What is cyber insurance?

Businesses need cyber insurance because cyberattacks are not a threat – but a reality of everyday life.

In the last 12 months, 39% of UK businesses identified a cyberattack and there is ample evidence to show that many attacks go undetected and unreported.

Those are scary figures, to be sure. But the one that proves that cyberattacks are a day-to-day reality is this one about cyber fatigue:

Cyber fatigue, or apathy to proactively defend against cyberattacks, affects as much as 42% of companies. – Cisco

Cybersecurity is now so common that it’s boring. And when something looks boring, it becomes even more dangerous. Cyber insurance means that if you do experience a breach, you won’t lose your shirt in the process.

But cyber insurance won’t instantly solve all your cybersecurity issues, nor prevent a network breach. Just as homeowners with household insurance are expected to have adequate security measures in place, businesses must put measures in place to protect their digital environment.

Why do small businesses need cyber insurance?

Most business liability insurance policies cover some aspect of cyber liability, up to a specific value. But, as with many insurance products, specific insurance provides more comprehensive coverage. Without insurance, businesses spend £3.6 million on average recovering from cybersecurity breaches. For an enterprise-level business, this cost hurts but can be absorbed. Small businesses face ruin if they’re caught by such sudden costs.

Professional services by numbers

The security landscape

The professional services industry is prone to attack. Cybercriminals target organisations three times a week, on average. Threat actors know there’s a lot on the line for their victims, which gives them an incentive to attack.

Why Do Cybercriminals Target Supply Chains?

For many cybercriminals, suppliers represent the weakest point in the target’s digital defences. Especially at the enterprise level.

Breaching an enterprise’s digital defences is tough. With substantial resources at their disposal, enterprises can afford to invest in the best cybersecurity tools and processes to keep their assets safe. But cybercriminals have learned that they don’t need to target a corporate giant directly to get what they want.

Suppliers and service providers can’t afford the same level of protection. By attacking the weakest link in a supply chain, cybercriminals can side-step the product or service provider’s defensive perimeter and gain access to their systems.

Supply chain attacks are particularly effective because of the implicit trust businesses place in their suppliers. Only 13% of UK businesses assess the cyber risks posed by their immediate suppliers, according to recent government data. And that figure drops to just 7% for the wider supply chain. Cybercriminals exploit this confidence to target richer pickings further downstream.

Most common cyber threats to UK businesses

Phishing Attempts

Social engineering tactics that are designed to trick people into sharing personal data or confidential business information. Phishing is the most common type of cyber threat to UK businesses. 83% of UK businesses that identify a cyberattack are hit by a phishing attempt.

Denial of service

Networks disrupted by an overwhelming volume of traffic, requests, and data.

Malware

Software designed to harm a computer, server, or network. It can steal information, delete files, or damage equipment.

Ransomware

Malware that encrypts your files and demands payment in exchange for decryption.

What does cyber insurance cover?

Cyber insurance covers a range of cyber risks, including:

  • Accidental privacy breaches
  • Business disruption
  • Denial-of-service attacks
  • Hacking, extortion, ransomware
  • Loss of income and data restoration
  • Malware

Some business liability insurance policies have additional features that cover dimensions of these risks.

Dedicated cyber insurance also covers:

  • Hiring cybersecurity experts to investigate breaches and their causes
  • Additional activities required to meet regulatory requirements
  • Incident response
  • Implementing a system to notify affected individuals about data breaches
  • Credit monitoring services or anti-fraud protection for those affected
  • Public relations support to offset reputational damage

Types of cyber insurance

The type of cyber insurance your business chooses should be based on the risk appetite of your company and what needs protecting. When it comes to cyberattacks, the business that’s being attacked is not the only party that can potentially suffer losses. As we’ll discover later, other businesses in your supply chain could be targets too.


  • Business interruption

    Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.

  • Computer data loss and restoration

    Covers physical damage or loss of computer-related assets. This can include the costs of data retrieval and restoration as well as replacing hardware, software, or other.

  • Data restoration

    Covers expenses related to the restoration or recreation of data that were lost due to security or system failure.

  • Ransomware

    Malware that encrypts your files and demands payment in exchange for decryption.

  • Forensic investigation

    Covers the services necessary to assess whether a cyberattack has occurred and to assess its impact.

  • Ransom/extortion

    Provides coverage for the costs associated with the investigation of threats to commit cyberattacks against your systems and for payments to extortionists who threaten to obtain and disclose sensitive information. It also covers the costs of paying encrypted data ransoms.

  • Reputation protection

    Insurance against reputation attacks and cyber defamation. Breaches are bad publicity.

  • Theft and fraud

    Covers loss of monies (or similar monetary instruments) resulting from unauthorised access to your network, which allows malicious actors to make fraudulent transfers.

If you’re interested in cyber insurance, you’ll need at least the following safety measures in place:

  • Equip PCs with malware protection
  • Protect your company network with firewalls
  • Securely and regularly back up business data
  • Create secure provisioning processes for user access rights and permissions
  • Schedule regular security updates

You may recognise these measures as the five technical controls of Cyber Essentials and you’d be right!

