
The Small Business Guide to Cyber



What is cyber insurance?

Cyber insurance is a speciality insurance product that protects businesses from cyber risks, and those related to IT infrastructure and data management. Cyber insurance gives businesses the resources they need to respond to cyberattacks at a fraction of the real cost.

Businesses need cyber insurance because cyberattacks are not a threat – but a reality of everyday life. In the last 12 months, 39% of UK businesses identified a cyberattack and there is ample evidence to show that many attacks go undetected and unreported.

Those are scary figures, to be sure. But the one that proves that cyberattacks are a day-to-day reality is this one about cyber fatigue:

Cyber fatigue, or apathy to proactively defend against cyberattacks, affects as much as 42% of companies.

Cybersecurity is now so common that it’s boring. And when something looks boring, it becomes even more dangerous. Cyber insurance means that if you do experience a breach, you won’t lose your shirt in the process.

But cyber insurance won’t instantly solve all your cybersecurity issues, nor prevent a network breach. Just as homeowners with household insurance are expected to have adequate security measures in place, businesses must put measures in place to protect their digital environment.

Why do small businesses need cyber insurance?

Most business liability insurance policies cover some aspect of cyber liability, up to a specific value. But, as with many insurance products, specific insurance provides more comprehensive coverage. Without insurance, businesses spend £3.6 million on average recovering from cybersecurity breaches. For an enterprise-level business, this cost hurts but can be absorbed. Small businesses face ruin if they’re caught by such sudden costs.

Most common cyber threats to UK businesses

  • Phishing attempts
  • Denial of service
  • Malware
  • Ransomware

Phishing attempts

Social engineering tactics that are designed to trick people into sharing personal data or confidential business information. Phishing is the most common type of cyber threat to UK businesses. 83% of UK businesses that identify a cyberattack are hit by a phishing attempt.

Denial of service

Networks disrupted by an overwhelming volume of traffic, requests, and data.


Malware

Software designed to harm a computer, server, or network. It can steal information, delete files, or damage equipment.


Ransomware

Malware that encrypts your files and demands payment in exchange for decryption.

What does cyber insurance cover?

Cyber insurance covers a range of cyber risks, including:

  • Accidental privacy breaches
  • Business disruption
  • Denial-of-service attacks
  • Hacking, extortion, ransomware
  • Loss of income and data restoration
  • Malware

Some business liability insurance policies have additional features that cover dimensions of these risks. Dedicated cyber insurance also covers:

  • Hiring cybersecurity experts to investigate breaches and their causes
  • Additional activities required to meet regulatory requirements
  • Incident response
  • Implementing a system to notify affected individuals about data breaches
  • Credit monitoring services or anti-fraud protection for those affected
  • Public relations support to offset reputational damage

Types of cyber insurance

The type of cyber insurance your business chooses should be based on the risk appetite of your company and what needs protecting. When it comes to cyberattacks, the business that’s being attacked is not the only party that can potentially suffer losses. As we’ll discover later, other businesses in your supply chain could be targets too.

First-party vs third-party cyber insurance

First-party cyber insurance provides the cover for losses and recovery to your business.

Third-party cyber insurance provides cover to partners, suppliers, and contractors that are hit by a cyberattack. Third-party cyber insurance (like third-party car insurance) can also provide protection if another company makes a claim against you for errors that you’ve made which have led to losses or damages to them.

This is useful when we consider the fact that 82% of data breaches are due to human error – sometimes due to social engineering, but just as much as a result of genuine error or misuse.

Specific types of cyber insurance

Within the field of cyber insurance, you can find specific types of coverage.

Business interruption

Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.

Computer data loss and restoration

Covers physical damage or loss of computer-related assets. This can include the costs of data retrieval and restoration as well as replacing hardware, software, or other

Data restoration

Covers expenses related to the restoration or recreation of data that were lost due to security or system failure.


Malware that encrypts your files and demands payment in exchange for decryption.

Forensic investigation

Covers the services necessary to assess whether a cyberattack has occurred and to assess its impact.


Provides coverage for the costs associated with the investigation of threats to commit cyberattacks against your systems and for payments to extortionists who threaten to obtain and disclose sensitive information. It also covers the costs of paying encrypted data ransoms.

Reputation protection

Insurance against reputation attacks and cyber defamation. Breaches are bad publicity.

Theft and fraud

Covers loss of monies (or similar monetary instruments) resulting from unauthorised access to your network, which allows malicious actors to make fraudulent transfers.

Cyber insurance

So, what do you need to do to get cyber insurance?

To successfully apply for cyber insurance, most providers carry out a cyber insurance risk assessment as part of their underwriting process. Depending on the size of your company, this process can range from a simple questionnaire to a detailed forensic analysis that can take weeks to complete.

Part of the reason for this is that cyber insurance is a new, and thus volatile, market. The lack of historic data and the speed of technology’s evolution make it difficult for insurers to accurately assess the risk to businesses. By setting minimum security standards for businesses, insurers can create a reasonable baseline.

If you’re interested in cyber insurance, you’ll need at least the following safety measures in place:

  • Equip PCs with malware protection
  • Protect your company network with firewalls
  • Securely and regularly back up business data
  • Create secure provisioning processes for user access rights and permissions
  • Schedule regular security updates

You may recognise these measures as the five technical controls of Cyber Essentials and you’d be right! Some UK insurers use Cyber Essentials as a minimum standard to keep risks – and premiums – at an acceptable level.

So, if you want cyber insurance, start by getting Cyber Essentials certified.

