TL;DR:
- Sort MFA, tested backups, and endpoint protection before applying — they affect both approval and price
- A typical UK small business policy costs £400–£1,500/year depending on size and sector
- Compare using a five-point checklist: ransomware, breach notification, business interruption, social engineering, and legal defence
Cyber insurance for small business has moved from optional extra to baseline expectation. In 2026, clients ask for it before signing contracts, commercial landlords include it in lease terms, and banks consider it during loan applications.
The reason is straightforward maths. The average cost of a cyber claim for a UK small business runs £45,000–£90,000. A ransomware attack that locks your systems, forces customer notifications under UK GDPR, and triggers legal disputes lands squarely in that range. Most businesses don’t have that sitting in a contingency fund.
Why clients and banks now require it
Three situations now regularly create an insurance requirement. Healthcare, legal, and financial services companies routinely require proof of cyber coverage before they’ll sign a supplier contract. Serviced offices increasingly include cyber liability insurance in their tenancy agreements. And some business loan applications now treat absent cyber coverage as a risk factor.
The underlying logic is simple: an uninsured small business hit by a cyber incident often folds, leaving contracts incomplete and clients exposed.
What cyber insurance covers
Every policy differs, but these coverages appear most commonly.
Ransomware response covers the ransom payment itself (where legally permitted), specialist negotiator costs, and system restoration. Most UK insurers require you to contact them before paying any ransom; don't make that decision alone. Two caveats worth knowing up front: paying buys no guarantee that the decryptor works or that stolen data is deleted, and UK sanctions law makes it an offence to pay a sanctioned entity, so the insurer's negotiators will screen the attacker before any payment is considered.
Data breach notification costs: under UK GDPR and the Data Protection Act 2018, you must notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to put individuals' rights and freedoms at risk, and tell the affected individuals themselves without undue delay where that risk is high. Breaches below the reporting threshold still have to be documented internally. That process costs real money: legal review, credit monitoring, postage, call centre time.
Business interruption covers lost revenue while your systems are down. Check the waiting period (often 8–12 hours before cover kicks in) and coverage duration (typically 30–90 days).
Legal defence costs — if customers sue you over a breach, defence is expensive even when you win.
Forensic investigation — determining exactly what happened requires specialist digital forensics. Even for small incidents this can cost thousands.
What cyber insurance doesn’t cover
Unencrypted devices are a common exclusion: if a stolen laptop wasn't encrypted, the resulting breach may not be covered. Known unpatched vulnerabilities are another: if the attacker came in through a flaw with a patch available that you hadn't applied within the timeframe your policy states, the insurer may deny the claim, so keep records of when patches were applied.
Social engineering and invoice fraud (an employee tricked into paying a fake invoice or changing a supplier's bank details) are among the most common losses for UK small businesses, yet they're often excluded from standard policies or only available as a paid add-on. Ask specifically about this. Employee data theft, a disgruntled employee walking out with your customer database, usually requires a separate crime or fidelity policy.
When comparing quotes, run this checklist: ransomware, breach notification, business interruption, social engineering, legal defence. The cheapest policy is usually the one with the most exclusions.
What insurers require before they’ll cover you
This surprises most first-time applicants. The application is a detailed security questionnaire, and failing it means no coverage or significantly higher premiums.
MFA is non-negotiable. Multi-factor authentication on business email, remote access, and cloud services is a baseline requirement at virtually every UK insurer. Expect the questionnaire to ask separately about admin accounts, remote access (VPN, RDP) and email; an app-based or hardware-key method is stronger than SMS codes and easier to defend at claim time.
Offsite backups, and they must be tested. "We have backups" isn't enough. "We have automated daily backups to [cloud service], last tested in [month/year]" is what they want. Ransomware operators look for backups they can reach from the compromised network, so at least one copy should be offline or immutable, meaning it cannot be deleted with the credentials that run the backup job.
Endpoint protection on all devices. Basic antivirus is no longer sufficient. Insurers look for EDR (Endpoint Detection and Response): software that actively monitors for suspicious behaviour, not just known malware signatures.
Additional requirements for higher-risk businesses include email filtering beyond the defaults of Google Workspace or Microsoft 365, a written incident response plan (a single page satisfies most insurers), and privileged access management: limiting who has administrator-level access and keeping admin accounts separate from the accounts people use day to day.
Sort these gaps before applying. They affect both approval and future claim validity.
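As an added illustration (not code from the article), here is one way to make "tested backups" mean something on the application form: a Python script that restores an archive into a scratch directory, compares every file's SHA-256 against a manifest taken at backup time, and records the outcome with a timestamp. The sample data tree, archive names and the deliberate tamper step are constructed for the demo; the same check applies to a cloud backup once the archive has been downloaded to a scratch location.

```python
"""Backup restore test: proves a backup restores, not just that it exists.
Added illustration; the data tree and archive names below are constructed."""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src into a .tar.gz; return the manifest to store alongside it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for name in manifest:
            tar.add(src / name, arcname=name)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and check every file against the manifest.
    The returned record is the evidence of the 'last tested' date."""
    result = {"tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "archive": str(archive), "ok": False,
              "missing": [], "corrupt": [], "unexpected": []}
    # The 'data' filter (Python 3.12+, backported to patch releases) refuses
    # entries that would write outside the scratch directory.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_kwargs)
        except Exception as exc:  # any failure to restore is a failed test
            result["error"] = f"restore failed: {type(exc).__name__}: {exc}"
            return result
        restored = build_manifest(Path(scratch))
        result["missing"] = sorted(set(manifest) - set(restored))
        result["unexpected"] = sorted(set(restored) - set(manifest))
        result["corrupt"] = sorted(n for n in manifest
                                   if n in restored and restored[n] != manifest[n])
    result["ok"] = not (result["missing"] or result["corrupt"] or result["unexpected"])
    return result


def run_demo() -> dict:
    """Constructed sample: a tiny business data tree, backed up, then restore-tested
    twice: once intact and once after the archive has been damaged on disk."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "accounts").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (src / "accounts" / "q1.xlsx").write_bytes(os.urandom(2048))
        archive = work / "backup-2026-01-01.tar.gz"  # hypothetical name
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)

        # The failure mode a restore test exists to catch: the file is still
        # there and still looks like a backup, but its contents are damaged.
        damaged = work / "backup-damaged.tar.gz"
        raw = bytearray(archive.read_bytes())
        raw[len(raw) // 2] ^= 0xFF  # flip one byte mid-stream
        damaged.write_bytes(raw)
        bad = verify_restore(damaged, manifest)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest somewhere the ransomware cannot reach (it is only useful if an attacker cannot rewrite it to match a tampered archive), and keep the returned records: a dated list of passed restore tests is exactly the evidence the questionnaire asks for.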
What cyber insurance costs in the UK
Sole trader / freelancer: £150–£400/year
5–20 employees: £400–£1,500/year
20–50 employees: £1,500–£5,000/year
What drives your premium up: higher revenue, handling health or payment card data, operating in healthcare, legal, or financial services, and weak security controls.
What brings your premium down: documented security controls (particularly Cyber Essentials certification, which UK insurers recognise and which, for organisations under the scheme's turnover threshold, comes with a basic cyber liability cover included), a clean claims history, and paying annually rather than monthly.
First-party vs third-party coverage
First-party coverage covers your own costs: ransomware payments, forensic investigation, business interruption, breach notification.
Third-party coverage covers costs when someone else is affected: if a customer sues you over their compromised data, legal defence and compensation are third-party costs.
Most SMB policies include both. Confirm before purchasing — a policy covering only one type leaves meaningful gaps.
Where to get a quote in the UK
Hiscox has an online quote tool specifically for small businesses and is one of the most established cyber insurers in the UK market. AXA and Markel are both strong for professional services. CFC Underwriting specialises in cyber and is worth a look.
Working with an independent broker who approaches multiple insurers is genuinely worth the effort — they can present your security controls in the best light and explain exclusions before you buy, not after you need to claim.
Bottom line
Cyber insurance sits on top of solid security hygiene — not instead of it. Close the security gaps (MFA, tested backups, endpoint protection) before applying, then get at least two quotes from specialist brokers. Compare coverage, not just price. A good policy on top of strong controls is one of the better risk management decisions a UK small business can make.