If you run a UK firm with somewhere between 5 and 250 staff, cyber insurance has gone from a nice-to-have to something your clients, your bank, or your own board now ask about by name. The first question is almost always the same: what is this going to cost us?

The honest answer is a range, not a number. Most small and medium UK businesses pay between £350 and £5,000 a year for a standalone cyber policy. A micro business with light data and good controls can come in under £200. A 200-person firm in a regulated sector with millions of personal records can pay well into five figures. This guide breaks down where in that range you are likely to land, what moves the price, and the specific steps that actually bring a quote down rather than merely promising to.

Typical cyber insurance costs for a UK SME in 2026

Pricing depends heavily on turnover, headcount, the data you hold and the controls you have in place. As a rough guide based on current UK broker and insurer figures:

  • Micro business (under 10 staff, £500k cover): roughly £175 to £1,500 a year. A small marketing agency or trades firm with little sensitive data often sits near the bottom of this band.
  • Small business (10 to 50 staff, £1m cover): roughly £1,500 to £4,000 a year for most sectors.
  • Medium business (50 to 250 staff, £1m to £5m cover): roughly £4,000 to £15,000 a year, and higher if you handle large volumes of personal data or work in a high-risk sector.

These figures are for cyber liability cover bought as its own policy. If you bundle cyber into a wider commercial package, the marginal cost can look smaller on paper, though the cover is often narrower, so read the limits and sub-limits before assuming a bundled add-on does the same job.

One more number worth knowing: an £800-a-year premium for a modest firm with limited sensitive data is common, while a financial services business handling large volumes of personal records can pay closer to £4,000 for similar limits. Same product, very different risk.

Why premiums have moved the way they have

Cyber claims in the UK have grown fast. The Association of British Insurers reported that £197 million was paid out in cyber claims in 2024, a 230% increase on 2023, with malware and ransomware making up 51% of all claims, up from 32% the year before. You can read the ABI’s own summary of those figures for the full breakdown.

That claims pressure pulls premiums in two directions at once. Insurers want to charge more to cover rising losses, but competition among carriers chasing the SME market has kept headline rates softer than the claims data alone would suggest. The practical result for a small business is this: the door is open, but only if you meet the minimum controls underwriters now insist on. Firms that cannot tick those boxes are either declined or offered a watered-down policy with exclusions that strip out the cover that matters.

What actually drives your quote

When an underwriter prices your risk, a handful of factors do most of the work.

Turnover and headcount

Bigger businesses mean bigger potential claims, so turnover and staff numbers are direct rating factors. A £500k-turnover firm pays considerably less than a £5m one for the same cover, all else being equal.

The data you hold

The number of personal records you process matters. Holding records on fewer than about 25,000 individuals is usually comfortable for insurers. Once you cross 100,000 or 250,000 records, it starts to weigh on the price and the questions get harder.

Your sector

Some industries carry more risk and pay for it. Healthcare and care homes, legal firms, accountants, financial services, and retail or e-commerce typically pay 25% to 75% more than mid-band figures, because they hold sensitive data or are frequent targets.

Limits and excess

A higher cover limit costs more, and a higher excess (the amount you pay per claim before the insurer pays) brings the premium down. The trade-off is real money out of your pocket if you do claim, so set the excess at a level your cash flow can actually absorb.

Your claims history

A previous breach or cyber claim is a significant red flag. It can push your premium up by 25% to 50%, and in some cases an insurer will decline you outright.

The controls insurers now demand before they quote

This is the part that decides whether you get an affordable quote at all. UK underwriters have hardened their requirements since 2022 and moved from accepting statements to asking for evidence. Saying “we have antivirus” no longer cuts it; they want a named product, a current licence and a monitoring process.

Three controls come up on almost every application:

  • Multi-factor authentication (MFA). MFA on all remote access, admin accounts and cloud services is close to a universal requirement. Many insurers will not offer cover without it.
  • Endpoint detection and response (EDR). Modern EDR on every device, not just traditional antivirus, is increasingly expected.
  • Tested backups. Regular, separated backups that you have actually restored from. Insurers want evidence that backups work, not just that they exist.

