Cyber attacks and data breaches are no longer just a big-company problem; small businesses are frequently targeted and can be hit hard. Cyber insurance helps a business survive and recover. This guide explains cyber insurance for small businesses: what it covers, why it differs from other cover, and what insurers now expect of you.
What cyber insurance is
Cyber insurance covers the costs your business faces from a cyber attack or data breach, from the immediate response and recovery to claims that others may bring against you. As businesses of every size rely on computers, online systems and customer data, the financial damage from an incident can be severe. Cyber cover has become a mainstream business insurance, sitting alongside public liability and professional indemnity as a core protection for modern businesses.
Why small businesses are targeted
It is a myth that only large organisations are attacked. Small businesses are often targeted precisely because their defences may be weaker, and an attack such as ransomware or a data breach can be devastating for a business with limited resources. The costs of investigating, recovering and dealing with the fallout can threaten a small firm's survival, which is why cyber cover matters as much for small businesses as for large ones, if not more.
First-party and third-party cover
Cyber insurance generally has two sides. First-party cover pays for your own losses and recovery, such as investigating the breach, restoring data and systems, and lost income while you are offline. Third-party cover pays for claims others bring against you, such as customers whose data was exposed. A good policy covers both, because an incident can both cripple your own operations and lead to claims, and you may need protection on both fronts.
What it covers
A cyber policy typically covers the cost of responding to a breach, including forensic investigation to find out what happened, restoring lost or corrupted data, dealing with ransomware, notifying affected individuals and the regulator, legal costs, and the loss of income while your systems are down. It may also cover liability to third parties affected by the breach. The exact cover varies, so check what response and recovery services the policy provides.
How it differs from other cover
Cyber insurance fills gaps that public liability and professional indemnity do not. Professional indemnity, as our guide to professional indemnity insurance explains, covers claims that your advice or work harmed a client, whereas cyber covers the cost of recovering your own systems and handling a breach. Public liability, as our guide to public liability insurance explains, deals with physical injury and damage, not digital incidents. Cyber cover handles the specifically digital risks the others miss.
Data protection and the ICO
If a breach exposes personal data, your business has obligations under data protection law, including potentially notifying the Information Commissioner's Office and affected individuals, which itself carries costs. Cyber insurance often helps with these obligations, covering notification costs and the expert help needed to handle a breach correctly. Given the legal duties around personal data, this support can be valuable, helping you respond properly as well as covering the financial cost.
What insurers now expect of you
The bar for cyber cover has risen, and insurers increasingly expect businesses to have basic security controls in place before they will offer cover or pay claims smoothly. Measures such as multi-factor authentication, regular backups, software updates and staff awareness are commonly expected, and recognised standards can help. Putting sensible cyber security in place not only reduces your risk but is increasingly a condition of getting affordable cover, so the two go hand in hand.
Is it worth it?
For most small businesses that rely on computers, hold customer data or trade online, cyber cover is increasingly worthwhile, because the cost and disruption of an incident can be severe and hard to absorb. As with any cover, weigh the premium against the potential loss, but bear in mind that a serious cyber incident can threaten a small business's survival. Combined with good security practice, cyber insurance provides a valuable safety net.
Common cyber incidents
The incidents cyber insurance responds to are varied. They include data breaches where customer or staff information is exposed, ransomware that locks your systems and demands a ransom to release them, phishing and fraud that trick staff into transferring money or handing over credentials, and attacks that take your website or systems offline. Each can cause direct financial loss, disruption and reputational harm. Cyber cover is designed to help a business respond to and recover from this range of digital incidents.
Ransomware in particular
Ransomware, where attackers encrypt your data and demand payment to release it, has been one of the most damaging threats to businesses. Beyond any ransom, the cost of restoring systems, lost trading time and handling the fallout can be severe. Cyber policies often provide specialist support to respond to ransomware, including expert negotiators and recovery services. Good backups, kept separate from your main systems, are one of the best defences and are increasingly expected by insurers.
The human factor
Many cyber incidents begin with human error, such as a staff member clicking a malicious link or being deceived by a convincing email. This means cyber security is not only about technology but about people. Training staff to recognise threats, and having clear procedures, reduces the risk considerably. Insurers increasingly value this, and some policies include support for staff awareness. Combining cover with a security-aware team is far stronger than relying on either alone.
Cyber and your other policies
Cyber cover works alongside, not instead of, your other business insurance. Directors may still face personal exposure from a cyber incident, which is where directors' and officers' cover comes in, as our guide to directors' and officers' insurance explains, and a packaged business policy may bundle cyber with other covers. Understanding how cyber fits with the rest of your insurance ensures the digital risks are covered without assuming another policy already deals with them.
For almost any business that depends on computers, data or online trading, cyber cover combined with sensible security has become a basic part of protecting the business, because a single serious incident can be more than a small firm can absorb on its own.
Treat strong security and good cyber insurance as two halves of the same plan: the controls reduce the chance of an incident, and the cover protects the business if one happens anyway, which is increasingly how insurers expect businesses to approach the digital risks they all now face.
In short
Cyber insurance covers the costs of a cyber attack or data breach, including investigation, data recovery, ransomware, breach notification, legal costs and lost income, plus claims from affected third parties. Small businesses are frequently targeted, and cyber cover fills gaps that public liability and professional indemnity leave. Insurers now expect basic security controls like multi-factor authentication and backups. For businesses reliant on data and systems, it is increasingly essential.
Where to get help and next steps
Read our guides to professional indemnity insurance, public liability insurance, and directors' and officers' insurance. This is general information, not financial or legal advice.