What is cyber insurance?
Cyber insurance is a specialist type of business insurance that covers losses and liabilities caused by cyber attacks, data breaches, system failures, and cyber crime. It protects your business financially when something goes wrong with your digital systems or data.
Unlike traditional business insurance (which covers physical damage or theft), cyber insurance covers intangible losses like stolen data, business interruption, legal costs, and ransom demands. If your systems are attacked by hackers, infected with ransomware, or if customer data is stolen, cyber insurance helps you manage the financial fallout.
Cyber insurance combines two main types of coverage: first-party (which covers your own losses) and third-party (which covers your liability to others). This is crucial because a data breach harms both your business and the people whose data was exposed.
For a detailed explanation of how cyber insurance works, read our complete guide to cyber insurance.
What does cyber insurance cover?
Cyber insurance policies typically include two main categories of coverage:
First-party coverage
This covers losses to your own business:
- Data breach response costs (forensics, notification, credit monitoring)
- Business interruption (lost income while systems are down)
- Ransom and extortion payments, subject to the insurer's approval and to sanctions checks (a payment to a sanctioned person or group cannot be reimbursed)
- Cryptocurrency theft and wire fraud (often sold as social engineering or funds transfer fraud cover, and frequently sub-limited)
- Costs to restore your own data and systems
- Regulatory investigation and defence costs, and fines levied on you where the law permits them to be insured
Third-party coverage
This covers your liability to others when customer, client, or partner data you hold is exposed, or when your systems are used to harm someone else's:
- Privacy liability: claims from affected individuals and from business customers whose data you processed
- Regulatory investigations and penalties from privacy authorities, to the extent the law permits fines to be insured
- Network security liability: claims from third parties whose systems were harmed through yours (for example, malware that spread from your network)
- Media liability: defamation or intellectual property infringement in content you publish
- Costs to defend against these claims
Notification costs (letters, credit monitoring, call centre) are usually treated as first-party breach response costs rather than third-party liability; check which section of your policy they sit under, because the limits differ.
Coverage limits vary widely. Small businesses often buy policies with Β£1β2 million in coverage, while larger companies may carry Β£5β20 million or more.
For a comprehensive breakdown of what cyber insurance covers, see our detailed coverage guide.
Common exclusions
Cyber insurance policies don't cover everything. Understanding what's excluded is as important as knowing what's covered. Common exclusions include:
- Unpatched vulnerabilities: If you haven't applied security patches, the insurer may deny your claim
- Insider threats: Many policies exclude losses from your own employees or contractors acting maliciously
- Poor password practices: If your breach happened because of weak passwords or missing multi-factor authentication, cover may be denied
- Pre-existing conditions: Known vulnerabilities discovered before your policy date are often excluded
- War and terrorism: Losses from acts of war, and increasingly from state-backed cyber attacks, may not be covered. Since 2023 Lloyd's of London has required standalone cyber policies written by its syndicates to carry a state-backed cyber attack exclusion, so check how your policy defines such an attack and who decides attribution
- Certain types of malware: Some policies exclude specific types of attacks or malware variants
- Failure to secure data: Storing sensitive data without adequate encryption or security controls can void your claim
This is why insurers require you to maintain certain security controls before they'll issue a policy. Read more about common cyber insurance exclusions.
How much does cyber insurance cost?
Cyber insurance premiums vary widely based on company size, industry, revenue, security controls, and the level of coverage you choose. On average, businesses in the UK pay between Β£1,500 and Β£10,000+ per year for cyber insurance.
Here's what you can typically expect to pay based on company size:
| Company size | Annual premium range | Typical coverage limit |
|---|---|---|
| Small business (1β50 employees) | Β£1,500βΒ£4,000 | Β£1β2 million |
| Medium business (51β250 employees) | Β£4,000βΒ£10,000 | Β£2β5 million |
| Enterprise (250+ employees) | Β£10,000βΒ£50,000+ | Β£5β20 million+ |
These are rough ranges. Your actual premium depends on factors like your industry (healthcare and financial services pay more), your security maturity, annual revenue, and claims history. Industries that handle sensitive data or face heavy regulation pay significantly higher premiums.
Want detailed pricing data? See our full cyber insurance pricing guide.
Best cyber insurance providers
The cyber insurance market includes two types of providers: specialist cyber insurers who focus exclusively on cyber risk, and traditional insurance companies that have added cyber coverage to their product lines.
Specialist insurers
Specialist cyber insurers understand the nuances of cyber risk better than generalist providers. They typically offer more flexible policies, faster claims handling, and better support for breach response, and they usually have in-house or panel incident response teams (forensics, breach counsel, ransomware negotiators) you can call when a breach happens.
Traditional insurers
Large insurance companies like AXA, Chubb, and Liberty Mutual offer cyber coverage, often as part of a broader commercial package. These can work well if you want all your insurance in one place, but they may not have the same cyber expertise as specialists.
What matters more than the insurer's name is whether they offer:
- Coverage that matches your specific risks and industry
- Quick, transparent claims processing
- Incident response support (not just money)
- Reasonable premiums for the coverage you get
- Good customer reviews and claims history
For a detailed analysis of leading cyber insurance providers, see our providers guide.
Compare cyber insurance
Because cyber insurance policies are highly customisable, comparing quotes is essential. Two policies from different insurers, even at the same price, can have dramatically different coverage and exclusions.
When you compare policies, look beyond the premium. Ask:
- What coverage limits are included for first-party losses and third-party liability?
- What are the deductibles (or "excesses") and how will they affect a claim?
- Which specific threats and attack types are covered?
- What security controls are required before the insurer will issue a policy?
- Does the policy include incident response support, or just money?
- How long does the insurer typically take to pay claims?
- Can the insurer provide references or case studies from similar businesses?
Never choose a cyber insurance policy based on price alone. A cheap policy with poor coverage and a history of denied claims will cost you far more in the long run.
Learn more about comparing policies effectively in our cyber insurance comparison guide.
Cyber insurance by country
Cyber insurance requirements, regulations, and best practices differ significantly by country. Here are the guides for the four largest markets:
United Kingdom
GDPR, ICO enforcement, and FCA-regulated brokers. See the UK guide.
United States
State privacy laws, HIPAA, SEC rules, and the largest market. See the US guide.
Australia
Notifiable Data Breaches scheme, Privacy Act, and APRA guidance. See the Australia guide.
Canada
PIPEDA, provincial privacy laws, and mandatory breach reporting. See the Canada guide.
Cyber insurance by industry
Different industries face different cyber risks, which means your cyber insurance needs should be tailored to your sector. Here are guides for the industries most at risk:
Small Business
Essential coverage for businesses with 1–50 employees. See the small business guide.
Healthcare
HIPAA compliance, patient data protection, and ransomware risk. See the healthcare guide.
Law Firms
Client confidentiality, privileged information, and regulatory requirements. See the law firms guide.
SaaS Companies
Customer data, platform security, and supply chain liability. See the SaaS guide.
Financial Services
Regulatory compliance, financial data, and business continuity. See the financial services guide.
MSPs & IT Providers
Client systems liability, network security, and incident response. See the MSP guide.
Requirements and controls
Before cyber insurance companies will issue a policy, they require you to have certain basic security controls in place. These aren't optional β they're essential to getting covered.
Most insurers require:
- Multi-factor authentication (MFA): Required for all remote access (VPN, remote desktop), email, cloud administration, and privileged accounts
- Regular backups: Daily or weekly backups, with at least one copy offline or in immutable storage that the backup account cannot delete, and restores tested on a schedule
- Endpoint protection: Antivirus, antimalware, and EDR (Endpoint Detection and Response) tools on all devices
- Patch management: A documented process for applying security patches promptly; insurers commonly ask how quickly critical patches reach internet-facing systems
- Password policies: Long, unique passwords or passphrases, screened against known-breached lists. Current NCSC and NIST (SP 800-63B) guidance is to change passwords when compromise is suspected rather than on a fixed schedule; some insurer questionnaires still ask about rotation, so describe what you actually do
- Access controls: Limiting who can access sensitive systems and data
- Employee training: Annual security awareness training for staff
- Incident response plan: A documented plan for responding to cyber incidents
- Vulnerability scanning: Regular scans of your systems and networks
If you don't meet these minimum requirements, expect to be declined, quoted a much higher premium, or offered cover with the missing control excluded. Answer the application questionnaire accurately: a policy obtained by overstating your controls can be voided, and a claim can be denied if a control you said you had was missing when the attack happened.
For a complete checklist of what insurers require, see our security requirements guide.
Cyber insurance and ransomware
Ransomware attacks are the most common type of cyber incident that leads to insurance claims. In a typical modern ransomware attack, criminals gain access (often through phishing, stolen credentials on a remote access service, or an unpatched internet-facing system), copy sensitive data out of your network, then encrypt your files and demand payment both to unlock them and to withhold publication of the stolen data. Because data is exfiltrated, such an attack usually counts as a data breach as well as an outage.
Cyber insurance covers ransomware in several ways:
- Ransom payments: If you choose to pay, insurance covers the cost, but almost all policies require you to involve the insurer before paying and to confirm that the recipient is not a sanctioned person or group; some policies discourage or sub-limit payment
- Incident response: Costs for forensics, negotiation, and technical recovery
- Business interruption: Lost income while your systems are encrypted and unavailable
- Notification and credit monitoring: If personal data was stolen during the attack
- Regulatory fines: If the attack resulted in a data breach and regulatory penalties
However, ransomware coverage often has conditions. For example, insurers may deny your claim if:
- You failed to apply critical security patches
- You didn't have MFA on externally reachable accounts (VPN, remote desktop, email, cloud administration)
- Your backups were not properly isolated (so the attacker encrypted them too)
- You didn't maintain an incident response plan
The best protection against ransomware is prevention. Insurers strongly recommend: MFA, regular backups (stored offline), vulnerability scanning, and employee security training.
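What "backups stored offline and tested" in the requirements list and "backups not properly isolated" in the denial conditions above amount to in practice, as an added example that is not from the page or any insurer. It assumes a Linux host with GNU coreutils, findutils and tar; the directory layout, file names and sample contents are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the page or any insurer): a minimal "tested backup"
# routine. It archives a directory together with a SHA-256 manifest, restores
# the archive into a scratch directory and checks every file against the
# manifest. Needs GNU sha256sum, sort -z, xargs -0 and tar. All paths and
# file names below are assumptions for the example.
set -eu

# make_backup SRC_DIR BACKUP_DIR
#   Writes BACKUP_DIR/data.tar and BACKUP_DIR/manifest.sha256. The manifest is
#   hashed from the live source before archiving, so a later restore is
#   compared with what the data looked like at backup time, not with whatever
#   happens to be in the archive now.
make_backup() {
    local src="$1" dest="$2"
    mkdir -p "$dest"
    ( cd "$src" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) \
        > "$dest/manifest.sha256"
    tar -C "$src" -cf "$dest/data.tar" .
    # In production the archive and manifest are now copied to offline or
    # immutable storage. A copy that the backup account (or an attacker holding
    # its credentials) can still overwrite is not an isolated backup.
}

# verify_restore BACKUP_DIR SCRATCH_DIR
#   Restores the archive into SCRATCH_DIR and checks every manifest entry.
#   Returns 0 only if every file is present with a matching hash. Files that
#   exist in the archive but not in the manifest are not detected here.
verify_restore() {
    local backup="$1" scratch="$2"
    rm -rf "$scratch"
    mkdir -p "$scratch"
    tar -C "$scratch" -xf "$backup/data.tar" 2>/dev/null || return 1
    ( cd "$scratch" && sha256sum --quiet -c "$backup/manifest.sha256" ) >/dev/null 2>&1
}

# run_demo: end-to-end check on constructed sample data in a temporary
# directory. Returns 0 when a clean backup verifies AND a backup whose archive
# was later overwritten is rejected.
run_demo() {
    local work clean tampered
    work="$(mktemp -d)"
    mkdir -p "$work/src/docs"
    printf 'quarterly figures\n' > "$work/src/docs/finance.txt"   # constructed sample data
    printf 'customer list\n'     > "$work/src/docs/customers.csv" # constructed sample data
    make_backup "$work/src" "$work/backup"

    clean=1
    if verify_restore "$work/backup" "$work/restore-clean"; then clean=0; fi

    # Simulate a backup copy that stayed reachable from the production network
    # and was overwritten after the fact (the "backups not properly isolated"
    # case): one source file is changed and the archive is rebuilt. A check
    # that only asks "is the archive there?" passes; the manifest check fails.
    printf 'ENCRYPTED\n' > "$work/src/docs/finance.txt"
    tar -C "$work/src" -cf "$work/backup/data.tar" .
    tampered=1
    if verify_restore "$work/backup" "$work/restore-tampered"; then tampered=0; fi

    rm -rf "$work"
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 1 ]
}

run_demo && echo "clean backup verified; overwritten backup rejected"
```

The manifest is what makes the test meaningful: the restore is compared with the data as it was when the backup ran, so a copy that was later encrypted or overwritten fails instead of passing an "archive exists" check. Keep the manifest with the offline copy rather than only on the production host, and run the restore on a schedule you can evidence to the insurer, because "tested regularly" is a question on most applications.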
Learn more about ransomware insurance in our ransomware coverage guide.
Data breach insurance
Data breach coverage is a core component of cyber insurance. When customer, employee, or client data is stolen or exposed, the costs can be staggering: forensics, notification, credit monitoring, regulatory fines, and lawsuits.
A typical data breach involving 5,000 people can cost Β£500,000βΒ£2 million when you factor in:
- Forensic investigation (Β£50,000βΒ£200,000)
- Notification (letters, emails, calls)
- Credit monitoring services (typically 2β3 years for affected people)
- Call centre costs (answering victim questions)
- Regulatory fines (under the UK GDPR up to £17.5 million or 4% of global annual turnover, whichever is higher; €20 million or 4% under the EU GDPR), insurable only where the law permits
- Lawsuits from affected individuals
- Reputational damage and lost customers
Good data breach insurance covers all of these costs. But keep in mind: the insurer will expect you to have basic data security controls in place (encryption, access controls, regular backups) before they'll issue a policy.
For a detailed guide to data breach insurance, see our data breach coverage guide.
Do you need cyber insurance?
In 2026, cyber insurance is essential for almost every business. The question isn't whether you need it β it's what level of coverage you need.
You definitely need cyber insurance if you:
- Collect or store customer data (names, emails, payment details, health information)
- Operate online (e-commerce, SaaS, web applications)
- Accept payment cards or handle financial transactions
- Are in a regulated industry (healthcare, financial services, law)
- Have employees who work remotely
- Use cloud services (AWS, Microsoft 365, Salesforce)
- Have valuable intellectual property or trade secrets
- Serve other businesses or government agencies
Even if you don't think you need it:
If you're a small business with just a few employees and no customer data, you might still benefit from basic cyber insurance. The cost is low (Β£1,500βΒ£3,000 per year), and the protection is valuable.
The key question:
If you suffered a cyber attack today β ransomware that encrypted your files, a data breach, or a hack of your payment system β could your business survive the financial impact? If the answer is no, you need cyber insurance.
For help assessing your actual need, see our need assessment guide.
How to get a cyber insurance quote
Getting a cyber insurance quote is straightforward. Here's the typical process:
1. Assess your needs
Before you talk to anyone, think about your business: What data do you handle? What would a cyber attack cost you? What coverage limits make sense? Do you need incident response support?
2. Gather your information
Insurers will ask for details about:
- Your business type and size
- Annual revenue
- Number of employees
- The data you collect and store
- Your current security controls
- Your claims history (if any)
- Your IT infrastructure (on-premises, cloud, hybrid)
3. Get multiple quotes
Never accept the first quote. Talk to at least 3β4 providers or brokers. Prices vary widely, and so does coverage.
4. Compare and negotiate
Don't just compare premiums. Compare coverage limits, deductibles, exclusions, and the insurer's claims reputation. A cheaper policy is worthless if your claims get denied.
5. Ask questions
Before you sign anything, ask:
- What happens if we suffer a breach? What's the process?
- Do you provide incident response support?
- What security controls do we need to maintain to stay covered?
- How long does it typically take to pay a claim?
- Can we speak to other customers who've made claims?
6. Review the policy terms
Read the full policy document. Don't rely on the summary. Look for exclusions that might affect your business specifically.
7. Purchase and maintain
Once you've chosen a policy, remember: cyber insurance only works if you maintain the security controls required. Review your policy annually to make sure it still matches your needs.
For a step-by-step guide to getting a quote, see our quote process guide.