted premium; sector, turnover, data volume and controls move it a long way |
| Limit | Small fixed limit set by the scheme | Your choice from the standard limit tiers |
| Incident helpline | Yes, 24 hours | Yes, usually with forensics, legal and PR bundled |
| Business interruption | No meaningful cover at this limit | Core component, sized to your downtime exposure |
| Eligibility | UK-domiciled, under the scheme’s turnover threshold, whole-organisation certification, opt in | Underwriting questions; minimum security controls required |
| Best for | Micro and small firms wanting baseline cover plus certification | Firms with real data, downtime or contract exposure |
“Am I already covered?” Almost certainly not
The most common reason SMEs skip cyber insurance is the belief that professional indemnity or a combined business policy already handles it. It used to be partly true. It is not any more. Insurers have spent the last few years stripping so-called silent cyber out of PI and combined policies, following Lloyd’s market-wide requirement that policies state clearly whether cyber is covered, so cyber events are now explicitly limited or excluded. PI was designed for claims arising from your professional advice, not for your own ransomware recovery, breach notification costs or lost income, the first-party losses that hurt most. If you are relying on PI, read the exclusions; the difference is unpacked in cyber insurance vs cyber liability explained.
What it costs, and what insurers demand before they will cover you
Premiums for UK SMEs vary widely, with sector, turnover, data volume and security controls moving the number a long way in either direction. Our cyber insurance cost guide breaks the pricing down properly.
The bigger shift in 2025/26 is that insurers now treat certain controls as preconditions, not discounts:
- Multi-factor authentication, with no opt-outs. Missing MFA is one of the most common reasons applications are declined.
- Endpoint detection and response (EDR) on your devices, not just basic antivirus.
- Tested, offline or air-gapped backups.
- An incident response plan, even a short one.
Get the four controls in place before you apply, not after.
There is a sharper edge to this. Under the Insurance Act 2015 duty of fair presentation, telling an insurer you have MFA and tested backups when you do not can void the policy entirely. In one reported US case, an insurer moved to rescind cover because MFA existed on the firewall but not on the servers that were actually breached. Answer the proposal form as it really is; a slightly higher premium beats a refused claim.
Two exclusions competitors gloss over
ICO and GDPR fines are not reliably insurable. Policies use wording like “to the extent insurable by law” because whether a UK regulator’s fine can legally be insured is uncertain and fact-specific; FCA fines are expressly uninsurable. What policies genuinely do cover is regulatory investigation defence costs, breach notification and remediation, which is where most of the money goes anyway. Any page telling you flatly that “GDPR fines are covered” is overselling. Remember too that a notifiable personal data breach must reach the ICO within 72 hours of you becoming aware, weekends included, insured or not.
Ransoms are never a given. Policies may cover extortion costs, but the NCSC and the insurance bodies ABI, BIBA and IUA have issued joint guidance aimed at reducing ransom payments, and insurers generally require their consent before any payment is made. Do not buy a policy assuming it is a ransom-payment machine. The full picture of what is in and out is in what cyber insurance covers and excludes.
How much cover: a method, not a guess
Most guides list factors and stop. Instead, estimate three numbers and size to the worst plausible combination:
- Data exposure: the number of personal records you hold, multiplied by a realistic per-person cost of notification, support and legal handling if they all leaked.
- Downtime exposure: your daily revenue at risk, multiplied by a realistic recovery period in days if your systems were encrypted.
- Fraud exposure: the largest single payment someone in your business could plausibly be tricked into redirecting.
Add the two largest together, round up to the nearest standard limit, and that is your starting point for limit conversations with a broker. A firm with thousands of consumer records and revenue that stops the moment systems go down should be looking at the higher limits; a low-data, low-downtime firm rarely needs the top tier.
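To make the five-minute decision test and the three-number sizing method above concrete, here is an added worked example (not code from the original page or from any insurer or scheme). It assumes an illustrative set of standard limit tiers, a per-record handling cost and sample business figures, all constructed for the example; the page does not list real tier values, so substitute the tiers your broker quotes.

```python
"""Worked example of the decision test and the cover-sizing method.

Assumptions (constructed for this example, not from the page or any insurer):
- ASSUMED_LIMIT_TIERS stands in for the "standard limit tiers" a broker quotes.
- The per-record cost and the sample firm's figures are illustrative only.
"""

from dataclasses import dataclass

# Illustrative limit tiers in GBP; replace with the tiers your broker offers.
ASSUMED_LIMIT_TIERS = (100_000, 250_000, 500_000, 1_000_000, 2_000_000, 5_000_000)


def needs_cover(contract_requires: bool, data_exposure_high: bool,
                downtime_costly: bool, payment_fraud_possible: bool) -> bool:
    """Decision test: yes to question 1, or yes to two or more of questions 2-4."""
    if contract_requires:
        return True
    return sum([data_exposure_high, downtime_costly, payment_fraud_possible]) >= 2


@dataclass
class Exposures:
    """The three numbers the sizing method asks you to estimate."""
    personal_records: int          # records held that could leak
    cost_per_record: float         # notification, support and legal cost per person (assumed)
    daily_revenue_at_risk: float   # revenue lost per day of downtime
    recovery_days: float           # realistic days to recover from encryption
    largest_redirectable_payment: float  # biggest single payment that could be misdirected

    def data_exposure(self) -> float:
        return self.personal_records * self.cost_per_record

    def downtime_exposure(self) -> float:
        return self.daily_revenue_at_risk * self.recovery_days

    def fraud_exposure(self) -> float:
        return self.largest_redirectable_payment


def round_up_to_tier(amount: float, tiers=ASSUMED_LIMIT_TIERS) -> int:
    """Smallest tier that covers `amount`; caps at the top tier (caller checks the flag)."""
    for tier in tiers:
        if amount <= tier:
            return tier
    return tiers[-1]


def starting_limit(exp: Exposures, tiers=ASSUMED_LIMIT_TIERS) -> dict:
    """Sum the two largest exposures and round up to the next tier."""
    components = {
        "data": exp.data_exposure(),
        "downtime": exp.downtime_exposure(),
        "fraud": exp.fraud_exposure(),
    }
    worst_plausible = sum(sorted(components.values(), reverse=True)[:2])
    return {
        "components": components,
        "worst_plausible": worst_plausible,
        "starting_limit": round_up_to_tier(worst_plausible, tiers),
        "exceeds_top_tier": worst_plausible > tiers[-1],
    }


if __name__ == "__main__":
    # Constructed sample firm: 5,000 consumer records, £4,000/day at risk,
    # ten days to rebuild, and a £60,000 supplier payment that could be redirected.
    firm = Exposures(personal_records=5_000, cost_per_record=15.0,
                     daily_revenue_at_risk=4_000.0, recovery_days=10,
                     largest_redirectable_payment=60_000.0)
    print("needs cover:", needs_cover(False, True, True, True))
    result = starting_limit(firm)
    for name, value in result["components"].items():
        print(f"{name:>9}: £{value:,.0f}")
    print(f"worst plausible combination: £{result['worst_plausible']:,.0f}")
    print(f"starting limit to discuss: £{result['starting_limit']:,}")
```

The sample firm's data exposure (£75,000) and fraud exposure (£60,000) are the two largest, giving £135,000, which rounds up to the £250,000 tier in the assumed table. The `exceeds_top_tier` flag matters for a high-data, revenue-stops-immediately firm: if the sum clears the largest tier you have, that is the signal to discuss higher limits rather than silently cap.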
Whatever you buy, the NCSC’s cyber insurance guidance is blunt on one point worth ending on: insurance complements security, it does not replace it. Most policies are reassessed every 12 months, insurers increasingly bundle incident response services that are worth real money to a firm with no IT team, and some discount for Cyber Essentials. The right order for most SMEs is controls first, certification second, then insurance sized to what is left.
Frequently asked questions
Is cyber insurance a legal requirement in the UK? No. No UK law requires any business to hold cyber insurance. The practical drivers are contractual, with tenders and supplier agreements increasingly demanding cover or Cyber Essentials, and the financial risk of a serious incident.
Do I still need cyber insurance if I have Cyber Essentials? Cyber Essentials reduces your risk and, for whole-organisation certifications under the scheme’s turnover threshold, includes free cyber liability insurance if you opt in. That is real cover but a small fixed limit; firms with meaningful data, downtime or contract exposure usually still need a standalone policy on top.
Does cyber insurance cover ICO or GDPR fines? Not reliably. Insurability of UK regulatory fines is legally uncertain, which is why policies hedge with “to the extent insurable by law”. Defence costs, notification and remediation are covered; treat fine cover as a maybe at best.
Doesn’t my professional indemnity policy already cover cyber? Almost certainly not any more. Insurers have removed silent cyber from PI and combined policies, so first-party losses like ransomware recovery and lost income are limited or excluded. Check your exclusions before relying on it.
What will an insurer require before covering me? The 2025/26 baseline is MFA everywhere, endpoint detection and response, tested offline backups and an incident response plan. Missing MFA and weak endpoint protection are common reasons applications are declined, and misstating controls can void the policy under the Insurance Act 2015.
Is it worth it if I barely store customer data and have good backups? Possibly not yet. If you also have no contractual requirements and could trade through a week of downtime, the better first spend is Cyber Essentials, which brings the free bundled insurance with it. Revisit the decision when your data, contracts or downtime exposure grows.