Cyber Run-Off — Extended Reporting Period for Cyber Events



Cyber insurance sits awkwardly in the run-off conversation because it does not behave like the conventional liability covers and it does not behave like the conventional first-party covers. Part of cyber is third-party liability written on a claims-made-and-notified basis (so run-off matters in the conventional sense); part of cyber is first-party loss written on an events-discovered basis (so the trigger is the discovery of the loss, not its occurrence); and the dominant exposure that drives most cyber claims — UK GDPR data subject claims following a personal data breach — has its own civil-litigation timeline that can be years between breach and claim.

For a closing commercial business, the cyber question is: what cover continues, what cover do I need to bind, for what period, and at what cost? This guide answers each.

General guidance only — your specific circumstances require specialist advice. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.


Cyber’s hybrid structure recap

A standard UK cyber policy has two principal cover groups.

First-party. Pays the insured’s own losses: incident response, forensic, legal, PR, notification, credit monitoring, ransomware, BI, data restoration, cyber crime (where included). The trigger is discovery of an insured event during the period of insurance.

Third-party. Pays the insured’s liability to others: data subject claims under UK GDPR Article 82, regulatory defence (ICO, FCA, PRA), PCI assessments, media liability, network security liability. The trigger is claim first made or circumstances first notified during the period of insurance.

The two groups have different run-off implications.

The discovery-based first-party trigger

First-party cyber cover responds to events the insured discovers during the policy period. A cyber breach in 2024 that is discovered in 2027 is covered by the 2027 policy (subject to the retroactive date).

Implication for closure. Once the cyber policy ends, no future discovery is covered. A breach that occurred during trading but is discovered after closure has no cyber policy to respond — unless an extended discovery / run-off arrangement is in place.

The Extended Reporting Period (ERP) / run-off. Bound at cessation, the ERP covers events discovered during the ERP period that originated during the original policy term. A standard 6-year ERP gives 6 years of post-cessation discovery cover.

The retroactive date. The ERP’s retroactive date must extend back to cover the period during which the breach could credibly have occurred — i.e. at least the period during which the business was operating cyber-exposed systems. Typically the ERP retroactive date matches the original policy’s retroactive date.

The claims-made-and-notified third-party trigger

Third-party cyber liability is claims-made-and-notified. A data subject claim in 2027 against a business that was breached in 2024 is covered by the 2027 policy if the policy retroactive date covers 2024.

Implication for closure. Without ERP, the policy ends at cessation; no claims first made after cessation are covered.

The ERP for third-party. The same ERP that covers first-party discovery typically covers third-party claims first made during the ERP period (subject to the underlying act being within the retroactive period).

Why cyber run-off matters more than people think

Three factors make cyber run-off more consequential than conventional run-off.

The discovery delay. Breaches frequently take 6–24 months to detect. A business that closed in 2024 may have suffered a breach in 2023 that is discovered in 2025. Without ERP, the historic policy that should have responded has already lapsed.

The ICO investigation timeline. ICO investigations from notification to Notice of Intent typically run 12–24 months. A breach notified to the ICO in 2024 may generate a fine in 2026 — well after a closure that was not contemplated when the breach happened.

The civil claim timeline. Representative actions under UK GDPR Article 82 typically take 18–36 months from breach disclosure to settlement. A closure in 2024 followed by a civil action filed in 2026 needs the ERP to respond.

The combined picture: any business that experienced a cyber incident in the 24 months before closure has substantial run-off need. Any business with sustained UK GDPR exposure during trading has continuing breach-discovery risk for years post-closure.

ERP pricing 2026

Indicative cyber ERP pricing for UK commercial businesses in 2026:

Standard 6-year ERP.
- Clean record, small/mid-market: 1.5x–2.5x last annual premium.
- Standard record with no open notifications, mid-market: 2.0x–3.0x.
- Open notifications or recent claims: 3.0x–5.0x.
- Material data volume or regulated sector: 2.5x–4.0x.

Shorter periods. 3-year ERP typically 0.5x–0.8x of the 6-year price. 1-year ERP typically 0.25x–0.4x.

Longer periods. 10-year ERP typically 1.5x–2.0x of 6-year price. 12+ year ERP increasingly negotiable.

