If you’re running a business, you need to have cyber insurance in your toolkit. This kind of coverage can help you deal with the aftermath of data breaches, security failures, or any other nasty stuff that cybercriminals might throw your way. And let’s face it, cyberattacks can be a real headache – they can cost you a lot of time and money to fix. So, whether you’re a small startup or a big corporation, cyber insurance can help you absorb the financial impact and manage the risks of the digital age. Insurance won’t stop an attack, but it can make the recovery survivable. Reinsurance expert Torsten Jeworrek says:

“Cyber insurance is fundamental for the successful digitalisation of the economy.”


Applying for cyber insurance? You might have to spill the beans about your security setup. That means all the technical, procedural, and human controls that keep your business safe from attackers. Gathering that information might mean talking to a number of people across your company, or even bringing in outside IT specialists. Here’s the thing: you need to figure out what’s most valuable to your business – what are your crown jewels? Also, think about the worst-case scenarios you absolutely can’t afford. Don’t just settle for the bare minimum security standards that your insurance company asks you to meet. Take a closer look and make sure you’re protecting what matters most to you. Luckily, the NCSC has published guidance on managing cyber risk, so you’re not flying blind.


If your organisation already has strong cyber security defences, you may be able to secure a discount on your insurance premium. So, make sure you let your insurance broker know if you hold certifications such as Cyber Essentials or Cyber Essentials Plus. These schemes aren’t just about saving you money, though. They also show your customers, partners and suppliers that you’re serious about protecting their data.


If you’ve already got Cyber Essentials certification, you might be eligible for cyber liability insurance from the IASME Consortium. But just because they offer it doesn’t mean it’s the right fit for your business. Be sure to check the details and ask questions to make sure the insurance meets your needs. As a rule of thumb, if your business has a turnover under £20 million and achieves self-assessed certification covering the whole organisation to either the basic level of Cyber Essentials or the IASME Standard, you’ll get a £25,000 limit of indemnity. Unfortunately, that’s only enough to cover a small data breach and won’t cover you for a serious incident.


Before buying cyber insurance, it’s important to understand how crucial your organisation’s data, systems, and devices are to your operations, so that you can get the right amount of coverage. Make sure you know exactly what the policy covers and what’s excluded. For example, some policies won’t cover losses due to business email compromise (BEC) fraud. This is just one example of a common incident that a standard cyber insurance policy may not cover. If this is a concern for you, check that your policy covers it. Keep in mind that cyberattacks are always evolving, and you may become a victim of a new type of attack that didn’t exist when you took out the policy. Check with your broker whether you’d be covered for a new type of cyberattack that your current policy doesn’t explicitly name.


  • Consider whether the cyber insurance policy covers claims for compensation by third parties, or loss of personal data due to a data breach.
  • Check the limits of the policy and ensure they are appropriate for your organisation.
  • Find out what services the insurer provides in the immediate response to an incident, to help manage recovery and improve resilience.
  • Ensure that your organisation can learn from what went wrong and adapt to be stronger in the future.


According to the 2022 Verizon Data Breach Investigations Report, ransomware was present in 25% of all breaches. IBM has reported that the average ransomware payment is around £700,000 for companies who opt to pay. Payments can be far larger: in June 2021 the meat-processing vendor JBS USA was hit by an attack and reportedly paid $11 million in ransom to criminals using the REvil ransomware. As a result, insurers can be wary about covering ransomware, or might offer it only at a premium price. Josephine Wolff, a Professor of Cybersecurity Policy at Tufts University in Massachusetts, says of the rise in ransomware:

“Policyholders started filing a lot more ransom claims, and the insurers were making a lot less money – and they were worried that they would even start losing money. I definitely think that having insurance coverage for ransom payments changes the calculus for companies deciding whether or not to pay. It’s the difference between, ‘Am I going to be out of this money myself, or am I going to file a claim with my insurer and have them cover most or all of it?’”


Some insurers offer additional services that can be really helpful if your organisation experiences a cyber security incident. These could include IT forensic services, legal assistance, or public relations support. They may even connect you with their own in-house cyber incident response team, or a third-party Cyber Incident Response (CIR) organisation. The NCSC has also published guidance on Incident Management that can help you plan and build an effective cyber incident response capability. When it comes to actually dealing with the impact of a cyberattack, most cyber insurance policies focus on restoring your network, systems and data as quickly as possible, while minimising losses due to business interruption. If any legal action arises from a data breach, your policy should help cover the costs of defence and settlement. Some policies also cover other types of cyber-related incident, such as computer-enabled fraud.


Most cyber insurance policies are renewed annually, so it’s up to you to keep your organisation’s cyber security details accurate and up to date. Insurers need to know what security measures you’ve got in place and any other relevant information. And if your situation changes, for example if you add new technology or software, you need to let your insurer know so that you stay covered. If you tell your insurer you’ve got security measures in place when you don’t, they may refuse to pay out on a claim if something goes wrong. Honesty is the best policy, so always be upfront about your cyber security.


As a cybersecurity expert with more than 20 years of experience supporting the IT of London-based SMEs, I understand the importance of robust cybersecurity and best-practice cyber hygiene. If you are looking to become Cyber Essentials certified or need advice on taking out cyber insurance, look no further. I can provide you with as much support and guidance as you need. Let’s get together soon and get your data and your business safe and secure.
