UK cyber insurance coverage overview
UK cyber insurance covers financial losses arising from cyber incidents in a regulatory environment dominated by GDPR, the UK Information Commissioner's Office (ICO), and sector-specific requirements like Cyber Essentials and the Network and Information Systems (NIS) Regulations. Coverage is split into first-party (your direct costs) and third-party (liability to others), with heavy emphasis on data protection compliance, incident notification, and regulatory defence.
First-party coverage: your direct costs
First-party coverage reimburses your organisation's immediate response and recovery costs following a cyber incident.
- Incident response and forensics: Professional investigation, breach containment, and emergency support to stop attacks and understand what happened. Typically covered up to £50K–£250K depending on policy size.
- Data recovery and system restoration: Costs to rebuild systems, restore data from backups, and return to normal operations.
- Business interruption losses: Compensation for lost revenue while systems are down and the business cannot operate. Includes emergency overtime and expedited recovery costs. Sub-limits often range £100K–£1M+.
- GDPR breach notification costs: Notifying affected individuals as required by GDPR Articles 33 and 34. This is a mandatory cost under GDPR and typically one of the largest components. Usually sub-limited to £50K–£250K.
- Credit monitoring and identity protection services: Providing affected individuals with credit monitoring and fraud resolution services following a data breach involving personal data.
- ICO and regulatory defence costs: Legal fees to respond to investigations and enforcement actions by the Information Commissioner's Office, including preparation of subject access request (SAR) responses and data protection impact assessments.
- Public relations and reputation recovery: Costs for crisis communications, media response, and reputation repair following a high-profile breach.
- Ransomware-related costs: Many policies cover incident response, recovery, and business interruption from ransomware. Ransom payments are often excluded or strictly limited.
- Cyber extortion and negotiation: Some policies cover costs of negotiating with extortionists and ransom demand management, though actual extortion payments are often excluded.
Third-party coverage: claims from others
Third-party liability coverage protects your business when other parties hold you liable for losses caused by your cyber incident.
- Legal defence costs: Attorney fees to defend against lawsuits from affected individuals, customers, or partners claiming losses from your data breach or security failure.
- Compensation payments: Settlements and court-ordered compensation to individuals or organisations claiming damages from your incident.
- ICO enforcement costs: Limited coverage for costs associated with regulatory action by the ICO. Most policies exclude fines but cover investigative and defence costs.
- Privacy liability: Claims from data subjects alleging your organisation mishandled personal data, failed to obtain valid consent, or breached GDPR obligations.
- Network security liability: Coverage if your systems are compromised and used to attack other organisations, and those organisations hold you liable.
- Errors and omissions (professional liability): Claims that your IT services, advice, or software caused financial loss to customers.
- Media liability: Claims arising from content published on your website or social media platforms alleging defamation or similar.
UK-specific regulatory requirements
UK cyber insurance is heavily shaped by GDPR, the ICO, and other regulatory frameworks:
- GDPR (UK GDPR post-Brexit). The UK retained GDPR provisions following Brexit, with the ICO as the supervisory authority. GDPR requires data protection by design, incident notification within 72 hours (to the ICO and affected individuals where there is high risk), and breach response plans. Fines up to 4% of annual revenue are excluded from insurance, but response and defence costs are typically covered.
- ICO guidance and enforcement. The ICO publishes expectations for data breach response, including notification procedures, handling of subject access requests during investigations, and cooperation with regulatory inquiries. Insurance covers costs of compliance with these requirements.
- Cyber Essentials and Cyber Essentials Plus. A UK-government-backed scheme promoting essential security controls. Whilst primarily technical, Cyber Essentials Plus certification can reduce cyber insurance premiums by 5-20%. Some government contractors require organisations they work with to hold Cyber Essentials certification.
- Network and Information Systems (NIS) Regulations. Apply to critical infrastructure operators in energy, transport, water, and healthcare. NIS-regulated organisations face additional incident reporting requirements and regulatory oversight affecting insurance costs.
- Mandatory incident notification for critical infrastructure. Critical infrastructure operators must report serious incidents to relevant authorities. Insurance typically covers investigative and response costs.
- Sector-specific regulations. Financial services companies are regulated by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), healthcare by NHS England, and others by their relevant bodies. Incident response and regulatory cooperation costs are insurable.
Coverage limitations and sub-limits
Many UK cyber policies apply sub-limits — separate maximum amounts for specific coverages, separate from the overall policy limit. For example, a £1M policy might sub-limit breach notification to £100K and business interruption to £250K. Once these are exhausted, the insurer stops paying for that coverage type, even if the overall limit isn't reached.
| Coverage Type | Category | Typical Sub-Limit (GBP) |
|---|---|---|
| Incident response and forensics | First-party | £50K – £250K |
| Business interruption loss | First-party | £100K – £1M+ |
| GDPR breach notification | First-party | £50K – £250K |
| ICO regulatory defence | First-party | £50K – £150K |
| Legal defence costs | Third-party | No separate limit |
| Compensation payouts | Third-party | Up to policy limit |
| Social engineering fraud | Additional | £25K – £100K |
Additional optional coverages
- Social engineering and funds transfer fraud: Coverage when employees are tricked into transferring money or revealing credentials. Increasingly standard.
- Dependent business interruption: Covers losses when a critical supplier or customer is breached and their downtime impacts your operations. Important for supply chain resilience.
- Cyber extortion negotiation: Professional negotiation services with extortionists and costs associated with ransom demand management (though actual payments often excluded).
- Cryptojacking: Unauthorised use of your computing resources for cryptocurrency mining or other malicious purposes.
- Invoice manipulation fraud: When attackers intercept email and redirect invoices or payment instructions to fraudulent accounts.
- Cyber-related reputational harm: Limited coverage for losses caused by reputational damage following a breach.
Find the right cyber insurance for your UK business
A specialist broker can help navigate GDPR requirements, ICO enforcement risks, and ensure adequate sub-limits for breach notification and business interruption.
Last updated: April 2026