The distinction most businesses miss: liability vs. crime
Before anything else, this is the most important thing to understand about cyber insurance — and the thing most frequently overlooked when buying a basic policy.
There are two fundamentally different types of cyber coverage, and many entry-level policies — including the £25,000 cyber liability cover included with Cyber Essentials certification — cover only one of them.
What most basic policies cover
Cyber liability cover protects you against the legal and regulatory consequences of a data breach or security failure: the costs you incur because something bad happened to your systems or data.
- Legal defence against data breach claims
- ICO regulatory investigation costs
- Customer notification costs under UK GDPR
- Third-party liability if your breach harms others
- PR and crisis communications
The £25,000 cover included with Cyber Essentials certification is cyber liability only.
What requires a fuller policy
Cyber crime cover pays for direct financial losses caused by criminal acts: money stolen, ransoms paid, fraud losses. It is a separate insuring clause and is frequently absent from cheaper policies.
- Ransomware payments and recovery costs
- Business interruption from a cyber attack
- Funds transfer fraud and BEC losses
- Social engineering / invoice fraud
- Cyber extortion
Often requires a specific endorsement or a comprehensive policy — not included in basic liability cover.
If you've renewed your cyber insurance without checking the policy wording, it's worth confirming which type you have. A business that suffers a ransomware attack and has only cyber liability cover may find the recovery costs — ransom, system restoration, lost revenue — are not covered at all.
What a comprehensive cyber policy covers
The following represents the typical scope of a comprehensive UK commercial cyber policy from a specialist insurer. Policy wording varies — the categories below are drawn from published guidance by CFC Underwriting and QBE, two of the leading UK cyber insurers. Always read the specific policy schedule for the exact terms applicable to your business.
First-party costs, typically included in comprehensive policies
- Business interruption — lost revenue during system downtime
- Ransomware response and negotiation costs
- Data recovery and system restoration
- Cyber extortion payments (subject to sanctions screening)
- Forensic investigation to establish cause and scope
- Crisis communications and reputation management
- UK GDPR notification costs to affected individuals
Source: CFC Cyber Insurance — policy structure overview, 2025
Third-party liability, typically included in comprehensive policies
- Legal defence costs for data breach claims from customers
- Compensation payments to affected third parties
- ICO regulatory investigation defence costs
- Fines and penalties where insurable under UK law
- Network security liability — transmitting malware to third parties
- Media liability for online content
Source: CFC Underwriting — Anatomy of a Cyber Policy, 2025
What cyber insurance commonly excludes
Exclusions have tightened significantly since 2021 as insurers absorbed major ransomware losses. These are the most common grounds for claim reduction or rejection:
Typically not covered
- War, nation-state attacks, or terrorism — contested since NotPetya; check your policy's war exclusion wording carefully
- Infrastructure failure not caused by a cyber event
- Loss of value of intellectual property or trade secrets
- Future lost profits beyond the indemnity period
- Betterment — restoration only, not upgrades
Often excluded, or grounds for voiding the policy
- Incidents caused by known unpatched vulnerabilities
- Losses where MFA was absent but declared as present
- BEC / social engineering fraud — often needs a separate endorsement
- Losses from a breach that pre-dated the policy start
- Employee theft or deliberate internal fraud
The misrepresentation problem — and why it matters
When you apply for cyber insurance, you answer questions about your security controls — MFA coverage, patch management, backup procedures, and so on. If you answer inaccurately and later claim, the insurer can void the policy from inception.
This is the most common reason UK cyber claims are declined — not obscure small print, but inaccurate application answers. It's often not deliberate: many businesses tick "yes" to MFA because some systems have it, not realising the insurer means all internet-facing services. Getting accurate answers before you apply is as important as the policy itself. This is one area where an independent assessment genuinely helps.
What insurers now require as a condition of cover
The following controls are increasingly required — not recommended — by UK underwriters. This information is drawn from published requirements by CFC and QBE, and reflects the current market standard for SME policies. Requirements vary by insurer, policy tier, and your business's revenue and sector.
Multi-factor authentication on all remote access and cloud services
MFA on email (Microsoft 365, Google Workspace), VPN, RDP, and cloud platforms. Most underwriters now require 100% coverage on external-facing services; "most systems" is not sufficient. This is also a mandatory requirement under Cyber Essentials v3.3. Our ORA assessment covers your current MFA posture across all relevant services.
Documented and tested patch management
Security patches for critical and high-severity vulnerabilities applied within 14 days of release, with a written policy in place. Systems running end-of-life software are a common basis for claim rejection. QBE's Cyber Risk Essentials assessment specifically covers patch management as a key risk area.
Offline or immutable backups, tested regularly
Backups connected to the same network as live systems can be encrypted alongside them in a ransomware attack. Insurers want offline or cloud-isolated backups with documented restore tests. CFC specifically cite backup integrity as a key claims differentiator. Our Disaster Recovery service covers fully managed image-based backups with rapid restoration — built to satisfy exactly this requirement. Your backup posture is also assessed as part of the ORA.
Endpoint detection and response (EDR)
Standard antivirus is no longer sufficient for most underwriters writing above basic liability policies. EDR tools with behavioural detection are increasingly required for businesses with revenue above £1m or those handling personal data at scale. Our Network Monitoring service integrates RMM and EDR to provide 24/7 endpoint and traffic coverage — the managed service approach that satisfies this underwriter requirement.
Email authentication — SPF, DKIM, DMARC
Not universally required yet, but increasingly asked about, particularly where BEC cover is sought. A missing DMARC record, or one left at p=none (monitoring only), signals elevated phishing exposure, because receiving mail servers will still deliver messages that spoof your domain. Our Cyber Vitals scan checks your email authentication posture in minutes, for free.
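The kind of check a passive email-authentication scan performs, as an added example (not the Cyber Vitals tool's own code): it reads the SPF record at the domain and the DMARC record at _dmarc.<domain> and reports the weak settings an underwriter's questionnaire is really probing for. The DNS answers here are constructed sample records for made-up domains so the example runs offline; a real scan would fetch the TXT records with a resolver. DKIM is deliberately not assessed, because a DKIM record lives at <selector>._domainkey.<domain> and the selector is only known from a message header.

```python
"""Assess SPF and DMARC posture from DNS TXT records (added example).

SAMPLE_TXT is a constructed stand-in for DNS answers so this runs offline.
In practice the strings would come from TXT lookups of <domain> and
_dmarc.<domain>.
"""
import re

# Constructed sample records for fictitious domains (not real DNS data).
SAMPLE_TXT = {
    "example-weak.test": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
    "example-strong.test": ["v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"],
    "_dmarc.example-strong.test": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-strong.test"
    ],
    "example-none.test": ["some unrelated txt record"],
}


def parse_spf(records):
    """Return the single SPF record, or None if absent or duplicated
    (RFC 7208 treats more than one v=spf1 record as a permanent error)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf):
    """Return the qualifier on the 'all' mechanism: '-', '~', '?' or '+'.
    A bare 'all' means '+all'; no 'all' term at all returns None (neutral)."""
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(records):
    """Return DMARC tags as a dict (keys lower-cased), or None if no record."""
    for r in records:
        if r.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF and DMARC enforce."""
    findings = []

    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or multiple records")
    else:
        q = spf_all_qualifier(spf)
        if q == "~":
            findings.append("SPF: softfail (~all); spoofed mail is tagged, not rejected")
        elif q != "-":
            findings.append(f"SPF: weak 'all' qualifier ({q or 'none'}); spoofed mail passes")

    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("DMARC: no record; receivers cannot enforce alignment")
    else:
        p = dmarc.get("p", "").lower()
        if p == "none":
            findings.append("DMARC: p=none is monitoring only; spoofed mail is still delivered")
        elif p not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised policy '{p}'")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports are received")
        pct = dmarc.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct}; policy applied to only part of the mail flow")

    return findings


if __name__ == "__main__":
    for d in ("example-strong.test", "example-weak.test", "example-none.test"):
        print(d, assess_domain(d) or ["OK: SPF -all and DMARC enforcing"])
```

The two findings that matter most for an insurance questionnaire are a missing DMARC record and p=none: both leave a domain spoofable, and "we have DMARC" on an application form is only accurate if the policy is quarantine or reject.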
Cyber Essentials and insurance — what the connection actually is
Cyber Essentials certification is sometimes marketed as a route to cheaper insurance. The reality is more nuanced. Certification does two useful things:
First, it forces accurate answers to the questions insurers ask — because the certification process requires you to actually implement and document the controls. Second, a growing number of insurers treat CE certification as a positive signal. CFC, for example, note that Cyber Essentials-certified businesses have measurably lower claims rates.
More practically: a passed CE assessment means your MFA, patching, firewall, and access control posture is documented and verified — which means your insurance application reflects reality. That's the most important thing.
One important caveat: the £25,000 free cyber liability cover included with Cyber Essentials certification through IASME is cyber liability only — it does not include cyber crime cover. For most businesses, this is a useful starting point, not a complete solution.
How much does cyber insurance cost for a UK SME?
Premiums vary by sector, revenue, data volumes, and the controls in place. The following ranges are indicative only — your actual premium will depend on underwriter assessment of your specific risk profile. These figures are drawn from market data published by CFC and QBE.
- Sub-£1m turnover, basic controls, liability only: approximately £300–£1,000 per year
- Sub-£1m turnover, good controls, comprehensive cover: approximately £800–£2,500 per year
- £1m–£5m turnover, good controls, comprehensive cover: approximately £1,500–£5,000 per year
- FCA-regulated firms: higher premiums due to regulatory notification requirements and client money exposure
- Healthcare, legal, financial services: sector loading applies — expect 30–50% above equivalent non-regulated businesses
Having demonstrable controls in place — particularly MFA, EDR, and tested backups — can materially reduce premiums and, more importantly, ensures your application accurately reflects your posture. Always speak to an FCA-authorised broker for a specific quote.
Operational Risk Assessment (ORA)
Before applying for cyber insurance, it's worth knowing exactly where your controls stand. ORA runs through 30 questions aligned to Cyber Essentials v3.3 — covering MFA, patching, backups, access control, and endpoint protection — and produces a plain-English report. That means you can answer insurance application questions accurately, identify gaps before they become exclusions, and prioritise remediation where it matters most.
Cyber Vitals — email and domain security scan
A passive scan of your domain covering SPF, DKIM, DMARC, SSL, open ports, and breach intel. Surfaces the configuration gaps that affect both your phishing exposure and your insurance application. Free instant scan, no agents required.
Obtain a cyber insurance quote via GET-IT
We are working towards becoming a registered insurance introducer, partnering with FCA-authorised specialist cyber insurance brokers. The idea is straightforward: your technical controls are assessed and documented first — through ORA and Cyber Vitals — and then introduced to an insurer with an accurate picture of your posture, not a generic application form.
This means better-informed quotes, fewer surprises at claim time, and cover that reflects what your business actually needs. If you'd like to be notified when this is available, or want to talk through your current position now, book a free consultation. In the meantime, your insurance broker can approach the market directly — we're happy to provide your ORA report as supporting documentation.