Cyber insurance has moved from a niche product to a mainstream business requirement in the past five years. With the average cost of a data breach at $4.88 million globally (IBM 2024) and ICO fines reaching £20 million, the financial exposure from a cyber incident is large enough to threaten the survival of many UK businesses. Yet most small and mid-sized organisations still do not have a policy — often because they do not understand what it covers or what it costs.
What does cyber insurance cover?
A typical UK cyber insurance policy covers two broad categories: first-party costs (your own losses) and third-party liability (claims from others).
First-party coverage
- Incident response costs — forensic investigation, legal advice, crisis PR, and breach notification to the ICO and affected individuals
- Business interruption — lost revenue during system downtime caused by a cyber attack
- Data recovery — costs to restore or reconstruct data lost in a breach or ransomware attack
- Ransomware payments — some (not all) policies cover ransom payments, though this is increasingly controversial and may require insurer pre-approval
- Cyber extortion — costs associated with responding to extortion threats, including negotiation specialists
- Reputational harm — PR and customer retention costs following a public breach
Third-party coverage
- Data breach liability — legal defence and settlement costs when individuals whose data was exposed bring compensation claims against you
- Regulatory defence — legal costs of responding to ICO investigations and enforcement actions
- Regulatory fines — coverage for ICO or other regulatory fines where insurable by law (the insurability of GDPR fines in the UK remains a grey area — some policies include them, others exclude them)
- Media liability — claims arising from content published online
How much does cyber insurance cost in the UK?
Premiums vary enormously based on company size, sector, revenue, data volume, and security posture. Indicative UK annual premiums for 2025:
| Company size | Revenue | Annual premium range |
|---|---|---|
| Sole trader / micro | Under £500K | £200 – £600 |
| Small business | £500K – £5M | £500 – £3,000 |
| Mid-market | £5M – £50M | £3,000 – £15,000 |
| Large enterprise | £50M+ | £15,000 – £100,000+ |
These are broad ranges. High-risk sectors (healthcare, financial services, legal) typically pay 30–50% more than average. Companies with strong security controls (ISO 27001, Cyber Essentials Plus, MFA everywhere) often receive significant premium reductions.
What factors affect your premium?
Insurers assess cyber risk based on several factors, and being prepared on these can meaningfully reduce your costs:
- Industry sector — healthcare, legal, and financial services pay the highest premiums due to the sensitivity of data they process
- Revenue and employee count — larger organisations face larger potential exposures
- Volume and type of personal data held — storing special category data (health, criminal) increases premiums
- Security certifications — ISO 27001, Cyber Essentials, SOC 2 all reduce premiums because they demonstrate a structured security programme
- Multi-factor authentication — most insurers now require MFA on email, VPN, and admin access as a condition of coverage
- Backup strategy — offline or immutable backups significantly reduce ransomware risk, which reduces premiums
- Claims history — a prior claim increases premiums, sometimes substantially
- Endpoint detection and response (EDR) — increasingly required by underwriters for mid-market and above
What cyber insurance does not cover
Common exclusions that catch businesses by surprise:
- Known vulnerabilities left unpatched — if a breach exploits a vulnerability your IT team knew about and failed to patch, the insurer may deny the claim
- Acts of war and state-sponsored attacks — the "war exclusion" has been tested in court (Merck vs Zurich) and remains contentious. Some insurers now use more precise "cyber war" definitions
- Intentional acts by employees — if an insider deliberately exfiltrated data, this is typically excluded (though some policies include rogue employee coverage)
- Improvement costs — insurers pay to restore systems to their pre-breach state, not to upgrade them. You cannot use a claim to fund a security improvement programme
- Loss of future business — reputational harm coverage is limited; long-term customer attrition is not covered
Do you actually need it?
The honest answer depends on your risk profile. Cyber insurance is genuinely valuable for:
- Any business that holds personal data of UK individuals (i.e. most businesses)
- Companies in regulated sectors where ICO enforcement is a real possibility
- Organisations whose operations would be severely disrupted by ransomware or system downtime
- Businesses that cannot self-fund a six- or seven-figure incident response
It is less critical for very small businesses with minimal data, sole traders with no employees, and organisations that already have substantial cash reserves and an established incident response capability.
The strongest approach is to pair insurance with genuine security controls — certifications, MFA, backups, staff training. Insurance is a financial safety net, not a substitute for security.