Cyber insurance for UK businesses explained: what it covers, who needs it, and why your existing commercial policy almost certainly has a gap you don’t know about.
Most UK business owners assume their insurance covers everything that could go wrong.
It doesn’t.
One of the most significant gaps we find when we review a business’s insurance is cyber risk. Standard commercial policies almost always exclude it. And in 2026, that gap matters more than it ever has.
Here’s what you need to know.
Cyber attacks are no longer a large-business problem
There’s a common assumption that cyber attacks target big corporations with large IT departments and valuable data. That assumption is wrong, and it’s costing small and medium-sized businesses significantly.
In 2026, SMEs are one of the biggest targets for cyber crime in the UK. The UK government recorded 204 nationally significant cyber incidents in the year to August 2025, a 129% increase on the previous year. And 59% of UK businesses experienced at least one cyber incident in the last 12 months, up from 53% the year before.
The reason SMEs are targeted is straightforward. They hold valuable data, they take payments, they use cloud systems and email, and they typically have fewer controls in place than larger organisations. That makes them easier targets.
Phishing emails. Ransomware. Data breaches. System outages. These are no longer edge cases. They are everyday business risks.
Your existing insurance almost certainly doesn’t cover it
This is the part most business owners don’t know.
When you take out a standard commercial insurance policy, cyber risk is typically excluded. The policy covers physical risks: fire, flood, theft, liability. It does not cover what happens when someone accesses your systems without permission, encrypts your data and demands a ransom, or steals your customer records.
Even if your policy includes some form of business interruption cover, that cover is usually triggered by a physical event. A cyber attack is not a physical event. In most standard policies, it falls outside the scope of cover entirely.
We see this regularly when we review a business’s insurance. The business owner believes they are covered. They are not.
What cyber insurance actually covers
A dedicated cyber insurance policy is designed to provide cover towards the financial and operational impact of a cyber incident. Cover varies by policy, but most include a combination of the following.
Incident response costs. When a cyber attack happens, you need specialist help quickly. Forensic investigators to understand what happened. IT specialists to contain the damage. Legal advice on your obligations. A cyber policy can contribute towards the costs.
Business interruption. If a cyber attack takes your systems offline and you cannot trade, a cyber policy provides cover towards the loss of income during that period. This is the cover that standard business interruption policies typically do not provide for cyber events.
Data breach and regulatory costs. Under UK GDPR, if you suffer a data breach involving personal data, you have legal obligations. You may need to notify the ICO. You may need to notify affected individuals. There may be regulatory fines. A cyber policy can help financially towards the costs of managing the process.
Ransomware and extortion. If your systems are encrypted and you receive a ransom demand, a cyber policy can help cover the costs of responding to that situation, including specialist negotiation support.
Reputational damage. Some policies include cover towards the costs of managing the reputational impact of a cyber incident, including crisis communications support.
Who needs it
The honest answer is: most businesses.
If your business does any of the following, cyber insurance is worth serious consideration.
You store customer or employee personal data. Almost every business does. Names, email addresses, payment details, employment records. All of this is personal data under UK GDPR, and a breach carries legal implications and potential fines.
You take payments online or use cloud-based systems. If your payment systems, accounting software, or CRM are cloud-based, a cyber incident affecting those systems could stop you trading.
You rely on email to operate. Business email compromise, where attackers intercept or impersonate email communications to redirect payments or extract information, is one of the most common and costly forms of cyber crime affecting UK SMEs.
You work with larger clients or public sector organisations. Many larger businesses and public sector bodies now require their suppliers to hold cyber insurance as a condition of contract. If you don’t have it, you may find yourself unable to win certain work.
You are a micro-business or sole trader. Smaller businesses are often more vulnerable, not less, because they have fewer resources and controls. A cyber incident that would be manageable for a large business can be existential for a small one.
What it costs
This is where most business owners are surprised.
Cyber insurance for a small or medium-sized UK business is typically far less expensive than people expect. Entry-level cover can cost less than a mobile phone contract per month. For most businesses, the cost of a policy is a fraction of what a single cyber incident would cost to resolve.
The average cost of a cyber incident for a UK SME, including downtime, recovery costs, and any regulatory or legal exposure can run into tens of thousands of pounds. A ransomware attack that takes your systems offline for a week can cost far more than that.
The question is not really whether you can afford cyber insurance. It is whether you can afford not to have it.
The broker conversation you should be having
Cyber insurance is not a one-size-fits-all product. The right level of cover depends on the nature of your business, the data you hold, the systems you rely on, and the contracts you work under.
This is exactly the kind of conversation a broker should be having with you. Not just placing a standard policy, but understanding how your business actually operates and making sure the cover reflects your specific risk profile.
If you have never had a conversation about cyber risk as part of your insurance review, that is a gap worth addressing.
The bottom line
Cyber risk is becoming one of the most significant threats facing UK businesses of all sizes. Standard commercial policies do not cover it. And between a third and half of UK businesses still do not have appropriate standalone cyber protection.
If you are not sure whether your current insurance covers a cyber attack, the honest answer is that it probably doesn’t.
A proper policy review will tell you exactly where you stand. And if there is a gap, we can help you close it.
We offer a free, no-obligation policy review for UK businesses. To book yours, call us on 01829 706 436 or email info@portalinsurance.co.uk. You can also find out more at portalbrokinggroup.co.uk.