You probably have insurance for your premises, your vehicles, and your equipment. But what about your data, your systems, and your reputation? Here's what you need to know about cyber insurance — and why getting it wrong could be just as costly as not having it at all.


The number of small businesses buying cyber insurance is rising fast. According to the UK government's Cyber Security Breaches Survey 2025, 62% of small businesses now have some form of cyber insurance — up from just 49% the year before. Across the EU, the picture is more concerning: research by broker Howden found that more than 70% of businesses across Europe's four largest economies remain completely uninsured against cyber risk. That's a significant gap, and it reflects something most business owners are starting to realise too late: a cyberattack isn't a question of if, it's a question of when.

But here's the part most people don't talk about: having a policy and actually being covered when something goes wrong are two very different things. More on that shortly.

So, What Is Cyber Insurance?

Cyber insurance is a policy designed to cover your business for the financial fallout of a cyberattack or data breach. Depending on the policy, it can cover:

Some policies also cover third-party liability — meaning if a breach at your business causes harm to a client or supplier, you're protected there too.

There are two main types of cover. First-party cover protects your own business directly. Third-party cover protects you against claims made by others affected by a breach. Many policies now bundle both, but it's always worth checking exactly what's included.

Do Small Businesses Really Get Targeted?

This is the most common misconception we hear. The assumption that cybercriminals only go after large companies is simply wrong — and increasingly dangerous to believe.

42% of UK small businesses experienced a breach or attack in 2025, according to government data. For medium-sized businesses, the figure jumps to 67%. Across the EU, Howden's research found that 49% of businesses in Germany, France, Italy, and Spain reported at least one attack between 2020 and 2025.

Small businesses are often targeted precisely because they're seen as easier. They typically have weaker security controls, less dedicated IT resource, and are less likely to have formal incident response plans. Cybercriminals know this — and ENISA's 2025 Threat Landscape report, which analysed nearly 4,900 incidents across the EU, confirms that SMEs are increasingly high-value targets as criminal ecosystems professionalise and lower the barriers to launching attacks.

Phishing remains the most common attack vector by a significant margin: the UK's 2025 Cyber Security Breaches Survey found it was involved in 93% of the cyber breaches businesses reported. In the EU, ENISA found that 81% of cybercrime incidents targeting European organisations involved ransomware. The two figures measure different things (the way in, versus what the attacker does once inside), and the second very often starts with the first. It doesn't require sophisticated hacking. It just requires one person in your team to click the wrong link.

What Does a Claim Actually Cost?

The average cost of a cyber incident for UK small businesses sits between £1,600 and £3,500 for the most disruptive events, according to government data. That might sound manageable — but that figure covers the immediate financial loss only. It doesn't account for the full picture.

Factor in investigation costs, legal fees, customer notification, potential GDPR fines, and the business you lose while your systems are down, and the real number is considerably higher. For medium-sized businesses, a serious incident can reach into six figures. At the EU level, the scale is stark: cyberattacks cost businesses in Germany, France, Italy, and Spain a combined €307 billion between 2020 and 2025, according to Howden's research. Howden's modelling also found that improved cyber hygiene and wider insurance adoption could have prevented €204 billion of those losses.

Howden's country figures for EU businesses are lower still: only 22% of Italian companies hold cyber insurance, rising to 29% in France, Germany, and Spain. The UK sits higher at 39% on the same measure (the government survey quoted above puts small-business uptake at 62%, so the two studies plainly count different things). Either way, most businesses remain exposed. Research also suggests 29% of small businesses that suffer a data breach lose customers permanently as a result. That's not a cost that shows up on an invoice, but it's very real.

The Part Nobody Tells You: Claims Are Being Denied

Here's where things get uncomfortable — and where we'd be doing you a disservice if we didn't address it directly.

Having a cyber insurance policy does not guarantee you'll be paid out when you make a claim. Industry data from 2024 and 2025 shows that somewhere between 25% and 40% of cyber insurance claims are being rejected. The most common reasons:

Failing to have the right controls in place

Insurers are increasingly specific about what they require: multi-factor authentication (MFA), endpoint protection, regular patching, documented security policies. If you said "yes" to having these on your application but they weren't properly implemented when the incident happened, the insurer can deny your claim. Expect them to check: the forensic investigation after an incident will show whether MFA was actually enforced on the compromised account, not just whether it was available in a settings page. Failure to maintain MFA alone accounts for 37% of denied claims, according to industry reporting.
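As an added example (not material from the article, and not any insurer's checklist), here is a small Python script that turns "did you actually have the control?" into evidence. It reads constructed identity-provider and endpoint exports and reports which typical questionnaire statements you could truthfully answer "yes" to today. The export field names (`mfa`, `admin`, `last_login`, `edr`, `last_patched`), the 30-day patching SLA and the 90-day dormant-account threshold are all assumptions; substitute the real exports and the SLAs you attested to.

```python
"""
Evidence check for the control questions insurers commonly ask.

Added example, not code from the article or from any insurer. The user and
endpoint records below are constructed inline; in practice you would export
them from your identity provider, EDR/MDM console and patch tool, and the
field names used here are assumptions about what such an export contains.
"""
from datetime import date, timedelta

# Constructed identity-provider export (field names are assumptions).
USERS = [
    {"user": "alice@example.com",      "mfa": True,  "admin": True,  "last_login": "2026-01-20"},
    {"user": "bob@example.com",        "mfa": False, "admin": False, "last_login": "2026-01-22"},
    {"user": "svc-backup@example.com", "mfa": False, "admin": True,  "last_login": "2025-06-01"},
    {"user": "carol@example.com",      "mfa": True,  "admin": False, "last_login": "2025-03-02"},
]

# Constructed endpoint inventory: is the EDR agent installed, when was it last patched?
ENDPOINTS = [
    {"host": "LAPTOP-01", "edr": True,  "last_patched": "2026-01-18"},
    {"host": "LAPTOP-02", "edr": False, "last_patched": "2026-01-10"},
    {"host": "FILESRV-1", "edr": True,  "last_patched": "2025-09-30"},
]

AS_OF = date(2026, 1, 25)            # report date (constructed)
MAX_PATCH_AGE = timedelta(days=30)   # assumption: the patching SLA you attested to
MAX_DORMANT = timedelta(days=90)     # assumption: threshold for a dormant account


def _age(iso_day: str, as_of: date) -> timedelta:
    """Days between an ISO date string in the export and the report date."""
    return as_of - date.fromisoformat(iso_day)


def mfa_gaps(users):
    """Every account without MFA contradicts a 'yes' to 'MFA enforced for all users?'."""
    return sorted(u["user"] for u in users if not u["mfa"])


def privileged_without_mfa(users):
    """Admin accounts without MFA: the gap most likely to appear in a denial letter."""
    return sorted(u["user"] for u in users if u["admin"] and not u["mfa"])


def dormant_accounts(users, as_of=AS_OF, max_dormant=MAX_DORMANT):
    """Accounts nobody has used within the dormancy threshold."""
    return sorted(u["user"] for u in users if _age(u["last_login"], as_of) > max_dormant)


def endpoints_without_edr(endpoints):
    """Hosts with no endpoint protection agent."""
    return sorted(e["host"] for e in endpoints if not e["edr"])


def overdue_patches(endpoints, as_of=AS_OF, max_age=MAX_PATCH_AGE):
    """Hosts whose last patch is older than the SLA you attested to."""
    return sorted(e["host"] for e in endpoints if _age(e["last_patched"], as_of) > max_age)


def readiness_report(users=USERS, endpoints=ENDPOINTS, as_of=AS_OF):
    """Map each typical questionnaire statement to (can you truthfully say yes?, exceptions).

    The statements are paraphrases of common insurer questions, not any insurer's wording.
    """
    checks = {
        "MFA is enforced for all user accounts": mfa_gaps(users),
        "MFA is enforced for all privileged accounts": privileged_without_mfa(users),
        "Unused accounts are disabled within 90 days": dormant_accounts(users, as_of),
        "Endpoint protection is deployed on every device": endpoints_without_edr(endpoints),
        "Critical patches are applied within 30 days": overdue_patches(endpoints, as_of),
    }
    # A statement is only safely answered 'yes' when the list of exceptions is empty.
    return {q: {"yes": not gaps, "exceptions": gaps} for q, gaps in checks.items()}


def statements_you_cannot_attest(report):
    """Statements where ticking 'yes' on the form would be a misrepresentation today."""
    return [q for q, r in report.items() if not r["yes"]]


if __name__ == "__main__":
    report = readiness_report()
    for q, r in report.items():
        print(f"{'YES' if r['yes'] else 'NO '}  {q}")
        for item in r["exceptions"]:
            print(f"        exception: {item}")
```

Run it against the constructed data and every statement comes back "NO" with a named exception (the service account without MFA, the laptop with no agent, the file server four months behind on patches). Keep the dated output with your renewal paperwork: the point is to answer the questionnaire from evidence rather than memory, and to have that evidence when a claim is examined.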

Misrepresentation on the application

Cyber insurance applications ask detailed questions about your security setup. Many business owners complete these without a full understanding of what they're committing to. If there's a discrepancy between what you said and what was in place, the policy may be void — even if the misrepresentation was unintentional.

Not understanding what the policy covers

A report by the Federation of Small Businesses found that 38% of its members with cyber insurance don't know what their policy actually includes. That's a significant problem when it comes to making a claim.

Exclusions buried in the small print

Common exclusions include employee mistakes, failure to follow internal procedures, and incidents involving unpatched software (so keep records of when each system was patched). Some policies also exclude certain types of ransomware, or require you to report an incident within a very tight window, often 72 hours, which is also the deadline GDPR sets for notifying the regulator of a reportable personal-data breach. Put the insurer's reporting contact and that deadline in your incident response plan, because missing the window can itself be grounds for denial.

What Do Insurers Actually Look For?

When you apply for cyber insurance, insurers will typically ask about 15 to 30 security controls. The non-negotiables in 2026 are:

These aren't just boxes to tick on a form. They're the controls that will determine whether your claim is paid out if you ever need it.

So, Does Your Business Actually Need It?

For most small and medium-sized businesses — yes.

If your business stores any customer data, processes payments, relies on digital systems to operate, or would face regulatory obligations in the event of a breach (GDPR in the EU, and UK GDPR in the UK, applies to any business handling personal data), then cyber insurance is worth having.

The caveat is that a policy is only valuable if it actually covers what you think it covers. Before you buy — or before you renew — it's worth understanding:

  1. What controls the insurer requires you to have in place
  2. Whether those controls are actually implemented across your business
  3. What the policy does and doesn't cover, especially around exclusions
  4. What you're required to do in the event of an incident, and how quickly

If there are gaps between what the insurer expects and what you currently have in place, closing those gaps is the priority — not just for insurance purposes, but because they're the same things most likely to prevent an attack in the first place.


Not Sure If You'd Pass an Insurer's Checks?

Our free Cyber Insurance Readiness Check runs through the exact criteria UK and EU insurers use — and shows you where your gaps are, with a plain-English action plan.

Check Your Readiness Free → Talk to Us