Cyber insurance has moved, in the space of five years, from a specialist product that few small businesses had heard of to something that clients, partners, and regulators increasingly expect to see evidence of. At the same time, the market has hardened significantly: premiums have risen, underwriting requirements have become more stringent, and exclusion clauses have expanded to carve out scenarios that policyholders assumed were covered.
This guide explains what UK cyber insurers are currently looking for, what the common exclusions mean in practice, and how demonstrable security controls affect both your ability to obtain cover and your ability to make a successful claim.
What Cyber Insurance Covers
Cyber insurance policies vary considerably between insurers, but most UK SMB policies include some combination of the following coverage areas:
- First-party costs: Your own costs arising from an incident — forensic investigation, system recovery, data restoration, business interruption losses, and crisis communications.
- Regulatory defence: Legal costs and fines arising from regulatory action — most commonly ICO investigation and enforcement for GDPR breaches.
- Third-party liability: Claims from clients, suppliers, or other third parties whose data was compromised or whose operations were disrupted as a result of an incident originating in your systems.
- Ransomware and cyber extortion: Costs associated with a ransomware attack, including recovery costs, negotiation services, and ransom payments where the insurer agrees payment is appropriate. Note that no insurer will fund a payment to a sanctioned entity, and the policy will normally require sanctions screening before any payment is considered.
- Business email compromise: Financial losses arising from fraudulent payment instructions. This coverage is increasingly subject to sub-limits and specific conditions.
What the Underwriting Questions Are Actually Asking
The application process for cyber insurance has become considerably more rigorous. Where early policies asked little more than "do you have antivirus?", current underwriting questionnaires probe your security controls in detail. Understanding what these questions are actually assessing helps you answer them accurately and improve the controls that matter most to insurers.
Multi-factor authentication
Almost every current cyber policy asks whether MFA is in place, specifically on email, VPN and remote access, and privileged or administrative accounts. Insurers' claims data consistently put credential phishing and password reuse among the most common initial access routes, and MFA is the single most effective control against them. A "no" here is likely to mean declined cover, a materially higher premium, or cover made conditional on an MFA warranty. Either way, the answer is a binding statement the insurer can test after a claim, not a tick box.
Endpoint detection and response
Insurers increasingly distinguish between traditional antivirus and modern EDR (Endpoint Detection and Response) tools. Antivirus blocks known malware by signature. EDR records process, file and network activity on the endpoint, detects malicious behaviour (including novel malware and living-off-the-land abuse of legitimate administrative tools that no signature will match), and allows a compromised host to be isolated remotely. The distinction matters to insurers because it is a proxy for how likely an intrusion is to become a claim and how large that claim will be: an intrusion caught at the first endpoint costs far less than one discovered at the point of encryption.
Security monitoring and logging
"Do you have 24/7 security monitoring?" is now a standard underwriting question for policies above a certain limit of indemnity. What the insurer wants is evidence of continuous monitoring with a human response: not "we have antivirus" but "logs from our endpoints, identity provider and email platform are collected centrally, a named analyst or service reviews the alerts around the clock, and we receive monthly security reports". Being able to demonstrate this has a measurable impact on both premium and terms, and it also shortens the forensic timeline if you ever have to make a claim.
Patch management
Policies increasingly include warranty clauses requiring that critical patches are applied within a specified window, commonly somewhere between 14 and 30 days of release. A claim arising from exploitation of a vulnerability whose patch had been available for longer than that window can be disputed by the insurer on the basis that the policyholder breached the warranty, so both the vendor release date and your deployment date need to be recorded, not just the fact that patching "is automatic". Cyber Essentials requires that critical and high-severity updates are applied within 14 days of release, and certification therefore provides documented evidence of a patch management process that satisfies most insurers' windows.
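The warranty check an insurer would run after a claim is simple to reproduce yourself, and doing so regularly is the cheapest evidence you can keep. The following script is an added example written for this guide (it is not code from any insurer, scanner or certification body). It assumes a 14-day window to match Cyber Essentials, treats only critical and high findings as in scope, and works over a constructed list of sample findings with synthetic identifiers; in practice you would load the same fields from your vulnerability scanner's export. The edge case it handles is a patch that is still outstanding, which is measured against the report date rather than silently ignored.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed warranty window: Cyber Essentials requires critical/high fixes
# within 14 days of release. Commercial policies may use 14 or 30 days.
WARRANTY_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = ("critical", "high")


@dataclass(frozen=True)
class PatchRecord:
    finding: str             # identifier as exported by the scanner
    severity: str            # "critical", "high", "medium", "low"
    released: date           # date the vendor published the fix
    applied: Optional[date]  # date the fix was deployed, None if outstanding


# Constructed sample data with synthetic identifiers (not real CVEs).
AS_OF = date(2024, 6, 30)
SAMPLE_RECORDS = [
    PatchRecord("SAMPLE-1", "critical", date(2024, 6, 1), date(2024, 6, 10)),
    PatchRecord("SAMPLE-2", "critical", date(2024, 5, 1), date(2024, 6, 5)),
    PatchRecord("SAMPLE-3", "high", date(2024, 6, 20), None),
    PatchRecord("SAMPLE-4", "high", date(2024, 5, 20), None),
    PatchRecord("SAMPLE-5", "medium", date(2024, 1, 1), None),
]


def days_exposed(rec: PatchRecord, as_of: date) -> int:
    """Days between the fix being available and it being deployed.

    An outstanding patch is still exposed, so it is measured up to as_of.
    A deployment date earlier than the release date (e.g. a vendor
    backport recorded against a later advisory) is clamped to zero.
    """
    end = rec.applied if rec.applied is not None else as_of
    return max((end - rec.released).days, 0)


def warranty_breaches(
    records: List[PatchRecord],
    as_of: date,
    window_days: int = WARRANTY_WINDOW_DAYS,
) -> List[Tuple[str, int, str]]:
    """Return (finding, days_exposed, status) for every in-scope finding
    that exceeded the warranty window, worst first."""
    breaches = []
    for rec in records:
        if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
            continue
        exposed = days_exposed(rec, as_of)
        if exposed > window_days:
            status = "outstanding" if rec.applied is None else "applied late"
            breaches.append((rec.finding, exposed, status))
    return sorted(breaches, key=lambda b: b[1], reverse=True)


def compliance_summary(
    records: List[PatchRecord],
    as_of: date,
    window_days: int = WARRANTY_WINDOW_DAYS,
) -> dict:
    """Headline figures suitable for a monthly report or a claim file."""
    in_scope = [r for r in records if r.severity.lower() in IN_SCOPE_SEVERITIES]
    breaches = warranty_breaches(records, as_of, window_days)
    compliant = len(in_scope) - len(breaches)
    pct = round(100.0 * compliant / len(in_scope), 1) if in_scope else 100.0
    return {
        "as_of": as_of.isoformat(),
        "window_days": window_days,
        "in_scope": len(in_scope),
        "breaches": len(breaches),
        "compliant_pct": pct,
    }


if __name__ == "__main__":
    print(compliance_summary(SAMPLE_RECORDS, AS_OF))
    for finding, days, status in warranty_breaches(SAMPLE_RECORDS, AS_OF):
        print(f"{finding}: {days} days exposed ({status})")
```

Keep the monthly output alongside the scanner export it was generated from; a claims adjuster will want the raw dates, not just the percentage. If your policy wording uses a different window, change the one constant rather than the logic.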
The Most Important Exclusions
Understanding what your policy doesn't cover is at least as important as understanding what it does.
Inadequate security controls
Most policies contain a warranty clause requiring the policyholder to maintain the security controls declared in the application. If a claim arises from a breach that exploited a control you said you had but did not, or that you had but allowed to lapse (MFA switched off for a "temporary" service account, an EDR agent uninstalled from a legacy server), the insurer has grounds to reduce or decline the claim. This is not theoretical: insurers have declined claims on exactly this basis, so every questionnaire answer should be treated as a statement the business will have to evidence after an incident, and re-checked at each renewal.
War and nation-state exclusions
Many policies exclude losses from attacks attributed to nation-state actors, and since 2023 the Lloyd's market has required standalone cyber policies to carry a state-backed cyber attack exclusion. How attribution is established, who establishes it, and how "state-backed" is defined vary between wordings and have been the subject of significant litigation. For organisations in sectors that attract nation-state attention, such as the defence supply chain, critical infrastructure, and healthcare, this exclusion warrants specific legal advice before the policy is signed rather than after a loss.
Social engineering sub-limits
Business email compromise and social engineering fraud are frequently subject to sub-limits significantly lower than the main policy limit, and to conditions that many organisations do not have in place, most commonly a requirement to verify any new or changed payment instruction by telephone using a number already held on file, never one supplied in the email itself. If that verification step is a condition of cover and it was skipped, the sub-limit may not be paid at all. Read the social engineering section of your policy carefully and make the verification step part of the finance team's written procedure.
How the Government-Backed Scheme Works
Organisations that achieve Cyber Essentials certification are eligible for the cyber liability insurance included with the certification, which is arranged through IASME, the NCSC's Cyber Essentials delivery partner. The cover is opted into at the point of certification rather than granted automatically, and eligibility currently requires that the organisation is domiciled in the UK, has an annual turnover under £20 million, and has certified the whole organisation rather than a subset of it. The limit of indemnity is modest (currently £25,000) and the cover is designed to be appropriate for the risk profile of organisations that have implemented the five Cyber Essentials controls.
For many small businesses, this represents a considerably more straightforward path to a baseline of cyber insurance than navigating the commercial market, with the added benefit that the coverage is aligned to the controls you have already demonstrated having in place. Organisations that need cover beyond that limit will still go to the commercial market, where the same certification evidence answers a large part of the underwriting questionnaire.
Further Reading
- Cyber Essentials Certification: The Complete Guide for UK Small Businesses
- What Does a Data Breach Actually Cost a Small UK Business?
- Ransomware and Small UK Businesses: What You Actually Need to Know
- Multi-Factor Authentication: How to Actually Roll It Out Across Your Business
- View SOC in a Box pricing
Certification and Insurance. Included.
Every SOC in a Box deployment includes Cyber Essentials certification consulting and, on successful certification, activation of the government-backed Cyber Liability Insurance — all included in your monthly fee. No separate insurer. No separate application. One monthly payment covers the monitoring, the certification, and the insurance.
Get a quote