TL;DR:
- Cyber insurance covers immediate costs and liabilities after cyberattacks, both for your organization and affected parties. It requires mature security controls and offers services like incident response support to improve recovery and reduce claim severity. Proper policy selection and pre-established response relationships are critical for effective protection.
Cyber insurance is a specialised financial product that covers the costs a business incurs before, during, and after a cyberattack. Also referred to as cybersecurity insurance or cyber liability insurance, it addresses losses that standard commercial policies explicitly exclude. General liability insurance typically excludes data breaches, ransomware, and regulatory fines entirely. For any organisation that stores customer data, processes payments, or relies on digital infrastructure, a standalone cyber insurance policy is no longer optional. It is the financial floor beneath your incident response plan.
What does cyber insurance cover?
Cyber insurance splits into two distinct coverage categories: first-party costs and third-party costs. Understanding the difference determines whether your policy actually matches your risk exposure.
First-party coverage pays for losses your organisation suffers directly:
- IT forensics and investigation costs to identify the breach source
- Data restoration after ransomware or destructive attacks
- Ransomware payments, where legally permissible
- Business interruption losses during system downtime
- Crisis communications and public relations support
- Breach notification costs to affected individuals
Third-party coverage pays for claims made against your organisation by others:
- Legal defence fees and court costs
- Settlements or judgements from affected clients
- Regulatory fines and penalties under frameworks such as GDPR or HIPAA
- Credit monitoring services for affected data subjects
Cyber insurance also aids compliance with breach notification obligations under GDPR, covering both the notification costs and potential regulatory fines. That matters significantly for UK and European businesses, where notification deadlines are strict and fines can reach tens of millions of pounds.
Policy exclusions vary widely between insurers. Common exclusions include acts of war, infrastructure failures caused by a third party, and incidents arising from known, unpatched vulnerabilities. Read the exclusions section of any policy before signing.

Pro Tip: Ask your broker for a side-by-side exclusions comparison across at least three policies. The differences in war exclusion language alone can determine whether a nation-state attack is covered.
How much does cyber insurance cost?
The cost of cyber insurance depends on your sector, revenue, data volume, and existing security controls. Premiums vary considerably across industries.
Small businesses under £5 million revenue typically pay between $1,000 and $2,500 annually for $1 million in cyber liability coverage. Healthcare and finance organisations pay two to four times more, reflecting their higher data sensitivity and regulatory exposure. The average annual premium for $1 million in coverage with a $10,000 deductible sits at approximately $1,501.
Factors that drive your premium up
Four variables consistently push premiums higher:
- Volume of sensitive data. Organisations holding large volumes of personally identifiable information or payment card data carry greater breach liability.
- Revenue and transaction volume. Higher revenue signals greater financial exposure per incident.
- Sector classification. Healthcare, financial services, and critical infrastructure attract the highest rates.
- Security control maturity. Weak controls, such as the absence of multi-factor authentication or endpoint detection and response tools, increase both your premium and your risk of a claim being denied.
Coverage limits and deductibles
| Coverage limit | Typical deductible | Best suited for |
|---|---|---|
| $500,000 | $2,500–$5,000 | Micro businesses, low data volume |
| $1,000,000 | $5,000–$10,000 | SMEs with moderate data exposure |
| $5,000,000+ | $25,000+ | Mid-market and high-risk sectors |
Data breach costs frequently exceed $250,000 for small businesses. That figure means a $500,000 policy provides only a modest buffer, and a $1 million policy may be the realistic minimum for any organisation processing customer data at scale.
Does cyber insurance replace good cybersecurity?
Cyber insurance does not replace cybersecurity controls. It funds the response when those controls fail. The distinction matters because many business leaders treat insurance as a substitute for investment in security. It is not.
Insurers now require security controls such as endpoint detection and response (EDR) and multi-factor authentication (MFA) as prerequisites for eligibility. Failing to maintain these controls after policy inception can result in a claim being denied. The policy is contingent on your security posture, not independent of it.
"Cyber insurance is more than financial cover. It is a critical tool for raising cybersecurity awareness and rapid incident response access." — Munich Re, 2026
Rapid incident response funding is one of the most underappreciated benefits of a cyber policy. When a breach occurs, the immediate costs, including forensic investigators, legal counsel, and notification services, arrive before any revenue recovery. Insurance provides the liquidity to act fast. Delayed response consistently leads to greater data loss, higher regulatory exposure, and worse press coverage.
Modern policies also include pre-breach services such as risk assessments, employee training resources, and incident response retainers. These services reduce the probability of a claim and improve outcomes when one occurs. Choosing a policy purely on premium price, without evaluating these services, is a false economy.