Single premium operations. Paid up-front at binding. Cannot generally be cancelled mid-period.

Which period is right?

The 6-year ERP is standard because:
- Six years matches the principal limitation period for UK GDPR claims under Article 82 (treated as breach of statutory duty, section 9 Limitation Act 1980).
- Six years gives sufficient time for an ICO investigation to conclude.
- Six years matches typical D&O run-off binding for related director-level exposure.

Longer ERP (10+ years) should be considered where there is:
- Material data volume or regulated sector exposure.
- Open notifications or anticipated regulatory action.
- Specific contractual requirements (e.g. customer or vendor contracts requiring continued cyber cover for a defined period post-cessation).

Shorter ERP (1–3 years) may be appropriate for:
- Small low-data businesses with a clean record.
- Businesses where the cessation context allows higher risk acceptance.
- Cost-constrained insolvency contexts (with full awareness of the protection foregone).

The UK GDPR continuing exposure

UK GDPR exposure does not extinguish at company closure. The dissolved company can be pursued for breach of statutory duty for personal data processed during trading. The ICO can investigate post-closure. Data subjects can bring civil claims.

The restoration mechanism. As with other post-closure claims, CA 2006 section 1029 restoration may be needed. The restored company is the formal defendant; the policy responds (if bound and in force).

Director personal exposure. Directors are generally not personally liable for UK GDPR breaches unless they had personal knowledge or were the controlling mind in a way that pierces the corporate veil. The exposure is primarily corporate. D&O run-off may indirectly cover director-level matters.

The 6-year window. Section 9 of the Limitation Act 1980 (statutory duty) gives a 6-year limitation period. The 6-year ERP standard matches this.

Worked example: SaaS business closure

A SaaS business serving UK SMEs, 28 employees, £6m turnover, customer base of 2,400 SMEs with combined data of approximately 1.2m records (employee records of SME customers’ staff). The business is wound up after the founders sell to a strategic acquirer that takes the customers but not the corporate entity (asset deal).

Asset deal structure. The customer contracts novate to the acquirer; the data transfers under the customers’ data processing arrangements; the corporate entity (original SaaS company) is wound up after the asset sale.

Cyber exposure during trading.
- 1.2m records processed.
- Some payment processing.
- Some special category data (employee health for HR functions).

Trading-history cyber posture.
- Mid-tier cyber controls; MFA on admin; EDR; segmented backups.
- One minor incident in 2023 (a phishing event resulting in unauthorised access to one mailbox; contained promptly; ICO notification submitted; no further action).
- Clean since.

At-closure cyber position.
- Existing cyber policy: £5m limit, £25k retention, mid-market form, £18k annual premium.
- The 2023 incident has been notified and closed but could theoretically re-surface (e.g. if a customer of the SaaS business identifies historic exposure of their data).

ERP decision.
- 6-year ERP, £5m limit.
- Quoted at £42k single premium.
- Director-funded (the corporate estate has insufficient liquidity after completion of the acquisition deal).

Asset deal allocation.
- The acquirer takes responsibility for the forward customer relationship; the seller retains responsibility for historic acts/omissions.
- The DPAs novated to the acquirer cover the acquirer’s forward processing.
- The seller’s cyber ERP is the residual cover for historic claims.

Post-closure scenario.
- 2026: ERP bound and in force.
- 2027: an SME customer identifies that a 2022 ESB period of unauthorised access in their account had exposed more data than the 2023 ICO notification captured. The customer brings a claim against the dissolved SaaS company.
- Company restored; ERP responds (subject to retroactive coverage of 2022); defence and any settlement paid.

The acquired-business cyber position

Where the closure is via sale to an acquirer (whether asset or share deal), the cyber position changes.

Share deal. The corporate entity transfers to the buyer along with its cyber policy. The buyer typically replaces the policy at next renewal with their own programme. The historic policy may continue to respond to historic-period incidents on a claims-made basis subject to retroactive coverage.

Asset deal. The corporate entity remains with the seller, and so does the cyber policy. Run-off (ERP) is appropriate.

