Know the gaps in your UK cyber coverage, including GDPR liability limits, war exclusions, and how to negotiate broader protection.
UK cyber insurance exclusions are shaped by unique regulatory pressures: GDPR, the Information Commissioner's Office (ICO) enforcement power, and Lloyd's Market Association rules. Unlike the US patchwork, the UK has a unified regulatory framework, but this creates different gaps. The most critical gap: GDPR regulatory fines are uninsurable under UK law, and many policyholders don't realise this until they've suffered a breach.
This is the biggest exclusion in UK cyber insurance that catches businesses by surprise. Most UK cyber policies explicitly exclude GDPR fines (ICO penalties of up to 20 million GBP or 4% of global revenue, whichever is higher). Under UK law, regulatory fines cannot be insured; they are considered uninsurable as a matter of public policy.
What IS often covered is liability to affected individuals for breach of their rights (compensation for data loss, emotional distress, etc.). However, the insured amount is typically capped at 2 million GBP or 5 million GBP, which is much less than a major GDPR fine. If you process data for thousands of EU residents and suffer a major breach, the potential fine (10 to 20 million GBP) dwarfs your coverage.
What this means: Your cyber insurance covers liability to affected individuals, not regulatory fines. The only way to protect against GDPR fines is through strong security controls and incident response. Some policies carve out coverage for legal defence costs in defending an ICO investigation, but the actual fine is your responsibility.
UK policies (written under Lloyd's Market Association rules) include war and terrorism exclusions. However, cyber-specific carve-outs are increasingly standard (LMA5567, 5568, 5569, 5570). These explicitly cover cyber attacks attributed to foreign state actors or terrorist organisations, creating a distinction between traditional "war" and cyber-specific attacks.
If your policy was written before 2018 and doesn't include explicit cyber-war language, you have a significant gap. The definition of "terrorism" in the exclusion also matters: some policies exclude only attacks by listed terrorist organisations, whilst others are broader. Clarify the exact language of any war or terrorism exclusion in your policy schedule.
For critical infrastructure operators (energy, water, telecommunications) and businesses handling sensitive government information, war exclusions are particularly important. Ensure you have explicit cyber-war coverage in writing.
Many UK policies exclude coverage if you failed to meet GDPR obligations: lack of Data Protection Impact Assessments (DPIAs), no legitimate basis for processing, or failure to implement reasonable security measures under Article 32. If a breach occurs partly due to your own GDPR non-compliance, the insurer may reduce or deny coverage.
The risk is that "reasonable security measures" under GDPR are undefined, leading to disputes. GDPR requires security "appropriate to the risk", but what is appropriate varies by organisation size and data type. Document your security rationale: encryption choices, access controls, and incident response procedures. This is your defence against exclusions for GDPR compliance failures.
UK policies typically cover ransomware payments where it's legal to do so. However, the trend toward sanctions compliance is creating new exclusions. Some policies now exclude ransom payments to entities listed on UK/US sanctions lists (OFAC or UK/EU sanctions designations). If your attacker is a sanctioned entity and you pay the ransom, the insurer may deny coverage or your payment may violate UK sanctions law.
This creates a dilemma: in a ransomware attack, you may not know who the attacker is until after payment. Some insurers now require legal guidance before approving ransom payments. Clarify in your policy whether the insurer will provide sanctions compliance advice before you're forced to decide on payment.
UK cyber policies cover business interruption from your own systems being compromised, but exclude interruption from pure infrastructure failures (ISP outages, power grid failures) unless those infrastructure failures were caused by a cyber attack. The boundary between "cyber incident affecting your systems" and "infrastructure failure" is important.
For businesses highly dependent on cloud services or third-party infrastructure, this gap is real. If AWS experiences a major data centre outage affecting thousands of customers, your cyber policy won't cover your lost revenue. However, if AWS is targeted by a cyber attack and is down, coverage may apply. Clarify the exact trigger for business interruption coverage.
UK cyber policies may exclude liability for contractual penalties that exceed your legal obligations. If your service-level agreement (SLA) with a customer promises 1 million GBP in compensation for 24-hour downtime, but UK law only requires you to pay 100,000 GBP, the insurer may only cover the legal minimum. This gap is growing as cloud service contracts include larger liquidated damages clauses.
For software-as-a-service (SaaS) providers and managed service providers, SLA penalties can represent the largest financial exposure in a cyber incident. Negotiate explicit coverage for contractual SLA penalties, not just legal minimums.
Get a UK-based specialist broker to review your policy and identify gaps specific to GDPR, ICO enforcement, and Lloyd's Market requirements.