Skip to main content

Insurance Cover

When a UK-domiciled organisation with a turnover under £20m achieves verified self-assessed Cyber Essentials certification covering their whole organisation, they are entitled to opt-in for £25,000 liability limit cyber insurance, terms apply.

The cover is delivered by our partner Superscript.

If you achieved Cyber Essentials on or before March 31st 2021, please see this page which details your cover underwritten by AXA XL.

If you achieved Cyber Essentials on or after December 1st 2021, please see this page which details your cover.

What’s covered by the insurance?

Cyber and privacy liability

Damages you are legally obliged to pay and defence costs because of a data breach, a security breach, your organisation’s failure to disclose a security breach or data breach and failure to comply with certain parts of your privacy policy.

Media and advertising liability

Damages you are legally obliged to pay and defence costs because of any defamation, libel, slander, infliction of emotional distress or harm to reputation arising out of the performance of professional services by you or anyone on your behalf.

Regulatory defence and penalties

Regulatory penalties and defence costs because of a regulatory proceeding for a data breach or a security breach.

Payment card liabilities and costs

PCI fines, expenses and legal costs because of a data breach or a security breach that involves credit or debit card numbers.

Website recovery services

Costs for to remedy a slow down or failure of your websites due to a denial of service attack.

Data recovery costs

Costs to regain access to, replace, or restore data that you incur due to a security breach.

Cyber business interruption costs

Reimbursement for cyber business interruption loss due to a security breach or a failure of your systems or a dependent business on which you rely for critical services.

Breach response services

In addition to the above cover, the insurer will provide the following services for up to 5,000 notified individuals if you reasonably suspect a data breach or security breach has happened or is in progress on your computer systems:

  • Lawyers to provide legal advice to help evaluate your obligations under breach notice laws or a merchant services agreement.
  • Computer security experts to help determine the existence, cause and scope, and assist in containing the data breach if it’s actively in progress on your computer systems.
  • PCI forensic investigators to help investigate the existence and extent of a data breach involving credit or debit card data, and qualified security assessors to certify and assist in attesting to your PCI compliance if required by a merchant services agreement.
  • The cost of notifying those individuals whose personal information was impacted by the data breach.
  • Call centre services to respond to your customer inquiries about the data breach.
  • Credit monitoring and identity monitoring for individuals whose personal information was impacted by the data breach.
  • Public relations and crisis management costs to mitigate reputational harm to your organisation.

What’s the limit of cover?

The limit is £25,000 in total for all covered losses during the policy period (the “basic cover”).

This limit may provide basic access to experts in the event of a minor data breach. However, it will be inadequate for serious incidents or if you suffer multiple incidents within the same policy period. 

After you opt into the basic cover, you will have the option to select a higher limit of up to £5m and choose from the below optional covers, which are available for an additional cost.

Optional covers

Cyber extortion costs

Reimbursement of money or digital currency you pay to a hacker to prevent or terminate a ransomware attack or threat to publish your data online, and for a specialist to assist you in negotiating with the hacker.


Reimbursement for financial loss sustained by you because of:

  • loss of money paid or transferred by you or your bank as a result of a fraudulent email or telephone instructions (social engineering).
  • a hacker accessing your VoIP phone system and making unauthorised calls.
  • a hacker accessing your computer system and launching a denial of service attack or hacking attack against a third-party (botnet attack).
  • a hacker accessing your computer system and using it for mining cryptocurrency (cryptojacking).

Worldwide jurisdiction

The basic cover is for claims brought in courts outside the USA and Canada. However, you can extend cover to include claims brought inside the USA and Canada for an additional cost.

What’s not covered by the insurance?

Losses resulting from a ransomware attack, unless you have opted to include cover for cyber extortion costs as detailed above.

A £500 excess applies to each loss and a 12-hour waiting period applies for cyber business interruption. 

See the policy wording for full details of what’s covered and not covered and the limitations and conditions that apply.

Who qualifies for the insurance?

All organisations that have completed Cyber Essentials certification with CyberSmart who:

  1. Are domiciled in the United Kingdom.
  2. Have an annual turnover of up to £20m.
  3. Agree to all the qualifying statements.

What are the qualifying statements?

You will only qualify for the insurance if you agree to all of these statements:

  1. You have a Business Continuity Plan in place, and you’ve successfully tested it to confirm that following an unexpected interruption of your computer systems, you can resume all your revenue-earning operations within 6 hours.
  2. If you handle credit or debit card transactions; you are compliant with the data security standard of PCI, or a PCI compliant payment processor such as Stripe or PayPal stores the credit or debit card numbers on your behalf. 
  3. You provide regular, documented information security training to all your employees, including phishing training at least annually.
  4. You install critical and high-risk patches across your computer systems within 1 month of release. 
  5. You keep backups separate from your network (‘offline’) or in a cloud service designed for this purpose. 
  6. You pre-screen emails for potentially malicious attachments and links (if you use a cloud-based email service such as Outlook or Gmail, these features may be built-in). 
  7. If you use a cloud-based email service; you enforce Multi-Factor Authentication (MFA). 
  8. You and your directors haven’t sustained any losses or been subject to any claims in the past 5 years that would have been covered under this insurance, nor are you aware of anything that may result in a loss or claim under this insurance in the future.

What if I don’t qualify or already have cyber insurance?

You should not opt into the insurance.

Superscript may still be able to provide cyber insurance that takes into account your Cyber Essentials certification. Please email or phone 0333 772 0759 for a quote.

When does the cover start and end?

The basic cover begins when you complete your Cyber Essentials certification and lasts for a period of 12-months. However, if you select a higher limit or choose to include optional covers, Superscript will collect the premium from your payment card each month, and the cover will continue until the policy is cancelled. The policy period will be shown on your policy schedule.

Who’s covered by the insurance?

The Cyber Essentials certified organisation shown as the named insured in the policy schedule.

Who provides the insurance?

Superscript is an insurance intermediary delivering smarter business insurance, designed to keep up with evolving risks like cyber insurance. The insurance is underwritten by certain underwriters at Lloyd’s.

CyberSmart is a trading name of CyberSmart Limited. CyberSmart Limited is registered in England and Wales under Company number 10088945. Registered Office: 68 Hanbury Street Hanbury Street, London, England, E1 5JL. CyberSmart Limited is an Introducer Appointed Representative of Enro Limited trading as Superscript, authorised and regulated by the Financial Conduct Authority. FCA Registration 656459. By opting into this insurance, you agree to be bound by Superscript’s terms of business.

How do I make a claim?

Call the Superscript claims helpline on 0800 772 3059 as soon as you become aware of a data breach, security breach or any other circumstances that the insurance may cover.

What if I don’t want cyber insurance?

When you complete the Cyber Essentials assessment, you can opt-out of the insurance. This does not change the cost of your certification.

Insurance for certifications before 1st April 2021

The information on this page relates to Cyber Essentials certifications after 1st April 2021. If you completed your Cyber Essentials before this date, please see your policy documents for details.