What is Cyber Insurance?
Cyber insurance protects businesses against the financial impact of cyber attacks, data breaches, and IT system failures. This guide explains what it covers and why UK businesses should consider it.
Cyber insurance protects businesses against the financial consequences of cyber attacks, data breaches, and technology failures. As UK businesses become increasingly dependent on digital systems, cyber insurance has moved from a niche product to an essential consideration for companies of all sizes.
The UK government’s Cyber Security Breaches Survey consistently finds that a significant proportion of businesses experience cyber incidents each year, yet many remain uninsured.
What Cyber Insurance Covers
Cyber insurance policies vary between insurers, but most provide a combination of first-party cover (your own losses) and third-party cover (claims from others).
First-Party Cover
| Coverage | Description |
|---|---|
| Incident response costs | Forensic investigation, legal advice, and crisis management immediately after an attack |
| Data recovery | Costs of restoring or recreating lost or corrupted data |
| Business interruption | Lost income and additional costs while systems are down |
| Notification costs | Expenses of notifying affected individuals and the ICO as required by the UK GDPR |
| Ransomware payments | Some policies cover ransom payments (though this is controversial and subject to conditions) |
| Reputational damage | PR and communications costs to manage public perception |
| Cyber extortion | Costs associated with threats to release data or attack systems |
Third-Party Cover
| Coverage | Description |
|---|---|
| Data breach liability | Claims from individuals whose personal data has been compromised |
| Regulatory fines and penalties | Fines imposed by the ICO for breaches of the UK GDPR or Data Protection Act 2018 (where insurable by law) |
| Network security liability | Claims from third parties arising from a failure of your network security (e.g. transmitting a virus to a client) |
| Media liability | Claims arising from content published online, including defamation and copyright infringement |
| PCI-DSS fines | Penalties from payment card companies if card data is compromised |
Common Cyber Threats
The types of incidents that trigger cyber insurance claims include:
- Ransomware — Malicious software that encrypts data and demands payment for the decryption key
- Phishing — Fraudulent emails that trick employees into revealing credentials or making payments
- Business email compromise (BEC) — Attackers impersonate a director or supplier to redirect payments
- Distributed denial of service (DDoS) — Attacks that overwhelm systems and prevent access
- Data theft — Hackers gaining access to customer, employee, or financial data
- Insider threats — Employees or contractors misusing access to steal or destroy data
- System failures — Hardware or software malfunctions that cause data loss or downtime
What Cyber Insurance Does Not Cover
Most policies exclude:
- Pre-existing breaches — Incidents that occurred before the policy started
- Unpatched vulnerabilities — Some insurers exclude losses if the business failed to apply known security updates
- War and terrorism — State-sponsored attacks may be excluded under war exclusions
- Bodily injury and physical damage — Covered by other policies
- Reputational loss beyond PR costs — Long-term loss of customers is generally not covered
- Deliberate acts — Losses caused intentionally by the insured business
Who Needs Cyber Insurance?
Any business that uses computers, stores data, or transacts online faces cyber risk. Cyber insurance is particularly relevant for:
- Businesses holding personal data — Customer databases, employee records, health data
- E-commerce businesses — Processing card payments and storing customer information
- Professional services — Accountants, solicitors, and consultants handling confidential client data
- Healthcare providers — Managing sensitive patient information under strict data protection rules
- Technology companies — Where system failures could impact clients’ operations
- Any business using email — Phishing and BEC attacks target every sector
Even businesses with strong security controls cannot eliminate all risk. Cyber insurance provides a financial safety net for when controls fail.
Cost of Cyber Insurance
Premiums depend on several factors:
| Factor | Impact on Premium |
|---|---|
| Annual turnover | Higher turnover typically means higher premiums |
| Industry | Healthcare, financial services, and technology pay more |
| Data volume | More records mean higher risk and a higher premium |
| Security controls | Strong controls (MFA, encryption, backups) reduce premiums |
| Claims history | Previous incidents increase costs |
| Cover limit | Higher limits cost more |
| Excess | Higher excess reduces the premium |
For a small UK business with turnover under £1 million and good security practices, annual premiums typically range from £200 to £1,000. Larger businesses or those in high-risk sectors can pay significantly more.
Cyber Insurance and Data Protection Law
Under the UK GDPR and the Data Protection Act 2018, businesses must:
- Report certain data breaches to the Information Commissioner’s Office (ICO) within 72 hours
- Notify affected individuals without undue delay if there is a high risk to their rights and freedoms
- Maintain appropriate technical and organisational measures to protect personal data
The ICO can impose fines of up to £17.5 million or 4% of global annual turnover (whichever is greater) for serious breaches. While the insurability of regulatory fines is a developing area of law, many cyber policies include cover for ICO fines where legally permissible.
Having cyber insurance with a good incident response service helps businesses meet their notification obligations quickly and correctly.
What to Look for in a Cyber Policy
When comparing policies, consider:
- Incident response — Does the insurer provide a 24/7 helpline and pre-approved panel of forensic investigators, lawyers, and PR firms?
- Retroactive date — Does the policy cover breaches that occurred before the policy started but were discovered during the policy period?
- Social engineering cover — Is there specific cover for phishing and BEC losses?
- Ransomware — Is ransom payment covered, and what are the conditions?
- Sub-limits — Are there lower limits for specific types of loss (e.g. ransomware or regulatory fines)?
- Territorial scope — Does the policy cover incidents affecting overseas operations or data?
- Cyber crime — Is the fraudulent transfer of funds resulting from a cyber attack covered?
Cyber Insurance and Your Accounts
- Premiums are an allowable business expense for Corporation Tax or income tax
- Any payout received to cover lost income is taxable, as it replaces trading profits
- Payouts for capital expenditure (e.g. replacing hardware) may have different tax treatment
- Keep detailed accounting records of all incident-related costs and insurance receipts
Reducing Your Cyber Risk
Insurers increasingly require certain minimum security controls before providing cover. Common requirements include:
- Multi-factor authentication (MFA) on all remote access and email
- Regular data backups stored offline or in a separate cloud environment
- Employee training on recognising phishing and social engineering
- Endpoint protection (antivirus and anti-malware) on all devices
- Patch management — Applying security updates promptly
- Access controls — Limiting access to data and systems based on role
Meeting these requirements not only helps secure a policy but also reduces the likelihood of a claim.
Related Insurance
- Professional indemnity insurance — May cover some data-related claims but is not a substitute for cyber cover
- Public liability insurance — Covers bodily injury and property damage but excludes cyber events
- Directors and officers insurance — May respond if directors face claims for failing to prevent a breach
- Employers’ liability insurance — Does not cover data breaches affecting employees