
Cyber Insurance UK 2026: Premiums, Cover & What Insurers Require

Quick Answer: Cyber insurance in the UK costs £500–£1,500/year for a small business with £500k cover, rising to £5,000–£25,000/year for mid-market with £5m cover. Most insurers now require MFA, EDR, backups and Cyber Essentials as preconditions for cover. UK businesses turning over under £20m can also get £25,000 of free IASME cyber insurance bundled with Cyber Essentials certification.
Cyber insurance UK 2026 — premiums, cover and what insurers require

Cyber insurance has matured into a mainstream B2B insurance line in the UK, alongside professional indemnity and public liability. Premiums have stabilised after the 2021–2023 ransomware shock, but the underwriting bar has risen sharply — insurers now decline applications that would have been routinely accepted three years ago. This guide explains what UK cyber insurance actually covers in 2026, how to compare quotes, what controls insurers expect, and how to claim if the worst happens.

If you’re researching cyber insurance because a customer or tender requires it, jump to the “What insurers require in 2026” section — that’s where most applications fall over.

What does UK cyber insurance cover in 2026?

A typical UK cyber policy covers four broad areas. Limits vary — you can usually buy a different limit for each section.

1. First-party costs (your own losses)

  • Incident response & forensics: The cost of bringing in a digital-forensics and incident-response (DFIR) firm to contain and investigate the breach. Typical claim cost: £15,000–£120,000.
  • Business interruption: Lost profits while systems are down. Most UK policies cover 12–24 hours after a defined waiting period (usually 8–12 hours).
  • Data restoration: Cost to restore corrupted or encrypted data from backups, plus any expert time required.
  • Cyber extortion: Ransom payments (within UK sanctions law) plus negotiation services. Increasingly excluded or sub-limited.
  • System repair & replacement: Cost of rebuilding compromised infrastructure, replacing hardware, reinstalling and reconfiguring software.

2. Third-party liability

  • Privacy liability: Claims by individuals whose personal data was exposed. Often the largest line item in UK breaches.
  • Network security liability: Claims by other organisations harmed by malware that originated from your systems.
  • Regulatory defence: Legal costs to respond to ICO investigation under UK GDPR.
  • Regulatory fines: Where insurable by law — ICO fines are sometimes covered, sometimes excluded. Always read the wording.

3. Crime & social engineering

  • Funds transfer fraud (CEO fraud / BEC): Money sent under false instructions, typically capped at £100k–£500k. BEC is now the #1 UK B2B claim.
  • Telecom fraud: Hijacked PBX or VoIP systems making unauthorised premium-rate calls.
  • Telephone phishing / vishing: Voice-call social engineering.

4. Notification & reputation

  • Mandatory ICO & subject notifications under UK GDPR Article 33/34.
  • Credit monitoring for affected individuals (typically 12–24 months).
  • PR & crisis communications support during the breach window.

UK cyber insurance premiums — realistic 2026 ranges

Premiums depend heavily on turnover, sector, claims history, controls in place and chosen limits. Realistic ranges:

  • Micro business (turnover < £500k, £500k cover): £500–£1,500/year.
  • Small business (£500k–£2m turnover, £1m cover): £1,500–£4,000/year.
  • SMB (£2m–£10m turnover, £2m cover): £3,500–£9,000/year.
  • Mid-market (£10m–£50m turnover, £5m cover): £7,500–£25,000/year.
  • Enterprise (£50m+ turnover, £10m+ cover): £25,000–£150,000+/year.

Higher-risk sectors (healthcare, professional services holding PII, fintech, e-commerce processing card data) typically pay 25–75% more than these mid-band figures. Lower-risk sectors (manufacturing without significant PII, B2B services with limited customer data) pay 10–25% less.


What insurers require in 2026 — the “controls baseline”

UK cyber insurers have hardened their underwriting since 2022. If you can’t answer “yes” to all of the following, expect either a declined application or a sub-standard premium with sub-limits and exclusions stripping the cover.

The mandatory eight controls

  1. Multi-factor authentication (MFA) on all admin accounts, all remote access, all email access. Insurers ask specifically about M365 / Google Workspace MFA enforcement.
  2. Endpoint protection — EDR or business-grade antivirus on every device, centrally managed and reporting.
  3. Patch management — documented process to apply critical security patches within 14 days. Insurers may ask for evidence (a recent patching report).
  4. Backups — including offline or immutable copies that ransomware cannot encrypt. Tested restore within the last 12 months.
  5. Email security — SPF, DKIM, DMARC configured; advanced phishing protection in place.
  6. Privileged access management — admin rights restricted to a small group; daily-driver accounts non-admin.
  7. Security awareness training — documented annual training for all staff with completion tracking.
  8. Incident response plan — documented, tested, with named decision-makers.
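Control 5 (SPF, DKIM and DMARC) is the one underwriters can verify for themselves with a DNS lookup, so it pays to check your own records before the questionnaire does. The script below is an added example, not code from the original article or from any insurer: it grades constructed SPF and DMARC TXT records the way a questionnaire reviewer would (is SPF ending in `-all`/`~all` and under the 10-lookup limit, is DMARC at `p=quarantine`/`p=reject` with `pct=100`, are DKIM selectors published). The domain names, record values and selector names in `SAMPLE_RECORDS` are constructed; a real run would fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` and pass them in.

```python
"""Offline grader for the 'email security' control (SPF / DKIM / DMARC).

Added example: the records below are constructed for illustration and no
DNS queries are made. Feed real TXT records into assess_domain() to reuse it.
"""
import re

# Constructed TXT records, shaped like the answers to a DNS TXT lookup for
# the domain (SPF) and _dmarc.<domain> (DMARC). DKIM selectors are listed
# by name only; their public keys are not needed for this check.
SAMPLE_RECORDS = {
    "example.co.uk": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk; pct=100",
        "dkim_selectors": ["selector1", "selector2"],
    },
    "weak.example.co.uk": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example.co.uk",
        "dkim_selectors": [],
    },
    "none.example.co.uk": {
        "spf": "v=spf1 +all",
        "dmarc": None,
        "dkim_selectors": [],
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None if absent or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_spf(record):
    """Return (passes, findings) for an SPF TXT record."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return False, ["no SPF record published"]
    lookups, all_qualifier = 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier  # the last 'all' term wins
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers will permerror")
    if all_qualifier is None:
        findings.append("SPF has no 'all' term, so unlisted senders are treated as neutral")
    elif all_qualifier == "+":
        findings.append("SPF ends in +all: any host on the internet may send as this domain")
    elif all_qualifier == "?":
        findings.append("SPF ends in ?all (neutral), which gives no protection")
    elif all_qualifier == "~":
        findings.append("SPF ends in ~all (softfail); -all is the stricter choice")
    return all_qualifier in ("-", "~") and lookups <= 10, findings


def assess_dmarc(record):
    """Return (passes, findings) for a DMARC TXT record."""
    tags = parse_dmarc(record)
    if tags is None:
        return False, ["no DMARC record published"]
    findings = []
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # DMARC default when the tag is malformed
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is p={policy or 'missing'}: spoofed mail is reported, not blocked")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so enforcement cannot be evidenced")
    return policy in ("quarantine", "reject") and pct == 100, findings


def assess_domain(domain, records):
    """Grade one domain's SPF, DKIM and DMARC posture; returns a summary dict."""
    spf_ok, spf_findings = assess_spf(records.get("spf"))
    dmarc_ok, dmarc_findings = assess_dmarc(records.get("dmarc"))
    dkim_ok = bool(records.get("dkim_selectors"))
    dkim_findings = [] if dkim_ok else ["no DKIM selectors published for this domain"]
    return {
        "domain": domain,
        "spf": spf_ok,
        "dkim": dkim_ok,
        "dmarc": dmarc_ok,
        "pass": spf_ok and dkim_ok and dmarc_ok,
        "findings": spf_findings + dmarc_findings + dkim_findings,
    }


def assess_all(records=SAMPLE_RECORDS):
    """Grade every domain in the supplied mapping."""
    return {domain: assess_domain(domain, recs) for domain, recs in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        print(("PASS " if result["pass"] else "FAIL ") + domain)
        for finding in result["findings"]:
            print("    - " + finding)
```

The grader treats `~all` as a pass with a note, because a softfail record is still "SPF configured" on most questionnaires, but it fails `p=none` outright: monitoring-only DMARC does not stop the spoofed invoices behind BEC claims, which is the risk the control exists to reduce. DKIM signing itself cannot be proven from DNS alone; the selector check is only evidence that keys are published, so keep a signed message header on file as the second half of that evidence.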

Sector-specific extras

  • Card-handling businesses: PCI DSS compliance evidence.
  • Healthcare: NHS DSPT submission, IG Toolkit equivalent.
  • Financial services: FCA-aligned controls, potentially DORA readiness for in-scope firms.
  • Public sector suppliers: Cyber Essentials Plus.

The single highest-leverage thing you can do to make insurance affordable: certify Cyber Essentials. Most insurers will quote you — CE alone signals you have the eight controls in place.

Free £25k cyber insurance with Cyber Essentials

If your UK business turns over under £20m, certifying Cyber Essentials through an IASME-licensed certification body automatically includes £25,000 of cyber liability insurance at no additional cost. Cover headlines:

  • Cover limit: £25,000 per claim and aggregate.
  • Excess: typically £1,000.
  • Underwritten by Mactavish via AXA / Sutton Specialty.
  • Triggered by data breach, ransomware, business interruption, regulatory investigation costs and customer notification expenses.
  • Includes 24/7 incident-response hotline.

For micro-businesses this is often genuinely sufficient as a primary policy. For larger businesses it’s a useful supplementary layer that stacks on top of any commercial cyber policy you also buy. Either way it’s a strong reason to certify even if a tender isn’t forcing you to.

Cyber insurance vs commercial general liability — do you need both?

Yes. Cyber events are explicitly excluded from standard UK commercial general liability and professional indemnity policies. Even when traditional PI policies appear to cover “errors and omissions in services,” they routinely exclude losses arising from a cyber incident under their cyber-act exclusion clauses. If you’ve been told by a generalist broker that your existing PI “probably covers cyber,” ask for written confirmation in the policy schedule before relying on it — you’ll usually find it doesn’t.

Common UK cyber insurance exclusions to watch for

Read the exclusions section before signing. Frequent gotchas:

  • Unencrypted device exclusion: No cover if data was lost from an unencrypted laptop / phone. Easy fix — turn on BitLocker / FileVault.
  • Patch lag exclusion: No cover if the breach exploited an unpatched vulnerability that had a fix available 30+ days earlier.
  • Insider exclusion: No cover for breaches caused by a current or former employee acting maliciously. Counter-intuitive but standard.
  • War & nation-state exclusion: Increasingly broad after the NotPetya rulings — some policies exclude any incident attributed to a nation-state actor, which is hard to disprove.
  • Sub-limits on social engineering: The full policy limit may be £5m, but funds-transfer-fraud is often capped at £100k–£250k. BEC is the most common UK B2B claim.
  • Retroactive date: Doesn’t cover incidents that started (even unknowingly) before the policy began. Negotiate a 12-month retroactive period.

How to compare cyber insurance quotes

UK cyber insurance quotes look superficially similar but differ wildly underneath. Comparison checklist:

  1. Aggregate limit vs per-claim limit: A £5m aggregate cap means all claims in the policy year together cannot exceed £5m. Important if you might have multiple incidents.
  2. Sub-limits: Map every section (BEC, ransomware, BI, regulatory) to its actual cap. The headline number is usually the largest section only.
  3. Waiting period for BI: 8 hours is standard; 12 or 24 hours means a small ransomware incident that is contained within 6 hours pays nothing on the BI section.
  4. Indemnity period for BI: 6 months minimum; 12 months better.
  5. Approved DFIR panel: Some policies require you to use the insurer’s pre-approved incident-response firm, which may not be your preferred provider.
  6. Notification trigger: Some policies pay for any notification you make under UK GDPR; others only pay if you can demonstrate the notification was strictly required.
  7. Ransom-payment authorisation: Confirm in writing whether the policy will fund a ransom payment (within UK sanctions law) if you decide to pay.
  8. Renewal terms: Premium re-rate clauses, exit policy after a claim.

What happens if you make a UK cyber insurance claim?

Modern UK cyber claims are managed via 24/7 hotlines staffed by the insurer’s breach-response coordinator. Typical sequence:

  1. 0–4 hours: You call the hotline. The breach coordinator assigns a DFIR firm from their panel within 1–2 hours.
  2. 4–24 hours: DFIR firm starts containment work; legal counsel engaged for ICO notification analysis; PR firm briefed if reputation cover applies.
  3. 24–72 hours: Initial scope of breach established; first interim invoice typically authorised.
  4. Days 4–14: Forensics complete; data-subject notification decisions made; claim reserves set.
  5. Months 1–6: Restoration; regulatory engagement; customer-claim management; final settlement.

One consistent piece of feedback from UK businesses that have claimed: the post-incident insurer-led response is significantly better managed than what most companies could organise themselves. The 24/7 hotline and pre-vetted DFIR panel are arguably worth the premium independent of the claim payment itself.

How to lower your cyber insurance premium

Practical steps that genuinely reduce premium at next renewal:

  • Certify Cyber Essentials Plus (typical 5–15% premium reduction).
  • Move from quarterly to monthly phishing-simulation training and share the click-rate trend with the underwriter.
  • Implement a privileged-access management tool (CyberArk, Delinea, BeyondTrust) and document admin-access reviews.
  • Move to immutable backup storage (AWS S3 Object Lock, Azure Immutable Blob, Wasabi Immutable). Insurers underwrite ransomware risk significantly lower with immutable backups.
  • Add an incident-response retainer with a CREST-accredited UK firm. Insurers often require this anyway.
  • Run a tabletop exercise annually and share the after-action report with the underwriter.

Don’t lower your premium by reducing limits below realistic claim sizes — that’s a false saving. UK ransomware claims regularly exceed £500k once forensics, restoration, BI and notification costs are added together.

Frequently Asked Questions

For most UK businesses with employees, customer data and a reliance on email, yes. The 2024 UK Cyber Security Breaches Survey found 50% of businesses suffered an attack in the previous year, with the average medium-business breach costing £3,540 and serious incidents routinely topping £100,000. Cyber insurance typically costs £500–£1,500/year for a micro-business — substantially less than even a contained incident’s direct costs. If you certify Cyber Essentials and turn over under £20m, £25,000 of free IASME insurance is included.

Common UK cyber insurance exclusions: incidents caused by current or former employees acting maliciously, breaches exploiting unpatched vulnerabilities with fixes available 30+ days earlier, data lost from unencrypted devices, damage to your physical hardware (covered by property insurance instead), trademark or copyright disputes arising from data, and increasingly, nation-state-attributed attacks. Always read the exclusions section before signing — the headline limit is rarely the practical cover limit once exclusions and sub-limits are applied.

Sometimes — subject to UK sanctions law and your specific policy wording. Most UK cyber policies cover ransom payments where it’s lawful to do so (i.e. the threat actor isn’t on a sanctions list), but several major UK insurers have started excluding or sub-limiting ransom cover. Even when paid, the ransom is only one cost — you also need DFIR, restoration, legal review and customer notifications, which are usually higher than the ransom itself. The current NCSC and ICO guidance is to avoid paying where possible and rely on backups instead.

A reasonable rule of thumb: cover should be at least 3–6 months of revenue, or the cost of recovering and notifying after a worst-case data-breach scenario, whichever is higher. For most UK businesses turning over under £5m, £1m of cover is the practical floor; mid-market businesses usually carry £2–5m. Cyber sub-limits matter as much as the headline figure — ensure BEC / funds-transfer-fraud has at least £250k sub-limit, and BI is at least 6-month indemnity.

Yes, this is now the leading cause of UK cyber-claim rejection. Most modern UK policies require MFA, EDR, backups and patch management as preconditions, and you sign a declaration in the proposal form attesting to all of them. If a post-incident forensic investigation finds that MFA wasn’t enforced on the compromised account, the insurer will likely reject — even if the breach itself wouldn’t have been prevented by MFA. Always make sure your stated controls match reality, and get sign-off from your IT team before completing the proposal.

Yes — for micro-businesses, often as a primary policy; for larger businesses, as a useful supplementary layer. The cover is real, underwritten by a credible market (Sutton Specialty / AXA), includes a 24/7 hotline, and triggers on the same incidents as a commercial cyber policy. Limitations: the £25k aggregate limit is genuinely small for anything more than a contained micro-business incident, the cover is only available if you certify through an IASME-licensed body, and you must turn over less than £20m. Worth claiming as part of certification regardless.

Comparing cyber insurance quotes? Make sure your underlying controls will pass the underwriter’s questionnaire first — request a free Cyber Essentials gap analysis and we’ll identify the controls you need to put in place before applying. For more on choosing a UK cyber security partner, see our best cyber security companies UK 2026 comparison.
