The state of cyber insurance for UK SMEs

Cyber insurance has moved from a niche product to a business essential in a very short period of time. But adoption among smaller businesses remains patchy — and awareness of what policies actually cover (and what they don't) is even patchier.

7% of UK businesses hold a standalone cyber insurance policy — down from 8% in 2023
77% of UK SMEs don't know what cyber insurance actually covers
40%+ of UK cyber insurance claims are rejected at some stage in the process

Sources: UK Cyber Security Breaches Survey 2024 (DSIT); PolicyBee Business Insurance Statistics 2025; Precursor Security 2026

That last figure is the one that matters most. A policy you cannot claim on is not insurance — it is a monthly outgoing that gives you false confidence. Understanding why claims are rejected, and whether your business would pass the test, is more valuable than any premium comparison.


What cyber insurance actually covers

Modern UK cyber policies typically bundle two types of protection. First-party cover deals with costs your business suffers directly. Third-party cover handles claims brought against you by others — customers, suppliers, or regulators — as a result of a breach.

✓ What it typically covers

First-party losses

  • Incident response and forensic investigation costs
  • Data recovery and system restoration
  • Business interruption — lost revenue during downtime
  • Ransomware payments (subject to conditions)
  • Crisis communications and PR support
  • Legal costs and regulatory defence
  • Customer notification costs after a breach
  • ICO fines (some policies, not all)

✕ What it typically does NOT cover

Common exclusions

  • Incidents caused by failure to maintain security standards
  • Known vulnerabilities that were unpatched at time of breach
  • Late notification to the insurer after an incident
  • Nation-state attacks (war exclusion clauses)
  • Losses from social engineering if controls were absent
  • Pre-existing breaches not disclosed at policy inception
  • Reputational damage or loss of future customers
  • Your own negligence in security configuration

The rejection problem. In 2024–2025, the most common reason UK cyber insurance claims were rejected was insufficient evidence that security controls were active at the time of the breach — where the policy application said one thing and the forensic investigation found another. The second most common reason was late notification to the insurer.

Source: Precursor Security — What Cyber Insurance Actually Covers in 2026


What insurers now require from UK SMEs

The cyber insurance market has changed significantly since 2021. Underwriters now verify policy application answers against external data sources before binding cover — checking your email authentication records, exposed services, and even dark web credential databases. Ticking boxes on a questionnaire is no longer enough.

These are the controls most UK insurers now actively look for:

Multi-Factor Authentication (MFA)

Required on email, remote access, cloud platforms, and financial systems. Insurers increasingly treat the absence of MFA as grounds for claim rejection, particularly for ransomware incidents. This is now the single most commonly cited prerequisite across UK underwriters.

Tested, offsite backups

Not just backups — tested backups. Insurers want evidence that your recovery process has actually been verified, not just that files are being copied somewhere. Backups stored on the same network as the systems they protect are considered inadequate by most underwriters.

Up-to-date patching

Known, unpatched vulnerabilities at the time of a breach are one of the most common grounds for claim rejection. Insurers expect critical patches to be applied within 14–30 days of release. Documented patch management — even a simple log — strengthens your position considerably.

An incident response plan

Knowing what to do when something goes wrong — and being able to demonstrate that plan existed before the incident — matters to insurers. It also dramatically shortens recovery time, which directly affects your business interruption claim.

Staff security awareness

Insurers increasingly ask whether staff have received security training — particularly around phishing. A business that cannot demonstrate any staff awareness programme presents a higher risk profile and may face higher premiums or stricter exclusions.
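Two of the checks above are ones an underwriter can verify from the outside before binding cover: the strength of your email authentication records and whether known patches were applied within the 14–30 day window. The script below is an added illustration of how an SME could run the same checks on itself ahead of a policy application. It is example code written for this page, not GET-IT's readiness review or any insurer's tool; the SPF, DMARC and patch records are constructed sample values, and the pass/warn/fail thresholds are assumptions chosen to mirror the expectations described above.

```python
from datetime import date

# Insurer expectation quoted on the page: critical patches within 14-30 days.
# The 30-day upper bound is an assumption used for this self-check.
PATCH_WINDOW_DAYS = 30


def spf_strength(record):
    """Classify an SPF TXT record by the qualifier on its 'all' mechanism.

    Returns 'missing', 'fail' (-all), 'softfail' (~all), 'neutral' (?all),
    'pass-all' (+all, effectively no protection) or 'no-all'.
    """
    if record is None or not record.lower().startswith("v=spf1"):
        return "missing"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass-all"}[qualifier]
    return "no-all"


def dmarc_policy(record):
    """Return the p= policy from a DMARC TXT record, or 'missing'."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return "missing"
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags.get("p", "missing").lower()


def overdue_patches(patches, today, window_days=PATCH_WINDOW_DAYS):
    """Return (name, days_outstanding) for patches unapplied beyond the window."""
    overdue = []
    for patch in patches:
        if patch["applied"] is None:
            age = (today - patch["released"]).days
            if age > window_days:
                overdue.append((patch["name"], age))
    return overdue


def readiness_report(spf, dmarc, patches, today):
    """Summarise each control as pass/warn/fail plus the detail an insurer would cite."""
    findings = {}

    spf_result = spf_strength(spf)
    spf_verdict = {"fail": "pass", "softfail": "warn"}.get(spf_result, "fail")
    findings["spf"] = (spf_verdict, spf_result)

    dmarc_result = dmarc_policy(dmarc)
    dmarc_verdict = {"reject": "pass", "quarantine": "warn"}.get(dmarc_result, "fail")
    findings["dmarc"] = (dmarc_verdict, dmarc_result)

    late = overdue_patches(patches, today)
    findings["patching"] = ("pass" if not late else "fail", late)
    return findings


# Constructed sample inputs: a real check would read these from DNS and the patch log.
SAMPLE_SPF = "v=spf1 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.net"
SAMPLE_PATCHES = [
    {"name": "mail-server-2025-03", "released": date(2025, 3, 1), "applied": date(2025, 3, 10)},
    {"name": "vpn-appliance-2025-04", "released": date(2025, 4, 1), "applied": None},
]
SAMPLE_TODAY = date(2025, 5, 15)

if __name__ == "__main__":
    report = readiness_report(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_PATCHES, SAMPLE_TODAY)
    for control, (verdict, detail) in report.items():
        print(f"{control:9s} {verdict:5s} {detail}")
```

Run against the sample data, the report flags a soft-fail SPF record as a warning, a `p=none` DMARC policy as a fail, and one patch outstanding for 44 days as a fail; each of those is the kind of discrepancy between questionnaire answers and observable state that the page says leads to rejected claims. Keeping the output alongside the dated patch log gives you the documentary evidence the patching section recommends.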

Cyber Essentials certification is increasingly relevant here. While most UK insurers do not yet make it an absolute requirement, holding Cyber Essentials demonstrates that the five fundamental controls are in place — and some underwriters offer premium reductions of 15–30% for certified businesses. For higher-value policies or businesses in regulated sectors, it is becoming close to mandatory.

Source: SmartSMS Solutions — Cyber Insurance and Cyber Essentials Guide 2025/26


The question most SMEs never ask

Most businesses that buy cyber insurance spend their time comparing premiums and coverage limits. Very few ask the more important question: if we had an incident today, would we actually be covered?

The gap between what a business thinks its policy covers and what it actually covers at claim time is where the real risk lives. That gap is usually caused by one of three things:

A pre-policy security review — not from the insurer, but from an independent specialist — answers all three questions honestly, before they become a problem.


What does cyber insurance cost for a UK SME?

Premiums vary considerably depending on sector, turnover, data types, and the controls you have in place. As a general guide for UK SMEs:

Source: Insure24 — How Much Does Cyber Insurance Cost for UK SMEs?

To put that in context: the average cost of a data breach for a UK SME is £193,000 in direct costs alone — before reputational damage and lost customers are factored in. At £1,000–£3,000 per year, insurance is not a luxury. The question is whether yours will actually pay out when you need it.

Not sure if your business would pass the test?

GET-IT offers a straightforward insurance readiness review — checking whether your current controls match what your policy (or a prospective policy) actually requires. No jargon, no pressure, no agenda beyond giving you an honest picture.

We are also working with UK underwriters to offer direct cyber insurance provision for clients — covering both technical defences and financial recovery under one managed roof.


[ Remote. No site access required. Confidential. ]