Cyber Insurance for UK Businesses: What It Is, What It Costs and What Insurers Actually Require
Your business gets hit by ransomware on a Tuesday morning. Every file on your server is encrypted. Your systems are down, your team cannot work and your clients are calling. You need a forensics firm, you need a lawyer and you need to notify the ICO within 72 hours.
What does that cost?
UK businesses paid out £197 million in cyber insurance claims in 2024, a 230% increase on the previous year. The average incident, whether ransomware, a data breach or business interruption, costs a small business tens of thousands of pounds before you factor in reputational damage and lost clients.
Cyber insurance exists to cover those costs. But in 2026, securing cover takes considerably more work than it used to. Insurers have raised the bar significantly on what they require before they will offer a policy, and businesses that do not understand those requirements are either paying too much or finding their claims denied when they need cover most.
This guide covers what cyber insurance actually is, what it covers, what it costs, and most importantly, what UK insurers now require before they will insure you.
What is cyber insurance?
Cyber insurance is a commercial insurance product that covers financial losses arising from cyber incidents. It is not a substitute for good security. It is the financial safety net for the residual risk that remains after your security controls are in place.
A typical UK cyber insurance policy covers four broad areas:
Incident response and forensics – the cost of bringing in a specialist digital forensics and incident response firm to investigate and contain the breach. Typical claim costs run from £15,000 to £120,000.
Business interruption – lost revenue while your systems are down. Most UK policies cover business interruption starting 8 to 12 hours after an incident (the waiting period), for up to 12 to 24 months of lost income.
Data restoration – the cost of recovering or recreating data that ransomware encrypted, corrupted or destroyed.
Legal, regulatory and PR costs – legal fees, ICO notification costs, customer notification, fines where insurable under UK law and public relations support to manage reputational damage.
Some policies also cover cyber extortion, ransom payments and negotiation services, though this coverage is increasingly excluded or sub-limited in 2026 policies.
Why small businesses need cyber insurance
There is a persistent myth that cyber attackers target large enterprises. The reality is the opposite.
50% of UK businesses reported a cyber attack in the last 12 months. Attackers frequently target small businesses precisely because they expect weaker defences. A successful ransomware attack on a 30-person business can be just as profitable as one on a larger enterprise, and significantly easier to execute.
The Information Commissioner’s Office can issue fines of up to £17.5 million for data breaches under UK GDPR. For a small business, even a fraction of that figure is potentially business-ending. Cyber insurance does not prevent the fine but it covers the legal costs of responding to the ICO investigation and in some circumstances the fine itself where insurable under UK law.
62% of small UK businesses now hold cyber insurance policies. If your competitors hold cover and you do not, and both businesses suffer the same incident, your business may not survive it while theirs does.
What does cyber insurance cost for a small business?
Cyber insurance in the UK costs £500 to £1,500 per year for a small business with £500,000 of cover, rising to £5,000 to £25,000 per year for mid-market businesses with £5 million of cover.
The premium you pay depends on several factors: your annual turnover, the volume and sensitivity of personal data you hold, your industry sector, your existing security controls and whether you hold certifications like Cyber Essentials.
The single most important factor affecting your premium in 2026 is the quality of your security controls. Evidence-based discounting of 10 to 40% is available to businesses that can demonstrate strong controls. Businesses that cannot demonstrate adequate controls face either significantly higher premiums or outright rejection.
The free cover most businesses do not know about:
IASME bundles £25,000 of free cyber insurance with Cyber Essentials certification for UK businesses turning over under £20 million. It is not a full mid-market policy but it satisfies most supplier security questionnaires and is the most cost-effective baseline available in the UK market. Small businesses certifying for the first time receive this cover automatically as part of the process.
What UK insurers now require in 2026
Most businesses stumble at exactly this point. The cyber insurance market has changed dramatically in the last three years, and policies look very different from those written only a few years ago. Premiums are rising, requirements are stricter and coverage is more complex.
Insurers have moved from self-attestation (“yes, we have security measures”) to evidence-based underwriting. They want documented proof that your controls are actually in place, not just a checkbox on a form.
Most insurers now require MFA, EDR, backups and Cyber Essentials as preconditions for cover.
Here is what underwriters are specifically looking for:
Multi-factor authentication
MFA is no longer optional. Insurers now require MFA not just for email but for remote network access and admin accounts. If an attacker compromises an account that should have been protected by MFA but was not, your insurer can void the claim entirely.
Patching and updates
Stricter exclusions mean policies may not cover incidents caused by unpatched systems. If attackers exploit a vulnerability in an unpatched system, your insurer may deny the claim outright.
Backups
Immutable, tested, offsite backups are now a standard underwriting requirement. Insurers will ask about your backup regime and when your team last tested it.
Cyber Essentials certification
Most UK insurers align their questionnaires directly with the government-backed Cyber Essentials standard. Holding the accreditation puts you in the lower-risk category and many insurers automatically offer reduced premiums to Cyber Essentials certified businesses. Without it, insurers treat you as high-risk and price accordingly.
The trap businesses fall into:
Saying “MFA is enabled” when it is merely optional for users is misrepresentation. Insurers investigate every claim. Misrepresentation voids policies. Insurers are increasingly using technical verification to confirm controls are actually in place rather than just taking your word for it.
The Cyber Essentials connection
The UK government backs Cyber Essentials as the baseline certification covering the five technical controls most likely to prevent a cyber incident: firewalls, secure configuration, access control, malware protection and patch management.
The connection to cyber insurance is direct and significant.
Businesses with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance. Insurers know this. It is reflected in premiums.
For businesses pursuing cyber insurance for the first time, getting Cyber Essentials certified before approaching insurers is the single most effective way to reduce your premium and improve the quality of cover offered. It demonstrates to underwriters that your basic controls are in place, verified by an independent assessor rather than self-attested.
For businesses running Apple devices, this matters in a specific way. Cyber Essentials v3.3, which came into force in April 2026, treats missing MFA on any cloud service as an automatic failure point and brings personal devices used for work within scope. A Mac fleet that is not enrolled in MDM, without MFA enforced through Okta or a similar identity platform, and without a consistent patching regime will fail a Cyber Essentials assessment and, increasingly, will also fail an insurer’s underwriting questionnaire.
The path to affordable, comprehensive cyber insurance for an Apple-first or mixed-fleet business runs through managed Apple IT support, MDM and Cyber Essentials certification. In that order.
What cyber insurance does not cover
Understanding the exclusions is as important as understanding the coverage.
Unpatched systems
If a breach exploits a known vulnerability in a system that had not been updated, many policies will not pay out. Patch management is not just good practice; it is a condition of your policy.
Social engineering and business email compromise
Most base UK cyber policies exclude funds transfer fraud caused by social engineering, where an employee was deceived into authorising a payment. A specific social engineering endorsement adds the cover back, usually at additional premium. Business email compromise is now among the most frequent claim types in the UK mid-market. Check your policy specifically for this.
Prior acts
Events that occurred before your policy start date are excluded entirely. If you switch insurers, check whether the new policy includes a retroactive date covering acts before inception.
Bodily injury and property damage
Cyber policies cover digital and financial loss only. Physical consequences require general liability or product liability cover.
Misrepresented controls
If your application states that controls are in place that were not actually implemented, your insurer can void the policy entirely, not just deny the specific claim.
How to approach cyber insurance as a small business
The right sequence for a small business approaching cyber insurance for the first time is:
First, get your controls in place. MFA enforced across all cloud services. Devices enrolled in MDM. Regular patching. Tested backups. These are the controls insurers are checking for and the controls most likely to prevent an incident in the first place.
Second, get Cyber Essentials certified. The certification is verified evidence that your basic controls meet the government standard. It unlocks the free £25,000 IASME cover, reduces your premium with most insurers and satisfies the supplier security questionnaires that many enterprise clients now require.
Third, approach insurers or a broker with your Cyber Essentials certificate and documented evidence of your controls in place. The combination of certification and evidence-based documentation is what moves you from the high-risk to the low-risk underwriting bracket.
The businesses that skip steps one and two and go straight to step three end up either paying significantly more than necessary, getting cover with exclusions that make it nearly worthless, or having claims denied when they need to make them.
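As an added example (not nDuo's tooling and not part of the original article), here is a readiness check over a constructed control inventory that flags the gaps the three-step sequence above is meant to close, including the trap of MFA that is merely enabled rather than enforced. The inventory field names, the 90-day restore-test threshold and the sample data are assumptions; the 14-day patch window is the Cyber Essentials update requirement.

```python
"""Underwriting readiness check over a constructed control inventory.
Assumption: the inventory dict is exported from your identity platform,
MDM and backup tooling; the field names here are hypothetical."""
from datetime import date

MAX_PATCH_AGE_DAYS = 14        # Cyber Essentials: critical updates within 14 days
MAX_BACKUP_TEST_AGE_DAYS = 90  # assumption: how recent a restore test should be

def check_readiness(inventory, today_iso):
    """Return a list of findings; an empty list means no gaps were found."""
    today = date.fromisoformat(today_iso)
    findings = []
    # MFA: "enabled" but optional is the misrepresentation trap; only "enforced" counts.
    for svc in inventory["cloud_services"]:
        if svc["mfa"] != "enforced":
            findings.append(f"MFA is {svc['mfa']} on {svc['name']}; must be enforced for all users")
    for acct in inventory["admin_accounts"]:
        if not acct["mfa_enforced"]:
            findings.append(f"Admin account {acct['name']} has no enforced MFA")
    # Devices: every device MDM-enrolled, and last patched within the window.
    for dev in inventory["devices"]:
        if not dev["mdm_enrolled"]:
            findings.append(f"Device {dev['name']} is not enrolled in MDM")
        age = (today - date.fromisoformat(dev["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"Device {dev['name']} last patched {age} days ago")
    # Backups: immutable, offsite and restore-tested recently.
    b = inventory["backups"]
    if not (b["immutable"] and b["offsite"]):
        findings.append("Backups are not both immutable and offsite")
    test_age = (today - date.fromisoformat(b["last_restore_test"])).days
    if test_age > MAX_BACKUP_TEST_AGE_DAYS:
        findings.append(f"Last restore test was {test_age} days ago")
    return findings

# Constructed sample inventory (not real data): one SaaS app with optional MFA,
# one Mac outside MDM and overdue for patches, and a stale restore test.
SAMPLE = {
    "cloud_services": [{"name": "Google Workspace", "mfa": "enforced"},
                       {"name": "Accounting SaaS", "mfa": "optional"}],
    "admin_accounts": [{"name": "okta-admin", "mfa_enforced": True}],
    "devices": [{"name": "mac-01", "mdm_enrolled": True, "last_patched": "2026-05-01"},
                {"name": "mac-02", "mdm_enrolled": False, "last_patched": "2026-03-20"}],
    "backups": {"immutable": True, "offsite": True, "last_restore_test": "2026-01-10"},
}

if __name__ == "__main__":
    for finding in check_readiness(SAMPLE, "2026-05-10"):
        print("FAIL:", finding)
```

Running it against the sample reports four findings; a clean inventory returns an empty list, which is the state you want documented before approaching a broker.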
Where nDuo fits
We do not sell cyber insurance. What we do is put the controls in place that make you insurable and keep your premium as low as possible.
That means Cyber Essentials certification, Apple/Windows MDM implementation for device management and patch enforcement, Okta, Google Workspace or Entra ID for MFA across all cloud services, and managed IT support that maintains those controls continuously rather than only at renewal time.
If you are approaching a cyber insurance renewal and you are not sure whether your controls would pass an underwriter’s questionnaire, a free readiness review is the fastest way to find out.
Book a free Cyber Essentials readiness review and find out exactly where your security posture stands before your next insurance renewal.