
Cyber Insurance Explained

What Cyber Insurance Actually Covers (and the Exclusions Nobody Reads)

By the Assured Cyber Protection team · Updated 2026 · Reviewed

Cyber insurance for a UK small business pays for the things that actually happen after an attack: the incident-response team and forensics, restoring your data, the income you lose while systems are down, ransom and extortion negotiation, breach notification, plus the third-party costs if someone sues you or the ICO opens an investigation. What trips most buyers up is not the cover. It is the exclusions, the conditions and the sub-limits that quietly decide whether a claim gets paid. This guide walks through both, in plain English, grounded in UK rules (Lloyd’s, the ABI, the ICO) rather than American sales pages.

What cyber insurance actually covers

A standard UK SME policy is built from two halves. First-party cover pays for your own losses. Third-party cover pays for claims other people bring against you. Most policies bundle the sections below, though the exact mix and limits vary, and a slim “cyber” add-on inside a general business policy will cover far less than a true standalone policy.

Section                                 | What it pays for                                                           | First or third party
----------------------------------------|----------------------------------------------------------------------------|---------------------
Incident response and forensics         | Specialist firm to investigate, contain and remediate the breach          | First
Data restoration                        | Recovering or rebuilding corrupted or lost data                            | First
Business interruption                   | Income lost while systems are down, sometimes including a knock-on period | First
Cyber extortion / ransomware            | Ransom negotiation and, where lawful, payment                              | First
Crisis management and PR                | Managing reputation and public communications                              | First
Notification and credit monitoring      | Telling affected people and monitoring services                            | First
Privacy and network security liability  | Claims from people whose data leaked, or whose systems you infected        | Third
Regulatory defence                      | Legal costs defending an ICO investigation under UK GDPR                   | Third
PCI DSS penalties                       | Card-scheme fines and assessments, where card data is involved             | Third

That looks generous, and for the common claims (a ransomware hit, a lost laptop, an email compromise) it usually is. The catch is that each section can carry its own sub-limit, and the policy as a whole carries a list of exclusions that most buyers never read. For a fuller breakdown of how these two halves work, see our first-party vs third-party cyber cover explainer.

Does it cover ransomware?

Yes, ransomware is one of the main things cyber insurance is bought for. The extortion section covers negotiation, the ransom payment where it is legal to make one, and the first-party costs of recovery. UK insurers paid out roughly GBP 197 million in cyber claims in 2024, according to the Association of British Insurers, with malware and ransomware alone accounting for over half of all claims. Note two limits, though: paying a ransom can be unlawful if the recipient is a sanctioned entity, and the policy restores you to your pre-incident state, not a better one (see betterment below).

The exclusions nobody reads

The ABI publishes a list of common cyber insurance exclusions, and brokers rarely walk you through them line by line. These are the ones that decide real claims.

The war and “acts of foreign enemies” exclusion

Every cyber policy excludes loss caused by war. Traditional wording goes further, excluding loss “directly or indirectly caused by, resulting from or in connection with war (whether declared or not), invasion, hostilities, acts of foreign enemies, terrorism, warlike operations, rebellion, revolution or insurrection.” The phrase that catches people is “acts of foreign enemies,” because a serious cyber-attack is often eventually attributed to a nation state.

This is not theoretical. When the NotPetya malware spread in June 2017, it infected more than 40,000 Merck machines, and the company’s insurers refused a claim built on around USD 1.4 billion of losses, relying on a “hostile or warlike action” exclusion in an all-risk property policy. The New Jersey courts sided with Merck, finding the exclusion required actual military action, and the parties reached a confidential settlement in early January 2024 just before the state’s highest court was due to hear the case. The insurance market’s answer was not to give up on the exclusion. It was to write a sharper, cyber-specific one.

Since 31 March 2023, Lloyd’s Market Bulletin Y5381 has required every standalone cyber policy written or renewed at Lloyd’s to carry a state-backed cyber-attack exclusion, satisfied by one of four model clauses (LMA5564, LMA5565, LMA5566, LMA5567) first published by the Lloyd’s Market Association on 25 November 2021. These exclude loss from war and from state-backed cyber-attacks that significantly impair a state’s ability to function or its security capabilities. Crucially, under LMA5564 the primary but not exclusive factor for deciding which state was behind an attack is any attribution made by the government of the state where the affected computer system is physically located. In plain terms: if the UK government attributes an attack to a foreign state, your insurer can point to that attribution to deny the claim.