Cyber insurance costs

Just like health insurance, cyber insurance has a monthly premium. Costs vary and new products are entering the market to offer comprehensive cover at a price SMEs can afford.

But as we’ve already discovered, the lack of long-term data makes it difficult for insurers to assess the risk they are taking on. With an increased demand for coverage coupled with an alarmingly high rise in cybercrime hitting UK businesses, the price of cyber insurance is going up. According to one risk management firm, the cost of cyber insurance went up by 130% in the last quarter of 2021 alone.

The UK has the highest number of cybercrime victims per million Internet users at 4,783 in November 2022 – up 40% over 2020 figures.


Types of cyber insurance claims

Here are three examples of the kinds of scenarios that you can claim on your cyber insurance.

1. Business disruption due to

The website that your online building supplies business runs on crashes due to a cyberattack on the web service firm that hosts your site.

Your cyber policy pays out for all projected profits lost during your company’s downtime, even if the outage happened at a third-party business you depend on.

2. Ransomware shuts down your business

A member of staff accidentally opens a malicious email and downloads ransomware on to your business’s system. Your files are encrypted and the perpetrator is demanding a ransom in exchange for their decryption.

Your cyber insurance policy covers the ransom demand to unlock your system and covers profits lost due to business interruption.

3. Customers’ card details are stolen

The app-based POS system you use in your small retail store or market stall is hacked. Customers’ private card details are stolen by a nefarious actor. You must pay compensation and fines as a result.

Your cyber insurance policy covers your legal costs and compensation payments due to affected customers, as well as any fines for PCI DSS non-compliance.

Benefits of cyber

The benefits of cyber insurance are like those of any insurance product. You get peace of mind, support for when things go wrong, and can get back to your pre-disaster position faster. Another benefit of cyber insurance is that simply by meeting the requirements, you improve your general cybersecurity.

  • Peace of mind
  • Expert technical support
  • Get back to business faster
  • Improved in-house cybersecurity

As a specialist insurance product, cyber insurance covers the things that general business liability policies don’t. Not every general policy covers losses related to data breaches, especially when it comes to covering the loss of data.

Supplementing your insurance with cyber coverage can provide you with peace of mind that, in the event of an attack, your business’s financial and reputational well-being is protected.

5 Cyber insurance trends & challenges for 2023

1. Phishing might be popular, but ransomware is on the rise

83% of UK businesses that identified a cyberattack in 2021 were hit by a phishing attempt. But research by NCC Group reveals that ransomware attacks have risen by 92.7% in the last year.

Ransomware has a unique place within cyber insurance. The question as to whether or not to pay a ransom or simply take the loss and deploy recovery countermeasures is hotly debated. Businesses may have internal policies to refuse to pay ransoms even if they’re covered. Insurers may not cover ransoms because there’s no guarantee that you’ll get your data back even if you pay.

New threats mean that risk models need to change. Insurers need to move faster to keep up with the times and deliver products that businesses really need.

2. Premiums are on the rise

82% of cyber insurers expect to raise their premiums over the next two years. This is because the loss ratio (the losses an insurer incurs due to paid claims as a percentage of premiums earned) on cyber insurance is so high. In 2020, the loss ratio on cyber insurance was 66.9%. But, as Panaseer explains, “three of the insurers in the group saw losses exceed 100% of their total premiums”. So, it costs more to insure people than it’s worth.

The result is that more large businesses are self-insuring – putting cash aside to cover themselves in the event of a breach. That’s great for large businesses, but as we race into a recession, where does that leave small businesses?

Without intervention and cost-effective, comprehensive support, small UK businesses that are hit by a cyberattack will go under.

3. Cyber insurance adoption is low and claims are lower

UK government data from 2022 shows that 50% of small businesses have some type of cyber insurance, with 10% having a specific policy. These businesses tend to be in the financial and insurance sectors. We also see that claims are very low.

“Of those with some form of cyber insurance, a tiny proportion of businesses and charities report having made an insurance claim to date. It is less than one per cent among businesses and two per cent of those charities with cyber security insurance in place.”

Cyber Security Breaches Survey 2022

This shows us that the cyber insurance market is still in an immature state, with plenty of room to grow. What this means for businesses is that there are opportunities for better, more relevant, and cost-effective products to meet specific needs.

The lack of claims may indicate the effectiveness of the cyber insurance minimum requirements. By having these elements in place, businesses are protected from over 90% of common cyberattacks.

4. Businesses and staff care about cybersecurity

The UK government’s 2022 Security Breaches Survey concluded that “Cybersecurity is now seen as a high priority by a greater proportion of businesses than in any other year of the survey… In the qualitative interviews, it was found that this was driven by a good high-level understanding at the senior level of the risks cyberattacks pose.”

This trend suggests that SMEs are actively looking for cybersecurity tools and talent to bolster their businesses.

5. Supply chains are increasingly under attack

Supply chains are an increasingly enticing target for hackers who exploit the trust enterprises have in suppliers. Research from ENISA suggests that 62% of attacks on enterprises take advantage of supply chain relationships. This is a major problem because FSB research suggests that 77% of smaller businesses within the UK are part of supply chains.

So, while your business might not be the true target of a cyberattack, a trusted customer further up the supply chain could be. As such, potential customers may start looking harder at the cybersecurity policies that potential suppliers and partners have in place.

Protect your business with

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do?

Choose Active Protect from CyberSmart. Active Protect secures all employee devices that touch your company data. Simply send the downloadable link to your staff and Active Protect will check around the clock for the most common cyber threats and vulnerabilities – giving you everything you need to proactively manage risk.