What Is Cyber Insurance?

Cyber insurance is a type of business insurance that protects companies from financial losses caused by cyber attacks, data breaches, and IT failures.

What is cyber insurance?

Cyber insurance (also known as cyber liability or cyber risk insurance) helps protect your business if you suffer a cyber-attack, data breach, or digital system failure.

It’s a standalone policy designed to cover both immediate response and longer-term costs, from forensic investigations and data recovery, to legal defence, compensation claims, and reputational repair.

Why cyber insurance matters to you today

Half of UK businesses reported a cyber attack or breach last year, and the average cost to an SME was over £21,000. Incidents include ransomware, phishing scams, data leaks, and system failures. 81% of reported victims were small businesses.

  • Criminals target weak systems for fast returns
  • Downtime affects revenue, customers, and trust
  • Some businesses struggle to recover without support

Cyber insurance helps you respond quickly, cover the costs, and stay operational.

What does cyber insurance cover?

Cyber insurance protects your business against the financial and reputational damage caused by cyber attacks, data breaches, and system failures.

Most policies include two types of protection: first-party cover for your own losses, and third-party cover for claims made against you.

First-party cover: Your business costs after an attack

If your systems are breached or your data is compromised, a typical policy covers:

  • Incident response – IT forensics, legal advice, and crisis communication
  • Data recovery – Restoring or rebuilding lost or encrypted files
  • System restoration – Repairing or replacing damaged hardware and software
  • Reputation management – Responding to customers and protecting your brand
  • Cyber extortion – Expert ransom negotiation and, where the payment is lawful (sanctions checks apply) and the insurer agrees, the ransom itself
  • Notification costs – Telling customers or regulators if personal data is exposed
  • Business interruption – Income loss if you can’t operate (often an optional add-on)

Some policies offer a fixed daily payout during downtime to help with cashflow.

Third-party cover: Claims made against you

If your incident affects others, your policy may cover:

  • Legal defence – If a client or regulator takes action over a data breach
  • Damages and settlements – Payments owed to customers or suppliers
  • Regulatory and contractual investigations – Including UK GDPR enforcement by the ICO and PCI DSS assessments after a card-data breach
  • Online liability – If content on your website, including content altered by an attacker, causes harm to a third party

Read our guide on cyber liability insurance to understand the core concepts.

Additional cover and services

Some policies also include:

  • Cyber crime losses – Including phishing, invoice fraud, and fake payment requests
  • Employee fraud – Some extend cover to dishonest staff activity
  • Prevention tools – Security scans, training, and breach planning support

CyberSure insight: Policies vary. Always check for cover on phishing, cloud failures, and accidental data loss. These are common causes of serious claims.

Who needs cyber insurance?

Any business connected to the internet is a target. If you store data, take payments, or rely on software to operate, you face real risk. Cyber insurance limits the damage when that risk materialises. The groups below are the ones most likely to need it.

Small businesses

Most cyber attacks target small firms. They’re seen as easier targets due to limited IT security and fewer resources.

If you run a business that:

  • Stores customer or employee data
  • Sells products or services online
  • Manages payments or invoices
  • Uses cloud-based tools or remote systems

...you’re exposed. A single breach could disrupt operations, damage your reputation, or lead to significant legal costs.

Regulated sectors

Some industries face higher risks and tighter rules.

  • Legal – Professional indemnity policies often exclude first-party cyber losses
  • Finance – High-value data and strict FCA requirements
  • Healthcare – Patient records are frequent ransomware targets

Many regulators expect firms to manage cyber risks. Insurance helps meet these expectations.

Startups, freelancers, and remote teams

Small teams are often connected, but not protected. They rely on SaaS platforms, shared access, and remote tools that bring speed but also risk.

Cyber insurance offers:

  • Support if systems are compromised
  • Cover for client data loss
  • Help responding to fraud or fake payment requests

Even a single laptop or email account is enough to expose your business.

Is cyber insurance a legal requirement in the UK?

No. Cyber insurance is not a legal requirement in the UK. But that doesn't mean it isn't expected. If your business handles sensitive data or operates in a regulated sector, insurance may be needed to meet client, contractual, or compliance requirements for cybersecurity.

Regulations and compliance context in the UK

No UK law forces a business to buy cyber insurance, even one that holds personal data. But if you process personal data you must protect it under UK GDPR and the Data Protection Act 2018. That means having measures in place to reduce risk, to detect and respond to breaches, and to report qualifying breaches to the ICO within 72 hours.

