Cyber Insurance for UK SMEs: What Is Actually Covered
- June 22, 2026
- Posted by: Gradeon
- Category: Cyber Security

Cyber insurance for UK SMEs typically covers data breach response costs, ransomware extortion payments, business interruption losses, and third-party liability claims following a cyber incident. What it does not cover is just as important, and exclusions are where many UK businesses discover gaps only after a claim is rejected.
The UK Government’s Cyber Security Breaches Survey 2025 found that while 45% of UK businesses have some form of insurance, only 7% hold a standalone cyber policy. Understanding exactly what a standalone policy covers is the first step to closing that gap properly.
What First-Party Coverage Includes
First-party coverage pays for losses your own business suffers directly from a cyber incident. This is the core of most UK cyber insurance policies.
Data breach response costs are covered, including forensic investigation to determine what happened, legal advice on notification obligations, and the cost of notifying affected customers. This is usually the first cost incurred after any incident.
Ransomware and cyber extortion payments are covered by most policies, alongside the cost of negotiation specialists and recovery support. Some insurers require you to use their approved incident response panel to claim this benefit.
Business interruption losses cover lost income while your systems are down. Most policies define a waiting period, often 8 to 12 hours, before this cover activates.
Data restoration costs cover rebuilding or recovering data and systems following an attack, including the cost of specialist IT support brought in to do the work.
Reputational harm cover, increasingly included as standard, pays for PR support and crisis communications following a public breach disclosure.
What Third-Party Coverage Includes
Third-party coverage protects you against claims made by others as a result of a breach affecting their data or systems.
Privacy and security liability covers legal defence and settlement costs if customers, partners, or other third parties sue following a breach involving their data.
Regulatory defence costs cover legal representation if the ICO investigates following a reportable breach under UK GDPR. Some policies also cover the fines themselves, though this varies significantly by insurer and jurisdiction.
PCI DSS-related costs are covered by some policies, including the cost of a mandatory PCI Forensic Investigation if cardholder data is compromised. Always confirm this specifically if you process card payments, as it is not universal.
Media and multimedia liability covers claims arising from defamation, copyright infringement, or privacy violations connected to your digital content and communications.
What Cyber Insurance Does Not Cover
This is where UK SMEs most often get caught out.
Pre-existing vulnerabilities you knew about and did not fix. If you were aware of a security gap and failed to remediate it before the incident, insurers can decline the claim on the basis of misrepresentation at application.
Social engineering and authorised push payment fraud are, in many standard policies, excluded or capped at a much lower limit than other coverage. This matters significantly given how common invoice fraud and CEO impersonation scams have become.
Acts of war and state-sponsored attacks are commonly excluded following high-profile insurance disputes after major nation-state cyber incidents. Some insurers now offer specific cover for this, but it is not standard.
Failure to maintain basic security hygiene. Policies increasingly require evidence of multi-factor authentication, patch management, and staff training. Claims have been declined where a business could not demonstrate these were in place.
Outdated or unsupported software. Running software past its end-of-life date, where the vendor no longer issues security patches, is a common and often overlooked exclusion trigger.
Betterment costs. Most policies will not pay to upgrade your systems beyond their pre-incident state, even where the incident exposed the need for better security.
Why Exclusions Matter More in 2026
Brokers surveyed for the Insurance Business UK 2026 report ranked clarity around what is and is not covered as one of the most significant shifts in priority this year, with education about policy wording rising sharply in importance. This reflects a market correction.
For several years, UK SMEs bought cyber insurance with limited understanding of exclusions, then found claims rejected on technicalities. Insurers are now expected to explain coverage in plain language rather than dense policy wording.
Industry experts have noted that the biggest underwriting challenge for most UK SMEs is that they lack a clear picture of their own cyber posture, making it difficult to answer the questions insurers ask during application. This is precisely why choosing the right cyber insurance policy for your UK business should start with an honest internal security assessment, not a quote comparison.
What Insurers Now Expect Before They Will Cover You
Underwriting has tightened. Most UK insurers will ask, at minimum, whether you have:
- Multi-factor authentication on all remote access and email accounts
- Regular, tested, offline backups
- A documented incident response plan
- Up-to-date endpoint protection across all devices
- Staff security awareness training completed in the last 12 months
A tested cyber incident response plan, which insurers increasingly require before issuing cover, is no longer a nice-to-have. Several major UK insurers now decline cover outright or apply significant premium loading to businesses without one.
What Happens If You Are Underinsured
The real cost of a ransomware attack for UK SMEs without adequate insurance cover extends well beyond the ransom demand itself. Legal costs, forensic investigation, lost revenue, and regulatory exposure routinely add up to far more than businesses expect.
A policy with a low coverage limit, or one with exclusions that apply to your specific risk profile, can leave you covering the majority of a six-figure incident yourself. Reviewing your policy limit against a realistic incident cost scenario, not just against your budget, is the only way to know if your cover is adequate.
Frequently Asked Questions
What does cyber insurance cover for UK SMEs?
Most policies cover data breach response, ransomware extortion, business interruption, data restoration, and third-party liability claims following a cyber incident.
Does cyber insurance cover ransomware payments?
Yes, most UK policies cover ransomware extortion payments, though many require using the insurer’s approved incident response provider to claim this benefit.
Is social engineering fraud covered by cyber insurance?
Often only partially. Many standard policies cap or exclude social engineering and payment fraud losses, so this should be checked specifically before buying.
Will cyber insurance pay out if we had no MFA in place?
Possibly not. Insurers increasingly ask about MFA and other basic controls during underwriting and can decline claims if controls were misrepresented at application.
Does cyber insurance cover regulatory fines from the ICO?
This varies by insurer. Some cover legal defence costs only, others cover fines directly. Always confirm this specific point before purchasing.
How much cyber insurance coverage does a UK SME need?
Coverage should reflect a realistic incident cost scenario for your business, not just budget. Many SMEs are underinsured relative to actual breach costs.