Cyber insurance has become an integral part of business resilience. For UK SMEs, a cyber incident can quickly become more than an IT problem. It can stop people working, delay customer service, disrupt cash flow and create legal or reputational issues.
The latest UK Government Cyber Security Breaches Survey found that 43% of businesses reported a cyber security breach or attack in the previous 12 months, which equates to around 612,000 UK businesses. That does not mean every incident was severe, but it does show how common cyber risk has become.
Cyber insurance can help organisations recover by providing financial cover and access to specialist support. But having a policy is not the same as being properly protected. Cover varies, and many businesses only discover the gaps when they need to make a claim.
Why cyber insurance is important
A serious cyber incident can lead to liability, downtime, lost income, data breach response costs, legal costs, forensic investigation and the need to notify clients, suppliers or regulators. For an SME, those costs can be difficult to absorb without support.
The Association of British Insurers says cyber insurance may cover first party losses, such as theft of funds, theft of data and damage to digital assets, as well as third party losses, such as litigation, regulatory investigation costs and compensation payments.
Just as importantly, many policies include access to experts who can help in the first hours of an incident, including cyber specialists, legal advisers, ransomware negotiators, PR support and forensic investigators. When systems are down and decisions need to be made quickly, that guidance can be extremely valuable.

Real UK incidents show why cover matters
The British Library’s 2023 cyber attack is a useful reminder that recovery is not always quick or simple. Its own incident review explained that some major software systems could not simply be restored as they were, partly because some were no longer supported or would not work on the new secure infrastructure being introduced.
Capita’s 2023 cyber incident also shows how cyber attacks can create long-term consequences. In 2025, the Information Commissioner’s Office fined Capita a combined £14 million after personal data was stolen during the attack, affecting millions of people.
Marks & Spencer has also shown the value of insurance in a major cyber incident. In its 2025 half year results, M&S reported £101.6 million of incident-related costs, with the impact partly mitigated by £100 million of insurance proceeds.
Most SMEs will not face incidents on that scale, but the lesson is still relevant. Smaller organisations often have less capacity to absorb lost revenue, recovery costs and reputational damage.
What should your cyber insurance policy include?
Cyber insurance policies are not all the same, so it is important to look beyond the headline cover amount. A sensible review should ask what would actually happen if your organisation suffered an attack tomorrow.
Areas to check include:
- 📉 Business interruption cover, including whether it applies not only when your own systems are unavailable, but also when third party platforms or software that you rely upon are hit. Will the policy pay for lost custom due to reputational harm suffered in a cyber event? Are you protected for lost or missed bids? It’s also possible to insure against loss you suffer because a key supplier or customer suffers a cyber attack and stops supplying you or buying from you.
- 🚨 Incident response support, including 24/7 access to forensics specialists, legal advisers, ransomware negotiators and crisis communications support.
- 🔓 Data breach costs, including notification expenses, legal fees and regulatory response.
- 💻 Ransomware and cyber extortion cover: will your insurer pay costs on your behalf, or are you expected to pay first and recover later? The difference can place huge stress on your cash flow.
- 💸 Social engineering and funds transfer fraud: will the policy pay for funds transfer frauds, invoice manipulation and delivery diversion fraud?
It is also worth checking whether your policy reflects how your organisation works today. For example, does it cover your reliance upon Microsoft 365, cloud platforms, remote working, mobile devices and outsourced IT arrangements?
This is where it can help to involve both your IT partner and your insurance adviser. Partners& describes cyber insurance and cyber risk management as vital for businesses of all sizes, with advisers helping organisations understand their exposure and build protection that reflects their circumstances. That joined-up view matters, because your cyber security controls and your insurance cover should ideally align with each other for maximum effect.
Common pitfalls to avoid
One of the biggest mistakes is assuming cyber cover is automatically included in another business insurance policy. The National Cyber Security Centre advises organisations to check whether they already have cyber insurance through existing policies, such as business interruption or property insurance, because these may provide very limited cover or specifically exclude cyber incidents.
Another common issue is not meeting the insurer’s security requirements. A policy may expect controls such as multi-factor authentication, regular patching, backups, staff training or endpoint protection. If those controls are not in place, it could affect a claim.
The most common pitfalls include:
- renewing the same policy each year without checking whether the business has changed
- choosing cover based only on price or headline limit
- failing to understand exclusions
- not knowing who to call first during an incident – most cyber policies require you to notify insurers immediately so that help can be provided quickly
- assuming insurance will pay out even if required security controls are missing
Cyber insurance should support good cyber security, not replace it.

Make sure your cyber insurance matches your risk
Cyber insurance should be reviewed at least annually, and whenever your organisation changes significantly. That might include moving more systems to the cloud, adopting new software, growing headcount, changing payment processes or handling more sensitive data.
A good review should involve your leadership team, finance lead, insurance broker and IT partner. Partners& highlights the importance of understanding what cyber risk looks like in both your industry and your organisation, which is exactly the right starting point. The aim is not just to renew a policy, but to make sure your insurance, security controls and incident response plans all work together.
ramsac helps organisations strengthen their cyber resilience, understand their IT risks and put the right safeguards in place. If you are reviewing your cyber insurance, our team can help you assess whether your current cyber security controls support your policy requirements and your wider business resilience plans.
ramsac and Partners&

We are very proud to be partnering with Partners& to bring specialist insurance advice to our clients. Partners& is a next-generation insurance advisory business. With access to specialist cyber insurers, Partners& helps organisations map the risks facing their business and implement practices that protect the organisation. Providing a seamless approach to risk management, insurance and claims ensures organisations receive the most effective protection.
Review your cyber insurance with confidence
Make sure your cover reflects the real risks your organisation faces and that your security controls support your policy requirements. ramsac can help you assess both, so you’re protected when it matters most.
Cyber Insurance – FAQs
SMEs should seriously consider cyber insurance because a cyber incident can create recovery costs, downtime, legal issues and reputational damage. Smaller organisations may find these costs harder to absorb.
No. Cyber insurance helps with recovery after an incident, but it does not stop attacks from happening. Insurers may also expect specific cyber security controls to be in place.
Check business interruption cover, incident response support, data breach costs, ransomware cover, exclusions, supplier-related incidents and any security requirements you must meet.
Cyber insurance should be reviewed at least once a year and whenever your organisation changes its systems, suppliers, working practices or data handling.