Pro Tip: Request evidence of your insurer's incident response retainer network before purchasing. The quality and speed of their panel providers will determine how quickly your business recovers.
How to choose the right cyber insurance policy
Selecting a cybersecurity insurance policy requires more than comparing premium prices. The right policy aligns with your specific risk profile, sector obligations, and incident response capability.
Work through these five considerations before committing:
-
Map your first-party and third-party exposure. A law firm faces high third-party liability from client data breaches. A retailer faces high first-party costs from payment system downtime. Your coverage mix should reflect your actual risk, not a generic template.
-
Set limits based on realistic breach costs. Use your sector's average breach cost as a baseline. For most UK SMEs, $1 million is a starting point, not a ceiling. Review the financial impact of cyber incidents for your sector before finalising limits.
-
Evaluate insurer panel services. The best policies include access to pre-vetted digital forensics firms, legal counsel, and crisis communications specialists. Check whether the insurer's panel covers your geography, particularly if you operate across the UK, Gibraltar, or Europe.
-
Scrutinise exclusions and sub-limits. Social engineering fraud, cyber extortion, and cloud provider outages each carry separate sub-limits in many policies. A $1 million policy with a $100,000 sub-limit on ransomware payments is not a $1 million ransomware policy.
-
Assess claims handling reputation. Ask your broker for claims payment data. An insurer with a pattern of disputed claims is a liability, not an asset. Specialist cyber insurers generally outperform generalist carriers on claims speed and technical understanding.
Understanding incident response clauses within your policy is equally critical. Some policies require you to use the insurer's approved panel for forensics and legal work. Others allow you to appoint your own specialists. The latter gives you greater control over response quality and speed.
Key takeaways
Cyber insurance is the financial foundation that makes a credible incident response plan possible. Without it, breach costs routinely exceed what organisations can absorb without lasting damage.
| Point | Details |
|---|---|
| Standalone policy required | General liability excludes cyber losses; a dedicated policy is the only reliable protection. |
| Two coverage types matter | First-party covers your own losses; third-party covers claims from affected clients and regulators. |
| Limits must match breach reality | Breach costs frequently exceed $250,000 for small businesses; $1 million is a realistic minimum. |
| Security controls affect eligibility | EDR and MFA are now prerequisites; weak controls can void a claim. |
| Policy services add real value | Pre-breach risk tools and incident response retainers reduce both probability and severity of claims. |
Makkari's view: insurance without response capability is half a plan
Working directly with organisations after breaches, the pattern is consistent. The businesses that recover fastest are not necessarily those with the largest policies. They are the ones whose policies are backed by a tested incident response capability.
Underinsurance is the most common and most avoidable mistake. Boards approve a $1 million policy and consider the risk managed. Then a ransomware attack causes three weeks of downtime, triggers a GDPR investigation, and generates client litigation. The policy covers a fraction of the total loss. The gap between the policy limit and the actual cost is the number that keeps risk managers awake.
The second pattern is equally predictable. Organisations purchase a policy but have no relationship with a digital forensics provider before an incident occurs. When the breach happens, they spend the first 48 hours finding a qualified firm rather than containing the threat. Those 48 hours are when the most damage occurs.
Insurers are tightening eligibility requirements because the claims data supports it. Organisations with mature security controls, tested incident response plans, and pre-established forensics relationships file fewer claims and recover faster when they do. The insurance market is, in effect, pricing the value of preparedness.
The advice from the front line is straightforward. Buy the right limits. Read the exclusions. Know your insurer's panel. And have a qualified incident response partner engaged before you need them.
— Makkari
Makkarisecurity: incident response that supports your claim
When a breach triggers your cyber insurance policy, the quality of your incident response determines both the outcome and the claim.

Makkarisecurity specialises in Digital Forensics and Incident Response (DFIR) across the UK, Gibraltar, and Europe. Our proprietary forensic engine delivers live memory capture and chain-of-custody verified results that hold up in regulatory investigations and litigation. The Eviction Pledge guarantees that once a threat actor is evicted, they will not return for a minimum of 60 days, or you pay nothing. For insurers and their policyholders, that is a measurable, contractual assurance. Explore our incident response capabilities or review our breach counsel and panel support services to understand how Makkarisecurity integrates with your cyber insurance programme.
FAQ
What is cyber insurance?
Cyber insurance is a specialist financial policy that covers the costs of responding to and recovering from cyberattacks, including ransomware, data breaches, and business interruption. It covers both first-party losses and third-party liability claims.
Does my general liability policy cover cyber incidents?
No. General liability insurance explicitly excludes data breaches, ransomware, and regulatory fines. A standalone cyber policy is required for meaningful protection.
How much does cyber insurance cost for a small business?
Small businesses under $5 million in revenue typically pay between $1,000 and $2,500 annually for $1 million in coverage. High-risk sectors such as healthcare and finance pay two to four times more.
What security controls do I need to qualify for cyber insurance?
Most insurers now require multi-factor authentication and endpoint detection and response tools as minimum eligibility criteria. Weak controls can result in higher premiums or a denied claim.
What is an incident response retainer in a cyber policy?
An incident response retainer is a pre-arranged agreement, often included or subsidised by a cyber policy, that gives you immediate access to forensic investigators and legal counsel after a breach. It eliminates the delay of sourcing qualified help under pressure.
