Cyber Insurance for Small Businesses - What It Really Covers (and Why Security Still Comes First)
Cyber insurance is often sold as peace of mind.
“If something goes wrong, insurance will sort it.”
And while cyber insurance can be incredibly valuable, many small businesses only discover the limitations after an incident - when a claim is delayed, reduced, or refused entirely.
Here’s what cyber insurance really does, how pricing works, and why your security setup (and Cyber Essentials) matters more than most people realise.
What Does Cyber Insurance Actually Cover?
At its core, cyber insurance is designed to help your business recover after a cyber incident, not prevent one.
Most small business cyber policies typically cover:
✔ Incident response & professional support
- IT forensic investigations
- Legal advice and breach management
- Customer and ICO notification support
- PR and reputation management costs
✔ Business interruption
If systems are down, policies often cover:
- Lost revenue
- Extra costs to keep trading while you recover
✔ Ransomware & cyber extortion
Some policies include:
- Specialist negotiators
- Ransom payments (often capped)
- Recovery and system rebuild costs
✔ Data breach liabilities
- Legal defence costs
- Compensation claims
- Regulatory investigations
Sounds reassuring - but this cover is conditional.
Insurers expect you to have taken reasonable steps to protect your business first.
What Cyber Insurance Often Doesn’t Cover
This is where expectations and reality often part company.
Claims may be reduced or rejected if:
- MFA wasn’t enabled on email or admin accounts
- Devices were unsupported or unpatched
- Backups weren’t properly configured or tested
- Security controls were overstated on the application
In simple terms:
If your security posture doesn’t match what you told the insurer, they can decline the claim.
How Much Does Cyber Insurance Cost?
Cyber insurance pricing is becoming increasingly risk-based, especially for small businesses.
Typical UK SMB annual premiums (indicative):
- 1–10 users: £250 – £750
- 10–50 users: £750 – £2,500
- Higher-risk sectors: £3,000+
What makes the difference isn’t company size alone - it’s security maturity.
Why Security Directly Affects Your Premium
Insurers now price cyber insurance much like car insurance:
- Better controls = lower risk = lower premiums
- Poor controls = higher premiums or exclusions
- Some insurers simply won’t quote without minimum security standards
Common factors insurers look at include:
- MFA enforced on Microsoft 365
- Patch management and supported devices
- Central device management
- Reliable, restorable backups
- User security awareness
This is where Cyber Essentials becomes extremely relevant.
Cyber Essentials: More Than a Tick Box
Cyber Essentials aligns almost perfectly with what insurers want to see.
It demonstrates that your business:
- Protects against common cyber attacks
- Manages users, devices and access properly
- Has baseline cyber hygiene in place
Many insurers:
- Ask whether you’re Cyber Essentials certified
- Offer improved terms or lower premiums if you are
- Use it as supporting evidence during claims reviews
Put simply:
Cyber Essentials doesn’t replace insurance - it makes insurance work properly.
❌ Common Cyber Insurance Myths (Quickly Debunked)
“Cyber insurance replaces good security.”
No - insurers expect good security first.
“Ransomware is always covered.”
Not always. Many policies cap or exclude ransom payments.
“We’re too small to be targeted.”
Small businesses are often targeted because they’re perceived as easier to compromise.
“General business insurance already covers this.”
Standard policies rarely cover data breaches, ransomware, or recovery costs.
🧠 The Smarter Way to Think About Cyber Insurance
Cyber insurance should be treated like fire insurance.
It’s there to help when something goes wrong - but only if you’ve installed the smoke alarms first.
The most resilient small businesses:
- Get the security basics right (MFA, patching, backups)
- Achieve Cyber Essentials certification
- Choose insurance that reflects real risks
- Review both security and cover annually
How We Can Help
We help small businesses:
- Prepare for cyber insurance applications and renewals
- Align security controls with insurer expectations
- Achieve Cyber Essentials (and Plus where required)
- Reduce premiums by improving security posture
If you’d like a quick sense-check of your current setup — or your insurance assumptions — we’re happy to help.