Critical national infrastructure exclusion

Losses arising from the failure of critical national infrastructure (electricity, gas, water, satellite or telecoms) are commonly excluded. If a major cloud or telecoms provider goes down and takes your business with it, the resulting interruption may not be covered, because the trigger sits upstream of you. Read the dependent-business-interruption wording carefully.

Prior known circumstances

A policy will not pay for a problem you already knew about. The prior known circumstances (or prior acts) exclusion voids claims where you “knew or ought to have known” of a vulnerability or circumstance likely to give rise to a claim before the policy started. This is one of the most contentious cyber exclusions in the UK. A penetration-test report that flagged risks you never fixed is documented evidence that you knew. Get a test, then act on it, or the report itself becomes the insurer’s defence.

Failure to maintain minimum security standards

This is the big one, and it overlaps with the proposal form you sign at application. If you attested to having certain controls and they were not actually in place at the time of the incident, the insurer can decline. Material misrepresentation on the proposal form is cited as the single biggest reason cyber claims are denied. Multi-factor authentication has become the decisive control: Coalition’s 2024 claims data found that around 82% of denied claims involved organisations without MFA. The practical lesson is to answer the application honestly and keep evidence (screenshots, configuration logs, vendor confirmations) that your attested controls were genuinely live. We go deeper on this in why cyber insurance claims get refused.

Betterment

Insurers pay to put you back where you were, not to make you safer. The betterment exclusion means the cost of patching, hardening, upgrading or replacing systems beyond their pre-incident condition, including removing the pre-existing vulnerability that let the attacker in, falls on you. Many SMEs assume the insurer rebuilds them “better.” It does not. The security improvements that stop the same breach happening again are your bill.

Unencrypted device exclusion

Many policies exclude or dispute losses from the theft or loss of devices that were not encrypted, treating encryption as a basic expected control. A stolen laptop full of client data may not trigger cover if that laptop was not encrypted. Full-disk encryption is built into modern hardware at no extra cost; the absence of it has driven real claim denials.

Social engineering and BEC sub-limits

Social engineering, business email compromise and funds-transfer fraud (the “change of bank details” invoice scam, the fake-CEO payment request) are frequently not covered as standard. Where cover exists, it is usually a specific endorsement carrying a sub-limit far below the headline policy limit, often a small fraction of the total. Worse, the cover can be defeated if your staff did not follow your own documented payment-verification procedure. So you need the endorsement, you need to read the sub-limit, and you need a verification process your people actually follow. We cover the mechanics in social engineering and BEC cover.

Other standard exclusions

The ABI list also covers: bodily injury and property damage from a cyber event; criminal, civil or regulatory fines and penalties you are legally obliged to pay; claims by related entities (your own staff, contractors, partly owned subsidiaries); and territorial limits that often exclude North American jurisdiction. On fines specifically, regulatory defence costs (the legal cost of dealing with an ICO investigation) are often covered, but the fine itself may be excluded, and some ICO penalties may be uninsurable as a matter of public policy.

What “sub-limit” means in practice

Your policy has a headline limit, the maximum it will pay overall. A sub-limit is a smaller cap that applies to one specific section. Social engineering, cyber extortion and PCI penalties commonly sit under sub-limits. A policy advertised with a large headline limit can still cap invoice-fraud losses at a tiny fraction of it. Always read the schedule, not the brochure, and check the excess (retention) on each section too, because a high excess can wipe out a small sub-limited claim entirely.

Standalone cover versus the cyber bit in your business policy

UK adoption is rising. The Government’s Cyber Security Breaches Survey 2025 found that the share of small businesses with some form of cyber insurance rose to 62%, up from 49% in 2024. But “some form” matters: most of that is limited cyber cover bundled into wider business insurance, not a true standalone policy. Bundled cover tends to have low limits, narrow definitions and more exclusions. If your business holds personal data, takes card payments, or could not trade through a multi-day outage, a standalone policy is usually the right tool. Whether you need it at all is worth thinking through in do I need cyber insurance, and the trade-offs are set out in our cyber insurance UK small business guide.

