Should cyber insurance become compulsory for UK businesses?

Here is why the threat of cyber attacks has paved the way for certain measures to be taken against them.

Cyber attacks affecting businesses are on the rise. As technology advances and UK firms become more reliant on computers, servers and networks, the risks become greater.

In fact, the Insurance Times recently reported that 60 per cent of small and medium-sized businesses in the UK have experienced some kind of cyber breach in the last year, with the average costing around £75,000. So it begs the question: should cyber insurance, along with employers' liability, become an insurance that is compulsory for UK firms?

The scale of cyber attacks

The report by the Insurance Times continued to say that the cost of cyber attacks to businesses globally sits at around £200 billion each year.

Whether it is someone hacking into your company’s server, obtaining sensitive information or a virus taking over your network, the potential costs to a business are huge, including:

  • Lawsuits
  • Business interruption
  • Loss of profit
  • Hiring specialists to fix the cyber issues
  • PR to rescue your brand image

With 98 per cent of UK businesses without any cover in place, a strong case for compulsory cyber insurance emerges to protect UK businesses and above all, employment.

The plans to make cyber security compulsory

Computer Weekly explains that 46 out of 50 US states have made cyber security an obligatory requirement. The EU has drafted a reform to follow suit but with the UK’s future involvement with the EU currently uncertain, ‘the scale and timing of this regulation has been put on hold’.

What cover is available?

The cover available includes legal fees, loss of income, hacker damage, extortion costs, loss of third party data, PR and business interruption compensation.

Whilst some business owners might be fretting at the idea of paying for more insurance, cyber cover can be purchased for as little as £15 per month for small companies, with cover of up to £5 million per year.

Insurers have to get an idea of the potential risk and how much value the company places on its IT infrastructure. Whether the company has a lot of employees, whether it holds sensitive information and the amount of security it has in place will all affect the cost of its policy.

But as businesses become more reliant on the web and the need for cyber insurance increases, it is not simply a matter of if, but when.

Why cyber insurance is your secret weapon

Here, Sarah Adams, cyber risk specialist at PolicyBee, highlights the importance of getting cyber insurance to protect your business.

Phishing. Malware. Hacking.

Unless you’ve been living in a cave, it’s likely you’ve seen words very much like these in various places recently. From an SME’s point of view, what’s worrying is they’re often mentioned alongside big-name companies and their latest IT-related tale of woe.

Despite, presumably, throwing lots of money at cyber security, the bigger they are the harder they fall still holds true. No one’s safe, apparently.

If you’re thinking you’ll be OK because you’re too small to bother with, think again. Sure, you might not keep the sheer volume of data that cyber crims like to get their hands on, but everything is worth something on the dark web. Besides which, hijacking your systems and holding your business to ransom instead is always a profitable option for the unscrupulous. Every silver lining has a cloud.

So what can you do? If the big boys can’t plug the holes in the digital dam, what hope have you got?

The (virtual) reality is, unfortunately, you can only do so much. Prevention is always better than cure, of course, but sometimes you need to accept the odds maybe aren’t in your favour and put your efforts into a solid contingency plan instead.

Recovery position

So where do you start?

Because cybercrime is a hot topic, there’s a flourishing industry for those looking for protection. If you can afford it, it’s certainly worth finding an IT security expert to poke around in your servers looking for holes. If you can’t stretch to that, the government’s packed its Cyber Aware website with priceless info and resources, and it’s a great place to start educating yourself.

The next step is thinking about the worst-case scenario and how to deal with it. What, exactly, will happen if your business is the next victim of cybercrime? Will things keep ticking over? How much will an attack cost to fix? Will there be consequences for your clients? Who do you go to for help?

If you answered most of these with a shrug, it’s time to take action.

Managed threat

Thankfully, you don’t need to be either an IT genius or a millionaire to get robust, reliable support.

One of the quickest, easiest and most sensible things you can do is get some cyber and data insurance: a good policy takes care of the cost, time and PR needed to recover from a cyber attack.

And getting it’s no longer the onerous task it used to be – you can buy good policies online quickly and cheaply from insurers and brokers alike.

But that doesn’t mean all policies are created equal. When it comes to insurance you get what you pay for and it’s worth taking the time to check your policy has what you need. If you’re not sure what that is, you’re looking at covering two basic areas:

1. Your direct financial losses

Hacker damage

Hardware is expensive. Software is expensive. Websites are expensive. Fixing, restoring or replacing them because of hacker damage is expensive. Cyber insurance should, as a basic box-tick, cover these costs.


Part of dealing with an attack means investigating how it happened, telling customers and regulators there’s a problem, and getting legal advice so you know where you stand. All this takes time and money, and your policy should take care of both.

Business interruption

If an attack forces you offline for a fortnight, say, how will your business cope? Can it still trade? If it can’t, your insurance should cover your lost income in the time you’re running around fixing things.


Holding your website, network or sensitive customer data to ransom is a cyber criminal’s favourite. Amounts demanded can run into millions of pounds, but just a few thousand can scupper a small business. Decent cyber insurance will cover the ransom, and the really good ones pay for a specialist consultancy to manage the situation for you too.

Crisis containment

Your reputation is hard-won and easily lost. Social media means bad news travels fast and damage limitation is essential to protect your good name. Any good cyber insurance covers the cost of getting a PR agency to make the right noises on your behalf.

2. Third party financial losses you’re liable for


If a security breach means your customers’ personal data is out in the open, you’re liable for it. And as you’re liable, your customers can sue you for failing to keep it secure. If that happens, any cyber insurance worth its salt pays a legal specialist to defend you, compensates your customers and pays the costs of a regulatory investigation.

Multimedia liability

Unfortunately, you can contribute to your own downfall by, for example, using an image on your website without the proper licence. Or inadvertently libelling a third party in a leaked email, say. Either way, your cover should protect your bank balance and your reputation by defending you and paying damages you’re liable for.

Levelling the playing field

Once you’ve decided to buy a policy, the next thing to consider is how much cover you need.

Ask an insurer or broker for an answer and, somewhat unhelpfully, you won’t get one. Not a definitive one, anyway. That’s because every business is different and what might be plenty for one might be nowhere near enough for another – even if they’re outwardly very similar.

If you want belt and braces, buy as much as you can afford. Sounds obvious, but you don’t need hindsight to tell you the difference between cheap and good value.

In any case, make your decision by thinking about:

  • How much your business relies on the internet, email and other systems
  • How much sensitive or personal customer data you store electronically
  • How big your business is (turnover, employees, clients)

It’s no exaggeration to say the right cover could save your business. Something to think about next time you see the word ‘cybercrime’ on the news.

Ben Lobel

Delphine Hintz

Ben Lobel was the editor of from 2010 to 2018. He specialises in writing for start-up and scale-up companies in the areas of finance, marketing and HR.
