What a cyber insurance policy typically covers
Cyber policies generally split into first-party cover — your own costs following an incident — and third-party liability cover for claims made against you by affected clients or data subjects. First-party cover typically includes forensic investigation, crisis management and public relations, data restoration, business interruption from system downtime, and the costs of notifying affected individuals. Third-party cover responds to compensation claims and regulatory defence costs arising from a breach of personal data you held.
The GDPR dimension for UK businesses
Under UK GDPR, a personal data breach may need to be reported to the Information Commissioner's Office within 72 hours of you becoming aware of it. Many cyber insurers provide access to a breach response team as soon as you notify them, helping you assess severity, draft notifications, and manage the regulatory process. Legal penalties are not insurable in the UK, but the legal costs of defending an ICO investigation or responding to a subject access request following a breach can be substantial, and these are typically covered.
Ransomware: the most costly current threat
Ransomware attacks, where criminals encrypt your systems and demand payment to restore access, are the cyber event that UK SMEs most commonly claim for. Policy responses vary: some insurers cover the ransom payment itself (subject to conditions including notification to law enforcement), others do not. The costs of system restoration and lost trading during downtime are more consistently covered. Read the ransomware clause specifically and discuss the exclusions with your broker before binding cover.
Is it relevant to lenders and creditors?
Commercial lenders are beginning to ask about cyber resilience as part of their due diligence on technology-dependent businesses, particularly those handling client data or running e-commerce operations. A serious cyber incident that destroys customer trust or triggers regulatory sanctions can impair revenue and debt-servicing capacity rapidly. Some invoice finance providers also consider cyber risk when assessing the quality of a debtor ledger held digitally.
Frequently asked questions
Does standard business insurance cover a cyber attack?
Generally no. Standard commercial combined policies are designed for physical risks. Some policies include a small cyber extension, but the limits are usually too low for a meaningful incident. A standalone cyber policy provides materially broader and higher-limit cover.
What steps can we take to reduce cyber insurance premiums?
Underwriters assess your cyber hygiene — multi-factor authentication, patched software, staff training, incident response plans, and regular backups stored offline. Demonstrating robust controls, often via a short questionnaire or Cyber Essentials certification, can positively influence premiums and the breadth of available cover.