Some regulators now expect standalone cyber cover. For example, the Solicitors Regulation Authority's minimum terms allow professional indemnity insurers to exclude first-party cyber losses while still requiring cover for third-party claims. Law firms must handle the first-party risk separately.

When it’s strongly recommended

Cyber insurance is often expected, even if not enforced by law. It’s recommended if you:

  • Collect or store personal, payment, or health data
  • Work in finance, legal, or healthcare
  • Bid for public-sector contracts
  • Provide IT services or manage data for others

Many supply chains now require Cyber Essentials or Cyber Essentials Plus. Insurers often bundle certification with cyber cover, or offer discounts and simpler underwriting when you are certified.

How much does cyber insurance cost?

It depends on your size, sector, and security setup. Most small businesses pay between £300 and £3,500 a year. High-risk industries and businesses handling sensitive data will pay more, but strong controls can reduce your premium.

What affects the price?

Premiums vary by risk. Key factors include:

  • Turnover and business size
  • Sector exposure (e.g. legal, finance, health)
  • Type and volume of data handled
  • Existing security controls
  • Claims history
  • Level of cover and excess selected

Firms without basic controls, such as multi-factor authentication or off-site backups, may pay more or be refused coverage.

Cost ranges for small to medium businesses

Cyber insurance costs vary widely for SMEs, depending on turnover, sector, and cover limits. The table below gives a realistic price range based on current UK market data, so you can see what similar businesses typically pay.

Business size                    Estimated annual premium
Micro (< £1m turnover)           £323 – £3,500
SME (£1m–£10m turnover)          £3,500 – £15,000
Larger firms (> £10m turnover)   £15,000 – £100,000+
Entry-level package              From £10.79 per month (about £130 a year)

How to get the best value on your cyber insurance

To improve pricing:

  • Put core security in place (MFA, backups, endpoint protection)
  • Get Cyber Essentials certified
  • Compare providers, not just prices
  • Choose a limit that reflects your exposure
  • Review exclusions carefully
  • Speak to a broker if your setup is complex

Cyber cover is more affordable when paired with strong cyber hygiene. Insurers reward firms that reduce their risk.

How to choose the right cyber insurance policy

Cyber policies vary, and so do the risks businesses face. Start with what matters most: what the policy covers, what it excludes, and how claims are handled. Then match the policy to how your business operates, the data you handle, and where you are vulnerable. Cheap cover that doesn't pay out is no cover at all.

Key questions to ask your insurer

Before you buy, ask:

  • Does the policy cover both first-party and third-party losses?
  • Are phishing, invoice fraud, and system outages included?
  • Will it cover ransomware payments and negotiation costs?
  • What support is offered during and after an incident?
  • Are regulatory investigation costs covered, and fines where the law allows them to be insured?
  • What are the claim limits and excess terms?
  • Are cloud services, suppliers, or outsourced platforms covered?

If you don’t understand the exclusions, ask for them in plain terms. You need to know where the policy stops.

Comparing providers and policy terms

Price matters, but cover matters more. When comparing policies:

  • Read the policy wording. Don't rely on summaries.
  • Check if losses from human error or tech failure are covered.
  • Look for 24/7 incident support, not just claim forms.
  • Ask if the insurer includes prevention tools like scans or training.
  • Check payout timeframes and claim handling reviews.

Some policies won't pay if you haven't met minimum security standards. The controls you declare on the proposal form (for example, MFA on all email accounts, or tested off-site backups) are treated as conditions of cover: if a claim reveals they were not actually in place, the insurer can reduce the payout or decline it. Ensure those conditions are clear from the outset and that they are true on the day you sign.

Aligning cyber insurance with Cyber Essentials and risk management

Cyber insurance works best as part of a wider plan. If you have Cyber Essentials or Cyber Essentials Plus, insurers may:

  • Offer lower premiums
  • Include bundled cover
  • Accept simpler underwriting forms

These schemes also help you put controls in place. Cyber Essentials assesses five: firewalls, secure configuration, security update management, user access control (which includes multi-factor authentication for cloud services), and malware protection. Backups are recommended alongside them but are not assessed, so check them separately. Together these reduce the likelihood of a breach.

Insurance transfers risk. It doesn’t fix weak systems. Use it to plug the gap, not replace the basics.