Some UK insurers use Cyber Essentials as a minimum standard to keep risks – and premiums – at an acceptable level.

So, if you want cyber insurance, start by getting Cyber Essentials certified.

Cyber insurance costs

Just like health insurance, cyber insurance has a monthly premium. Costs vary and new products are entering the market to offer comprehensive cover at a price SMEs can afford.

But as we’ve already discovered, the lack of long-term data makes it difficult for insurers to assess the risk they are taking on. With an increased demand for coverage coupled with an alarmingly high rise in cybercrime hitting UK businesses, the price of cyber insurance is going up. According to one risk management firm, the cost of cyber insurance went up by 130% in the last quarter of 2021 alone.

Big fact

The UK has the highest number of cybercrime victims per million Internet users at 4,783 in November 2022 – up 40% over 2020 figures.

Surfshark

Types of cyber insurance claims

Here are three examples of the kinds of scenarios in which you can claim on your cyber insurance.

Business disruption due to cyberattack

The website that your online building supplies business runs on crashes due to a cyberattack on the web service firm that hosts your site.

Your cyber policy pays out for all projected profits lost during your company’s downtime, even if the outage happened at a third-party business you depend on.

Ransomware shuts down your business

A member of staff accidentally opens a malicious email and downloads ransomware on to your business’s system. Your files are encrypted and the perpetrator is demanding a ransom in exchange for their decryption.

Your cyber insurance policy covers the ransom demand to unlock your system and covers profits lost due to business interruption.

Business disruption due to cyberattack

The app-based POS system you use in your small retail store or market stall is hacked. Customers’ private card details are stolen by a nefarious actor. You must pay compensation and fines as a result.

Your cyber insurance policy covers your legal costs and compensation payments due to affected customers, as well as any fines for PCI DSS non-compliance.

  • Phishing might be popular, but ransomware is on the rise

    83% of UK businesses that identified a cyberattack in 2021 were hit by a phishing attempt. But research by NCC Group reveals that ransomware attacks have risen by 92.7% in the last year. Ransomware has a unique place within cyber insurance. The question as to whether or not to pay a ransom or simply take the loss and deploy recovery countermeasures is hotly debated. Businesses may have internal policies to refuse to pay ransoms even if they’re covered. Insurers may not cover ransoms because there’s no guarantee that you’ll get your data back even if you pay. New threats mean that risk models need to change. Insurers need to move faster to keep up with the times and deliver products that businesses really need.

  • Premiums are on the rise

    82% of cyber insurers expect to raise their premiums over the next two years. This is because the loss ratio (the losses an insurer incurs due to paid claims as a percentage of premiums earned) on cyber insurance is so high. In 2020, the loss ratio on cyber insurance was 66.9%. But, as Panaseer explains, “three of the insurers in the group saw losses exceed 100% of their total premiums”. So, it costs more to insure people than it’s worth. The result is that more large businesses are self-insuring – putting cash aside to cover themselves in the event of a breach. That’s great for large businesses, but as we race into a recession, where does that leave small businesses? Without intervention and cost-effective, comprehensive support, small UK businesses that are hit by a cyberattack will go under.

  • Cyber insurance adoption is low and claims are lower

    The UK government’s 2022 Security Breaches Survey concluded that “cybersecurity is now seen as a high priority by a greater proportion of businesses than in any other year of the survey… In the qualitative interviews, it was found that this was driven by a good high-level understanding at the senior level of the risks cyberattacks pose.” This trend suggests that SMEs are actively looking for cybersecurity tools and talent to bolster their businesses.

  • Supply chains are increasingly under attack

    Supply chains are an increasingly enticing target for hackers who exploit the trust enterprises have in suppliers. Research from ENISA suggests that 62% of attacks on enterprises take advantage of supply chain relationships. This is a major problem because FSB research suggests that 77% of smaller businesses within the UK are part of supply chains. So, while your business might not be the true target of a cyberattack, a trusted customer further up the supply chain could be. As such, potential customers may start looking harder at the cybersecurity policies that potential suppliers and partners have in place.

“Of those with some form of cyber insurance, a tiny proportion of businesses and charities report having made an insurance claim to date. It is less than one per cent among businesses and two per cent of those charities with cyber security insurance in place.”

Cyber Security Breaches Survey 2022

This shows us that the cyber insurance market is still in an immature state, with plenty of room to grow. What this means for businesses is that there are opportunities for better, more relevant, and cost-effective products to meet specific needs.

The lack of claims may indicate the effectiveness of the cyber insurance minimum requirements. By having these elements in place, businesses are protected from over 90% of common cyberattacks.

Protect your business with CyberSmart

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do?

Choose Active Protect from CyberSmart. Active Protect secures all employee devices that touch your company data. Simply send the downloadable link to your staff and Active Protect will check around the clock for the most common cyber threats and vulnerabilities – giving you everything you need to proactively manage risk.