The Government’s “Insuring Resilience: the state of SME cyber insurance” report, published in August 2025, examined exactly these gaps in SME understanding and market provision, including how few firms find the information from insurers and brokers clear.

How to read a quote before you sign

  • Get the full policy wording and schedule, not just the summary. The exclusions and sub-limits live in the detail.
  • Find the war and state-backed clause (look for an LMA5564 to LMA5567 reference) and understand it can be triggered by government attribution.
  • Check the social engineering section: is it included, what is the sub-limit, and what verification steps does it require?
  • Confirm what controls you are attesting to (MFA, encryption, backups, patching) and make sure every answer is true and evidenced.
  • Note the betterment position: budget separately for the security upgrades the policy will not fund.
  • Check the excess on each section, the territorial limits, and whether dependent (supply-chain) business interruption is covered.

Cyber insurance is genuinely useful, and the common claims do get paid. The denials cluster around a short list: an answer on the form that was not true, a control that was not in place, a known problem that was never fixed, or a loss that fell into a sub-limit nobody checked. Read those parts before you read the price.

Frequently asked questions

What does cyber insurance actually cover for a small business? First-party costs (incident response and forensics, data restoration, business interruption, ransomware and extortion, crisis PR, breach notification) and third-party liability (privacy and network security claims, regulatory defence for ICO investigations, and PCI DSS penalties where card data is involved). The exact sections and limits vary by policy.

Does cyber insurance cover ransomware and ransom payments? Yes, ransomware is a core reason businesses buy it. The extortion section covers negotiation, recovery and, where lawful, the ransom itself. Paying can be unlawful if the recipient is sanctioned, and the policy restores your systems to their prior state, not an improved one.

Is social engineering or invoice fraud covered, or do I need an add-on? It is frequently not covered as standard. You usually need a specific endorsement, it commonly carries a sub-limit well below the headline limit, and cover can be refused if your staff did not follow your documented payment-verification process.

Why do cyber insurance claims get rejected? The single biggest cause is material misrepresentation on the proposal form: the controls you said you had were not actually in place. Missing MFA is decisive, with Coalition’s 2024 data showing around 82% of denied claims involved organisations without it. Known-but-unfixed vulnerabilities and unencrypted devices also drive denials.

Does cyber insurance cover state-sponsored cyber attacks? Often not. Since 31 March 2023, Lloyd’s has required standalone cyber policies to carry a state-backed cyber-attack exclusion (model clauses LMA5564 to LMA5567). If the attack is attributed to a foreign state, particularly by the government of the country where the affected system sits, the insurer can decline.

What is the war exclusion and what does “acts of foreign enemies” mean? It is wording that excludes loss connected to war, invasion, hostilities and “acts of foreign enemies.” That last phrase lets insurers point to nation-state attribution to deny a claim. The Merck NotPetya case (a dispute built on roughly USD 1.4 billion of losses, settled in early January 2024) tested it and helped prompt the modern cyber-specific exclusions.

What is betterment? The principle that insurers pay to restore your systems to their pre-incident condition, not to upgrade them. The cost of patching, hardening or replacing systems beyond their prior state, including fixing the vulnerability that caused the breach, is the policyholder’s responsibility.

Will my claim be denied if I didn’t have MFA or encryption? Very possibly. If you attested to having MFA or device encryption and did not, that is material misrepresentation. Unencrypted-device exclusions also let insurers dispute losses from lost or stolen kit that was not encrypted.

Does cyber insurance cover ICO fines under UK GDPR? Defence costs for an ICO investigation are often covered, but the fine itself may be excluded, and some regulatory penalties may be uninsurable as a matter of public policy. Check the wording carefully.

Is a standalone cyber policy worth it, or is my business insurance enough? The cyber cover bundled into general business insurance is usually narrow with low limits. If you hold personal data, take card payments or could not trade through a multi-day outage, a standalone policy is generally worth it. In the 2025 survey 62% of small businesses had some cover, but standalone policies remain far rarer.
