Cyber Essentials and Cyber Insurance: What You Need to Know

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

What Is Cyber Insurance?

Cyber insurance is a specialist policy that covers the financial losses and costs a business incurs following a cyberattack or data breach. Standard business insurance policies do not cover cyber incidents. As attacks become more frequent and more costly, cyber insurance has moved from a niche product to an essential consideration for UK SMEs of all sizes.

UK SME premiums typically range from £1,000 to £5,000 per year depending on revenue, sector, and the strength of existing security controls. Businesses in high-risk sectors such as legal, financial services, or healthcare will pay more — and will face stricter requirements from insurers.

What Cyber Insurance Covers

Incident Response Costs

When a breach occurs, specialist help is needed immediately. Cyber policies typically cover the cost of forensic investigators to identify what happened, legal advisors to manage notification obligations under UK GDPR, and public relations support to manage reputational damage. These costs can reach tens of thousands of pounds within the first 48 hours of a serious incident.

Ransom Payments

Many policies include coverage for ransomware payments, though this is an area of ongoing debate and insurers are increasingly scrutinising claims in this category. Policies typically require the payment to be a genuine last resort and for certain security controls to have been in place.

Regulatory Fines and Legal Liability

Under UK GDPR, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover for serious data breaches. Cyber policies can provide coverage for legal defence costs and, subject to policy terms, some regulatory penalties. Third-party liability cover protects against claims from customers or partners whose data was exposed.

Business Interruption

If a ransomware attack or system failure prevents your business from trading, the resulting lost revenue can be covered. Business interruption cover is often the most significant element of a cyber claim for SMEs. Policies typically have a waiting period of 8 to 12 hours before cover begins.

What Insurers Require Before Providing Cover

The cyber insurance market has hardened significantly since 2021. Insurers now conduct detailed security assessments before offering terms, and many require evidence of specific controls:

  • Cyber Essentials or Cyber Essentials Plus certification — increasingly a baseline requirement
  • Multi-factor authentication (MFA) on all remote access, email, and cloud services — non-negotiable for most insurers
  • Tested offsite backup — insurers want evidence that you can recover without paying ransom
  • Endpoint detection and response (EDR) on all devices
  • Patch management — evidence that critical vulnerabilities are remediated promptly
  • Staff security awareness training — documented training programme

Businesses that cannot demonstrate these controls may be declined cover, offered significantly higher premiums, or find that claims are rejected on the basis of inadequate security controls at the time of the incident.

How AMVIA Helps Businesses Become Insurable

AMVIA works with UK SMEs to implement the technical controls that cyber insurers require. We can help you achieve Cyber Essentials certification, deploy MFA and managed EDR, establish a backup and recovery process, and provide documented security awareness training — all of which directly improve your insurability and reduce your premium. Our team can work alongside your insurance broker to provide the evidence insurers need during the underwriting process.

Key Considerations

  • Assess your current position and identify gaps
  • Understand relevant UK regulations and standards
  • Implement appropriate technical controls
  • Train staff on security awareness
  • Review and update regularly
  • Consider managed service options for specialist areas

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.
