Cyber Insurance is an insurance product that helps cover the costs of a cyber incident, ransomware, data breach, business email compromise, or any other attack that costs you money. It covers things standard business insurance typically doesn’t: forensics, legal costs, ICO fines, customer notification, credit monitoring for affected people, ransom payments, business interruption, and PR management.
What cyber insurance typically covers
Policies vary, but a reasonable cyber policy for a UK SMB might include:
- First-party costs: incident response and forensics, system restoration, business interruption, cyber extortion
- Third-party liability: claims from customers whose data was breached, regulatory fines where legally insurable, defence costs
- Crime cover: fraudulent funds transfer (e.g. business email compromise that redirects a payment)
- Reputation management: PR support in the aftermath of an incident
- Breach notification: the cost of writing to every affected individual within the UK GDPR 72-hour window
What insurers are asking for in 2026
The cyber insurance market has hardened significantly since 2021. What used to be a tick-box application now involves detailed technical questionnaires. Common minimum requirements:
- MFA on email, remote access, and privileged accounts (see Multi-Factor Authentication)
- Endpoint Detection and Response (EDR) on all devices
- Offline or immutable backups with tested recovery
- Patch management discipline, with a defined timeline for critical patches
- Incident response plan, written and tested
- Security awareness training, delivered regularly rather than as a single annual session
- Network segmentation, so one infection doesn’t spread everywhere
- Often, Cyber Essentials certification
Premiums are rising in sectors with heavy breach activity (legal, financial services, manufacturing) and falling in sectors with maturing controls.
Exclusions to watch for
- State-sponsored activity: many policies exclude attacks attributed to nation-state actors. This got messier after the NotPetya precedent.
- Pre-existing vulnerabilities: if you knew about a critical unpatched CVE and chose not to patch, the claim may be denied.
- Acts of war: particularly relevant to attacks originating from Russia during sanctions periods.
The insurance-security relationship
Cyber insurance is not a substitute for good security; it’s a backstop. Insurers increasingly use your security posture to decide both whether to offer cover and at what premium. A business with CE Plus, EDR, and good backup practices will pay meaningfully less than one without. Poor controls may see cover declined outright.
How we help
Our cyber security work directly improves your insurability. The controls we put in place are the ones insurance underwriters ask about. For practical advice on preparing for a renewal questionnaire, get in touch: we’ve helped clients complete many of the major underwriters’ questionnaires and know which answers reduce premiums.