
Cyber Insurance: What's Covered, What Isn't, and What Insurers Now Expect
Your company gets hit with ransomware. Systems locked. Revenue bleeding at thousands per day. You've been paying premiums for years, so you file a claim expecting the insurer to handle it. Three days later, the letter arrives: claim denied. Your policy required multi-factor authentication on all admin accounts, and the post-breach investigation found it wasn't enabled on 20% of them. Material breach of policy terms. You're looking at a six-figure recovery bill on your own.
This is happening to UK businesses right now. Not because the market has collapsed, but because the way cyber insurance is underwritten and enforced has quietly changed. If you haven't looked at your policy in the past 12 months, what you think you have and what you actually have are probably two different things.
What a cyber insurance policy covers
A standalone cyber policy covers two broad categories.
First-party costs are what your own business faces after an incident. In 2026, that means your insurer sends a forensics team, a professional ransom negotiator, legal counsel, and crisis PR. It covers business interruption: the income you lose while systems are down. The average downtime for a ransomware event sits around 15 days. For a small business, 15 days offline can be fatal.
It also covers data recovery, ransomware payments (the average ransom in late 2024 was around £380,000), and losses from cyber crime including social engineering, invoice fraud, and funds transfer manipulation. By 2024, cyber crime claims were running neck and neck with ransomware claims. That shift caught a lot of businesses off guard.
Worth knowing about separately: contingent business interruption. That covers losses you take because a vendor you depend on goes down. The CDK auto dealership incident is a good example, where a failure at a third-party management platform cost £51 million over a single weekend. If your business relies on a cloud platform or a managed service provider, check whether your policy covers this. Many don't.
Third-party liability is the other half. If a data breach exposes customer records, this pays for legal defence, settlements, and damages. It can cover regulatory investigation costs and PCI-DSS fines if payment card data is compromised. The Marks and Spencer breach in April 2025 resulted in over £100 million in insurance payments being honoured.
Now scale that down. The all-in cost of a ransomware claim for a UK business with under £10 million in revenue currently averages around £950,000. Forensics, legal fees, lost business, notification, recovery. That number surprises people, but it shouldn't. Most of it is the downtime.
Where policies fall apart
It reads well on paper. The problems are in the fine print.
Misrepresentation
This is the single biggest cause of claim denials. When you fill out the application and tick the box saying MFA is enabled on all accounts, the insurer treats that as a contractual commitment. If their investigation after a breach finds it was only on 80% of accounts, or that legacy authentication protocols were still letting people log in with just a password, they can void the entire claim. Around 44% of denied claims fail because the business couldn't produce evidence that its stated controls were actually working when the breach happened.
War and nation-state exclusions
These have always been in policies, but they're getting more attention as the line between criminal hacking and state-sponsored operations blurs. The CrowdStrike outage in mid-2024 made the practical impact impossible to ignore: approximately zero insurance policies paid out. It wasn't classified as a cyber attack; it was a software update failure, so policies weren't triggered. Expect the definition of what counts as a “cyber event” to get tighter in every renewal from now on.
Ransomware sub-limits
This is one of the nastiest surprises in the market. A policy might show a £5 million total limit on the declarations page, but bury a ransomware sub-limit of £10,000 or £25,000 deeper in the wording. That's the actual ceiling for an extortion event. If you haven't checked your sub-limits, do it today.
Social engineering and funds transfer fraud
Frequently excluded from standard policies. If an employee gets tricked into wiring money to a fraudulent account, coverage for that often requires a separate endorsement. These crime claims are now matching ransomware in frequency, so this exclusion is catching out businesses that assumed their policy covered “cyber” broadly.
Regulatory fines
Many policies cover the cost of responding to a regulatory investigation, the lawyers and the notification process, but explicitly exclude the fines themselves. If the ICO issues a penalty after a breach, check whether your policy covers the fine or just your response to the investigation.
Vendor and supply chain failures
If your cloud provider goes down and takes your operations with it, a basic policy may leave you with nothing. Losses from a failure at a third party are often not covered unless the policy specifically includes contingent business interruption.
What underwriters now require
The cyber insurance market between 2020 and 2023 was brutal. Premiums spiked, capacity shrank, underwriters tightened everything. By 2025 the market has softened again. There's more capacity, pricing is competitive, and a small business with decent security can get a £1 million aggregate policy for under £1,200 a year. But the technical bar for getting and keeping coverage has gone up.
The change is straightforward: insurers have stopped trusting what you say on the application. They want proof.
MFA on every account
Not most accounts. All of them. Remote access, email, admin and privileged accounts. If MFA covers 80% of your users but is missing for remote workers or a handful of service accounts, the answer to the application question is no. Ticking yes when it isn't fully enforced is the single most common reason claims get denied.
Managed detection and response, running 24/7
Standalone antivirus or basic EDR is no longer enough for most underwriters. They want managed monitoring with the telemetry to prove it's configured correctly across all endpoints, including remote devices. If nobody is watching the alerts at 2am on a Saturday, that's a problem.
Offline, immutable backups
Three copies of your data, on two different media types, one stored offline and unreachable from your main network. Daily backups, with verification logs proving they actually ran and completed. Backups that an attacker can reach from inside your network don't count for much after a ransomware event.
Patching within 30 days
Documented patch reports showing dates and coverage percentages. If there's a known critical vulnerability and you've left it open for weeks, that's grounds for denial when the breach exploits it.
A tested incident response plan
Having a plan in a drawer doesn't count. Insurers want evidence of tabletop exercises, ideally tied to something like NIST or CIS Controls. They want to see that your leadership knows what happens on day one of a breach because they've rehearsed it.
Security awareness training with records
Phishing simulations, training modules, and documented proof that employees completed them. The annual slide deck from 2024 isn't going to cut it.
Privileged access management
Admin accounts locked to the strongest MFA available, rights restricted to the minimum needed, monitoring in place. If someone is browsing the web and reading email on an account with admin privileges, that's an underwriting red flag.
Some underwriters are also running external vulnerability scans on your public-facing infrastructure before they'll even quote. And a growing number of applications now ask how your business uses and secures AI tools. That one is new for 2026, and it isn't going away.
The gap between what SMEs think they have and what they actually have
Around 85% of UK businesses still don't have a standalone cyber insurance policy. Many of those that do are relying on a small cyber endorsement bolted onto their general business policy, offering maybe £50,000 to £100,000 of cover. That is not going to absorb a £950,000 ransomware claim.
There's also a common assumption that “having insurance” means “being covered.” It doesn't, necessarily. If your policy says you'll report a breach within 48 hours but nobody on your team knew that requirement existed, or if you claimed daily backups on the application but they actually run weekly, those gaps will matter at claim time.
The other thing worth checking is whether your policy pays on your behalf or reimburses you after you've already paid. For a larger business, fronting £400,000 during a crisis and claiming it back later is painful but survivable. For a 20-person company, finding that cash during a ransomware event can be the difference between recovering and shutting down.
How to prepare for your next renewal
Treat the renewal as a security audit, not a form-filling exercise.
Get the right people in the room
Filling out a cyber insurance application accurately isn't a one-person job. You need IT for the technical controls, the CFO for financial exposure, HR for onboarding and offboarding policies, and whoever handles data privacy. The questions span the whole business. One person can't answer them all accurately, and getting answers wrong is worse than leaving them blank.
Audit your controls against reality
Walk through MFA enforcement, patching cadence, backup configuration, endpoint protection, and your incident response plan. Check what's actually happening on the ground. What the policy document says should be happening and what's really happening at 3pm on a Friday are often different things.
Gather your evidence before the conversation
MFA logs showing full enforcement. Patch reports with dates and coverage percentages. Backup verification logs. MDR telemetry confirming round-the-clock monitoring. Security awareness training completion records. Insurers who see verifiable proof offer better terms. Some firms have seen premiums drop from over £110,000 to £28,000 after presenting a strong evidence package.
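As an added illustration (not part of this article or Bluestone Cyber's services), here is how two of those evidence items turn into the numbers an underwriter actually asks for: an MFA coverage figure that treats any account still reachable over a legacy password-only protocol as uncovered, and critical patches measured against the 30-day window. The account inventory, hostnames and patch ids are constructed placeholders, and the field layout is an assumption rather than any real product's export format.

```python
from datetime import date

# Constructed sample inventories; usernames, hosts and patch ids are placeholders.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True, "legacy_auth": False},
    {"user": "bob", "privileged": False, "mfa": True, "legacy_auth": False},
    {"user": "svc-backup", "privileged": True, "mfa": False, "legacy_auth": False},
    {"user": "carol", "privileged": False, "mfa": True, "legacy_auth": True},
    {"user": "dave", "privileged": False, "mfa": False, "legacy_auth": False},
]
CRITICAL_PATCHES = [
    {"host": "web-01", "patch_id": "PATCH-0001", "released": date(2026, 1, 3), "applied": date(2026, 1, 20)},
    {"host": "db-01", "patch_id": "PATCH-0002", "released": date(2026, 1, 3), "applied": None},
    {"host": "fs-01", "patch_id": "PATCH-0003", "released": date(2026, 2, 10), "applied": None},
]
AS_OF = date(2026, 3, 1)  # date the evidence package is being assembled


def mfa_report(accounts):
    """Coverage figure plus the accounts that make 'MFA on all accounts' a 'no'."""
    # MFA enforced but a legacy (password-only) protocol still allowed is not
    # coverage: a post-breach investigator will treat it as a gap.
    failing = [a["user"] for a in accounts if not a["mfa"] or a["legacy_auth"]]
    privileged_failing = [a["user"] for a in accounts
                          if a["privileged"] and (not a["mfa"] or a["legacy_auth"])]
    pct = round(100 * (len(accounts) - len(failing)) / len(accounts), 1)
    return {"coverage_pct": pct, "failing": failing,
            "privileged_failing": privileged_failing, "answer_all_accounts": not failing}


def patch_report(patches, today, sla_days=30):
    """Measure each critical patch against the 30-day window as of `today`."""
    overdue = []
    for p in patches:
        # Open patches are aged against today; applied ones against the apply date.
        age = ((p["applied"] or today) - p["released"]).days
        if age > sla_days:
            overdue.append((p["host"], p["patch_id"], age))
    pct = round(100 * (len(patches) - len(overdue)) / len(patches), 1)
    return {"within_sla_pct": pct, "overdue": overdue}


if __name__ == "__main__":
    m = mfa_report(ACCOUNTS)
    print(f"MFA coverage {m['coverage_pct']}%; failing: {m['failing']}")
    print("Application answer 'MFA on all accounts':", "yes" if m["answer_all_accounts"] else "no")
    p = patch_report(CRITICAL_PATCHES, AS_OF)
    print(f"Critical patches within 30 days: {p['within_sla_pct']}%; overdue: {p['overdue']}")
```

Run against a real export, the output is the gap list to close before the application is signed, not a number to round up to "yes".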
Read the actual policy
Not the summary. Not the broker's overview. The policy wording. Check for ransomware sub-limits. Check whether social engineering is covered or excluded. Look at the war exclusion language. Ask your broker whether the policy pays on your behalf or requires you to pay upfront and seek reimbursement. Ask which incident response firms are on the approved panel. Ask whether contingent business interruption is included.
Fill in the application accurately
If MFA isn't on every account, say so. If patching is behind, say so. An inaccurate application doesn't just risk denial; it can be treated as fraud, voiding the policy entirely. The renewal questionnaire isn't a test you need to pass. It's a description of your actual security posture. Lie on it and you're paying premiums for something that will never pay out.
Shop around
The market has softened. Premiums are competitive. If you've improved your security since last year, don't just auto-renew out of habit. Take your evidence package to multiple brokers. Loyalty is not rewarded in insurance, and brokers know it.
What this comes down to
Cyber insurance in 2026 is more accessible and cheaper than it's been in years. But it is also more conditional than it has ever been. Checkbox applications are dead. Insurers now function as active incident response partners, deploying forensics and legal teams on day one of a breach, and they expect their clients to hold up their end of the deal.
If your controls work and you can prove it, you'll pay less for better coverage and have a real safety net when something goes wrong. If you can't prove it, or worse, if what's on your application doesn't match what's on the ground, you'll find out what your policy actually says at the worst possible moment.
That's a bad time to discover the answer is nothing.
Bluestone Cyber helps UK businesses prepare for cyber insurance renewals as part of our security assessment services. If you want to know where you stand before your next conversation with your broker, get in touch. We'll give you a straight answer.