
Cyber Insurance for small businesses – understanding the pitfalls in an ever changing world

Prevention is almost always better than cure, and in the current cyber landscape that is truer now than ever. Protecting yourself from the current range of cyber threats is safer and cheaper than responding to an incident that could cripple your business and turn away customers in droves.

A recent government survey (2019) reported that the average cost of a cyber security breach for a UK business was £4,180 in 2019 (£22,700 for larger companies), so the cost of a cybercrime can be debilitating for companies both large and small. As a result, many companies include a cyber insurance policy as part of their overall business insurance coverage.

How are businesses being affected?

However, many small and medium-sized businesses have put more and more faith in insuring their business against the threat of cyber attack, and not in preventing the attack in the first place. Currently the cost of a typical cyber insurance policy (£250 to £300) is about the same as the cost to the business of putting Cyber Essentials in place.

Whilst insurance has an important place in protecting your business, the implementation of basic cyber resilience protocols should not be ignored. The threat of phishing to organisations continues to grow at an exponential rate, with 44% of organisations globally reporting a successful phishing attack against their organisation in 2021. The impact of this is now being felt by the insurance industry itself, and this will almost certainly drive insurance costs upwards as well.

Insurance companies saw their loss ratios rocket in 2020, from a base of around 40% to over 70%. That means that for every pound received in cyber insurance premiums they are now paying out more than 70 pence in claims.

How are insurance companies responding?

The latest news reporting shows how Lloyd's of London, which covers almost 25% of the global cyber market, is looking to limit its liability. In particular, exclusion clauses are likely to appear that exclude all losses caused by ‘war’. The actual definition of war is vague but includes state-sponsored cyber terrorism. As has been widely reported, a number of countries are now either funding or turning a blind eye to cyber attackers operating within their own jurisdictions. As long as these hackers don’t affect the host country, what they do abroad, and particularly what they do to destabilise the West, is largely ignored or actively encouraged. Whether the cyber attack you are claiming against falls within this ‘war’ definition will be decided by the insurance company itself, and this is likely to be in the favour of the insurance company, not the claimant!

Cyber insurance premiums for industries hardest hit by cybercrime soared as much as 300% at renewal this year. Companies and organisations in education, government, health care, construction and manufacturing are among those bearing the brunt of those price increases.

Lloyd’s of London, which has around a fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business next year, industry sources told Reuters on condition of anonymity this month. It is clear now that more and more insurers are changing their appetites, limits, coverage and pricing, with limits on the maximum sum insured falling by in excess of 50% in this year alone.

What should I do now?

As always, we recommend that you come to our site and sign up for free membership. We will start you off on your cyber resilience journey and help you protect yourself from the threat of cyber attack.

With the threat of cyber attack becoming ever more significant, we would also recommend that you look at the government’s cyber resilience accreditation scheme, Cyber Essentials, which mitigates fully or partially against 99.0% of current cyber threats. Find out more at Cyber Essentials & Plus Training & Certification ¦ ECRC (

In conclusion, cyber insurance should only ever be seen as part of the solution to the cyber threat. It is likely that SMEs will face higher premiums and be required to meet higher standards of cyber resilience even to get cover. So here at the centre our advice is to jump now, before you are pushed and before it is too late.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