The acquirer’s cyber DD. Increasingly standard pre-deal. The acquirer assesses the target’s cyber posture, breach history and regulatory exposure. Reps and warranties on cyber are standard. W&I may cover breaches of them.

The reps and warranties insurance interaction. W&I covers breach of warranty; the cyber-specific warranties (controls in place, no undisclosed incidents, regulatory compliance) are within scope subject to the policy.

The supplier-impacted-business case

A particular cyber run-off scenario: a business that was historically a customer of a breached supplier. The supplier breach affected the customer’s data; the customer notified; some claim activity occurred. The customer subsequently closes.

Forward exposure. Other data subjects may bring claims; the ICO investigation may continue; the customer (as historic data controller) remains the legal defendant.

Insurance position. The historic cyber policy was the one that responded to first-party costs. ERP is needed for forward third-party claims.

The supplier’s own cyber. Continues to respond to the supplier’s exposure; not generally available to the closed customer.

Practical buyer takeaway

For any commercial business closing with material data exposure:

Bind cyber ERP at cessation. The cost is modest relative to the protection.

6 years standard. Longer for material exposure or known incidents.

Confirm retroactive date extends to cover the longest credible breach-occurrence window.

Document the breach history and any open ICO matters. The ERP application requires honest disclosure under Insurance Act 2015 section 3.

For asset-deal sellers, ensure the ERP is bound by the seller. The acquirer’s own cyber covers forward acts; the seller’s residual exposure needs separate cover.

Maintain a single point of post-closure contact for cyber claims handling — the broker, a continuing principal, or a professional archive service.

Document the data inventory at cessation. The future ICO defence depends on knowing what was processed and retained.

Consider D&O run-off alongside cyber run-off. Director-level cyber-related exposure (board oversight of cyber, response decisions) is increasingly a D&O matter.

FAQ

Q1. How long after closure can a cyber claim arise? Six years is the working ceiling for UK GDPR Article 82 civil claims. ICO investigations typically conclude within 24 months of notification but can extend further. PCI proceedings can extend several years. A six-year ERP covers the standard case.

Q2. What if I bind only 3 years and a claim arises in year 4? The claim is uncovered. ERP cannot generally be extended once bound. Choose the period carefully at binding.

Q3. Does the ERP cover events that occurred before the original policy retroactive date? No. The retroactive date is the floor; events before that date are not covered by either the original policy or the ERP.

Q4. What if my cyber insurer goes out of business during the ERP? FSCS protection applies to authorised UK insurers. The position with foreign or unauthorised insurers is more complex.

Q5. Can I buy ERP from a different insurer than the original policy? Sometimes. The cleaner position is to bind ERP with the original insurer because they hold the policy archive and the retroactive date is consistent. Cross-insurer ERP exists but is less common.

Q6. Does the ERP cover ransomware? The first-party ransomware head responds to events discovered during the ERP that originated during the original policy. For a discovered-during-trading ransomware that requires post-trading recovery, the original policy responds. For a ransomware payload that detonated during trading but is discovered post-closure, the ERP responds.

Q7. What about ICO fines on dissolved companies? The ICO can pursue dissolved companies subject to restoration. The fine is paid by the company (if restored) and the cyber ERP responds to the extent the fine is insurable as a matter of law.

Q8. Do directors face personal cyber exposure? Direct personal exposure is limited but increasing — particularly around regulatory enforcement and shareholder action where board oversight failures are alleged. D&O run-off addresses this exposure.

Q9. What about cyber crime sub-limits in the ERP? The ERP typically follows the original policy’s structure. Cyber crime sub-limits continue at the same level. Standalone increase at ERP binding is rare.

Q10. Can I extend ERP beyond the original binding? Difficult. Some markets will negotiate but it is unreliable. Bind the right period at the start.

Sources

- UK GDPR Articles 82 and 83.
- Data Protection Act 2018.
- Limitation Act 1980, section 9 (statutory duty).
- Companies Act 2006, section 1029.
- ICO Regulatory Action Policy.
- Lloyd v Google LLC [2021] UKSC 50.
- Stadler v Currys Group Ltd [2022] EWHC 160 (QB).
- Insurance Act 2015.
- FSCS rules.
- Various cyber market wordings (Lloyd’s market and London company market).