Putting these in place does two things at once. It makes you insurable, and it tends to bring the price down. MFA, EDR, backups and staff awareness training together can reduce a premium by 10% to 30%.

How Cyber Essentials changes the maths

The single best-value move for an SME is Cyber Essentials certification. It is the UK government-backed scheme run by IASME on behalf of the National Cyber Security Centre, and it covers the core technical controls insurers look for. Since 27 April 2026, new certifications are assessed against version 3.3 of the technical requirements, using the Danzell question set that replaced the earlier Willow set. The government’s own Cyber Essentials overview is the authoritative starting point.

The assessment fees are tiered by size:

  • Micro (1 to 9 staff): £330 + VAT
  • Small (10 to 49 staff): £400 + VAT
  • Medium (50 to 249 staff): £450 + VAT
  • Large (250+ staff): £500 + VAT

Two reasons certification pays for itself. First, several UK insurers offer premium discounts of 10% to 25% for holding a current certificate, and a growing number now require it as a condition of cover. Second, basic Cyber Essentials certification comes with £25,000 of free cyber liability insurance for eligible UK-domiciled organisations with group turnover under £20 million, certified across the whole organisation. The cover is underwritten by Hiscox through IASME, runs for the 12-month life of the certificate, and includes incident response, legal costs, data restoration, business interruption and breach notification, with a £1,000 excess per claim. For the smallest firms, that free cover may genuinely be enough on its own. IASME also offers paid uplift policies up to £500,000 if you need more.

Budget realistically, though. The assessment fee is only part of the first-year cost. For a typical 25-person SME, the real spend, including the remediation work needed to pass first time, is closer to £1,800 to £3,500. If you want a fuller breakdown of what certification involves and how to prepare for it, see our guide to the five Cyber Essentials controls.

How to bring your premium down

A few practical levers, in rough order of impact:

  • Certify Cyber Essentials. It opens up quotes, earns discounts and bundles free cover.
  • Get MFA, EDR and tested backups in place and be ready to evidence them with product names and licences.
  • Set a sensible excess. A higher excess lowers the premium if your cash flow can take the hit on a claim.
  • Right-size your cover. Buying a £5m limit when £1m matches your real exposure is money spent on headroom you may never use.
  • Get three or four quotes through a broker who places cyber regularly. Shopping around can reveal differences of 20% to 40% on the same risk.

Frequently asked questions

Is cyber insurance a legal requirement in the UK? No. There is no law requiring a UK business to hold cyber insurance. It is often demanded contractually, for example by larger clients, public sector buyers or supply chain agreements, and many firms treat it as essential given that around 43% of UK businesses reported a cyber attack in the past year.

Will Cyber Essentials really lower my premium? For most SMEs, yes. Several insurers apply discounts of 10% to 25% for a current certificate, and some will not quote without it. Beyond the discount, certification also bundles £25,000 of free cover for eligible firms under £20m turnover, which offsets part of the certification cost.

What is the difference between cyber liability insurance and the free Cyber Essentials cover? The free Cyber Essentials cover is a £25,000 policy from Hiscox that comes with basic certification for qualifying UK firms. A standalone cyber liability policy is a separate product you buy directly, with much higher limits (commonly £1m to £5m for SMEs) and broader terms. The free cover is a useful floor, not a replacement for a properly sized policy.

How much cover does a small business actually need? It depends on your turnover, the data you hold and your recovery costs, not a fixed rule. Many SMEs buy between £1m and £5m. A useful sanity check is to estimate the cost of a serious ransomware incident, including downtime, data restoration, legal and notification costs, and make sure your limit covers that rather than the lowest available figure.

Why was my cyber insurance application declined? The most common reason is missing controls, usually no MFA, no modern EDR, or backups that have not been tested. Underwriters now ask for evidence rather than assurances. Closing those gaps, ideally through Cyber Essentials, typically turns a decline into a quote.

Can I just add cyber cover to my existing business insurance? Sometimes, as a bundled add-on. It can be cheaper on paper, but the limits and sub-limits are often narrower than a standalone policy, and important elements like ransomware response or business interruption may be capped low. Compare the actual cover, not just the headline price, before relying on a bundle.