Quick answer: Cyber Essentials includes £25k free cyber-liability insurance from Hiscox via IASME. Eligibility, cover, claims process & top-ups explained for UK SMEs in 2026.
Last updated: April 2026 | Reviewed by: Connection Technologies team

Cyber Essentials Insurance UK 2026: £25k Free Cover Explained
Holding a current Cyber Essentials certificate from IASME automatically includes £25,000 of cyber-liability insurance for eligible UK businesses — at no extra cost. This is one of the least-talked-about benefits of the scheme, and for many SMEs it covers the certification fee several times over compared to buying standalone cyber-liability cover. This guide explains what’s actually covered, who’s eligible, how to claim, and where you’ll need to top up with broader cover.
The £25k cover is provided by Hiscox via IASME (the certification body for the scheme on behalf of NCSC). It’s underwritten only for businesses that meet eligibility criteria and is automatically included with both Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials insurance — at a glance
| What | Detail |
|---|---|
| Cover limit | £25,000 per claim, aggregate over the 12-month policy |
| Insurer | Hiscox, via IASME |
| Policy duration | Runs alongside the 12-month CE certificate; renews on re-certification |
| Eligibility | UK-domiciled, head office in UK or Crown Dependencies, group turnover under £20m |
| Cost | Included free with certification — no separate premium |
| Excess | £1,000 each and every claim |
| Top-up available | Yes — IASME / Hiscox offer paid uplift to higher limits |
Who’s eligible for the free cyber liability insurance?
The free £25k cover is restricted to small UK businesses. Specifically:
- Head office in the UK or Crown Dependencies (Jersey, Guernsey, Isle of Man)
- Group turnover under £20 million in the most recent financial year
- Cyber Essentials certified for the entire organisation (not a sub-set certification)
- Currently in good standing with IASME (no fraudulent declarations)
If your group turnover is over £20m, the certification still has commercial value — but the included insurance doesn’t apply. You’ll typically already have standalone cyber cover at that size; the certification supports the underwriting case.
Sub-set certifications (where you certify only part of the business) do not qualify for the free insurance. This is one of the practical reasons we recommend whole-organisation scope to most SMEs.
What does the £25k Cyber Essentials insurance actually cover?
The cover is genuine cyber-liability insurance, not a token gesture. It includes:
- Incident response costs — IT forensics, legal advice, customer notification, PR support after a breach
- Cyber extortion / ransomware — ransom payment (where legally permitted) plus negotiation specialist costs
- Data restoration — recovering data from backups, rebuilding systems
- Business interruption — lost income while systems are down, up to the policy limit
- Third-party liability — claims from customers or partners affected by your breach
- Regulatory fines and investigations — ICO investigation costs (where insurable)
- Notification costs — notifying affected data subjects under GDPR Article 34
£25k goes further than people expect for incident response. A mid-sized ransomware attack on a 30-person business will typically cost £15-30k in response, recovery and notification. The cover is designed to absorb that without requiring you to find five-figure cash on day one of an incident.
What it doesn’t cover
The free £25k is generous but limited. It will not cover:
- Losses above £25,000 per claim (you need top-up cover for high-value claims)
- Acts of war / nation-state-attributed attacks (industry-wide exclusion since 2023)
- Fines that are uninsurable in UK law
- Pre-existing breaches discovered after you certify (the policy starts from your certification date)
- Damage caused by an employee acting maliciously where the employee was a known risk
- Losses where you weren’t actually compliant with the Cyber Essentials controls at the time of the incident
That last one matters: if you certify and then let MFA lapse or stop patching, and a breach occurs that exploits the missing controls, the insurer can decline. Maintaining compliance through the year — not just at the point of certification — is what makes the cover dependable.
How to claim on the Cyber Essentials insurance
If you suffer an incident covered by the policy:
- Notify Hiscox immediately via the dedicated 24/7 incident line (number is included in your IASME welcome pack and also published on the IASME portal)
- Hiscox will appoint an incident response specialist (typically within 4 hours)
- The specialist coordinates IT forensics, legal, customer notification, recovery — costs flow directly through the policy, not via you fronting cash
- Where you’ve spent ahead of approval (e.g. emergency overtime), retain receipts — Hiscox will reimburse
- Submit a formal proof of loss within 30 days of the initial notification
The single biggest mistake businesses make is delaying notification while they try to sort it themselves. Always call the line first — even if you’re not sure you’ll claim. The clock starts ticking on certain elements of cover from the moment you notice the incident.
Cyber Essentials Plus insurance — same cover, more weight
Cyber Essentials Plus carries exactly the same £25k cover. The difference is in reputation and procurement: Plus carries far more weight in supplier-of-record evaluations because the controls have been independently tested, not just self-attested. Many enterprise procurement teams will accept your existing cyber liability cover as evidence of risk management when paired with Plus, where they wouldn’t with CE alone.
Topping up beyond £25k
For most SMEs over 25 staff or holding sensitive customer data (legal, healthcare, financial services), £25k is a starting point rather than full cover. IASME and Hiscox offer paid uplift policies up to £500k cover for IASME-certified businesses, typically £400-£1,500/yr depending on your sector and turnover. Standalone cyber-liability policies from other UK insurers (AXA, Aviva, Allianz, Markel, CFC) typically start around £150/yr for £100k cover and usually offer a discount for Cyber Essentials holders.
The certification often unlocks a 10-30% discount on standalone cyber cover, because insurers see the controls as a meaningful risk reducer. It is worth getting your broker to re-quote once you certify.
Compare: free CE insurance vs paid standalone cyber cover
| Feature | Free CE insurance | Standalone cover |
|---|---|---|
| Cover limit | £25,000 | £100k – £10m+ |
| Cost | £0 (with cert) | £150 – £5,000+/yr |
| Eligibility | Under £20m turnover, UK only | Any size |
| Excess | £1,000 | Typically £2,500-£10,000 |
| Incident response | Hiscox-appointed specialist | Insurer-specific panel |
| Best for | Small UK SMEs (under 50 staff) | Larger SMEs, regulated sectors, sensitive data |
For most businesses with under 50 staff and modest data holdings, the free £25k is a sensible level of cover. For anything beyond that, treat it as a first-loss layer and add standalone cover above it.
Get Cyber Essentials & Cyber Essentials Plus — fully managed
Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.
Frequently asked questions
Yes — £25,000 of cyber-liability cover from Hiscox is automatically included with every Cyber Essentials and Cyber Essentials Plus certification, for eligible UK businesses. No separate premium, no extra paperwork. The cover runs for the 12-month duration of the certificate.
UK-domiciled businesses with head office in the UK or Crown Dependencies, with group turnover under £20 million, certified for the whole organisation (not a sub-set), in good standing with IASME.
Incident response, forensics, legal, customer notification, ransomware response, data restoration, business interruption, third-party liability claims, GDPR notification costs and ICO investigation costs. £1,000 excess per claim.
Yes — IASME and Hiscox offer paid uplift policies up to £500k. You can also buy standalone cyber-liability cover from other UK insurers (AXA, Aviva, Allianz, Markel, CFC), typically with a 10-30% discount for Cyber Essentials holders.
Cover ends at certificate expiry. If you re-certify within the renewal window, cover renews seamlessly. If you lapse and re-certify later, there’s a gap period with no cover.
Potentially not — Hiscox can decline if you certified but then let critical controls (MFA, patching, AV) lapse before the incident. Maintaining the controls through the year is essential. Our managed service keeps the controls automated continuously, not just at audit time.
