A UK guide for manufacturers, retailers, hospitality groups, IT firms, charities, education providers and the professional services offices that sit behind them — the commercial buyers who hold a property policy, a business interruption policy, a crime policy and a liability policy, and are now being told they need a cyber policy on top.
This is the hub page in a series of nine detailed articles. If you only have ninety seconds, read the answer below. If you have an hour, read the whole guide. If you have a ransomware note on a screen in your warehouse right now, jump to the decision tree, work through the questions, and call your broker before you call the threat actor.
A sibling guide on this site covers the cyber–PI interaction for professional services firms. This guide is its commercial counterpart: where conventional commercial cover ends and where cyber begins for buyers whose core risk is not professional advice.
A modern UK commercial business typically buys a property policy, a business interruption (BI) policy bolted onto property, an employers’ liability policy, a public and products liability policy, a crime/fidelity policy of some sort, and increasingly a standalone cyber policy. Two of the most expensive heads of loss in the commercial economy — operational downtime and stolen money — now flow through cyber events as their dominant cause. And yet the conventional commercial covers were written, decades before cyber existed, to respond to physical perils. The result is a structural gap that catches buyers consistently.
The shortest possible decomposition:
Property responds to physical loss or damage to insured property by an insured peril. The hinge of cover is physical damage. If a server is destroyed by fire or flood, property responds. If a server is encrypted but undamaged, property typically does not.
Business interruption responds to loss of revenue or increase in working cost flowing from a property-damage insured peril. The hinge of cover is the same: damage triggers the BI extension. No damage, no extension.
Crime / fidelity responds to theft of money, securities or property by employees or third parties using identified perils — burglary, robbery, computer fraud, funds transfer fraud, forgery. The hinge of cover is the theft itself. The cyber crime sub-section will respond to fraudulent funds transfers and computer-based theft, but typically with a sub-limit far smaller than the main fidelity limit.
General liability responds to your legal liability to third parties for bodily injury, property damage and (where extended) financial loss. The hinge is third-party harm. Pure data breach claims usually fall outside.
Cyber is a hybrid policy designed to respond to the cyber event itself, both as a first-party event (the harm to you) and a third-party event (your liability to others). It plugs the gap that property/BI/crime/liability collectively leave for incidents whose cause is digital rather than physical.
Where it gets interesting is the very large class of incidents that look physical until you ask one question. A warehouse goes dark for three days. A retailer’s tills stop accepting cards on Black Friday. A factory’s robotic line shuts down. A hotel’s booking platform corrupts and ten thousand reservations vanish. A school’s pupil records are encrypted and exfiltrated. In each case property and BI may look like the natural home. In each case the cause is digital, the damage is not physical, and the cyber policy is the one that responds — if you bought one, with the right limit, and the right extensions.
This guide shows you exactly where the boundary sits, where the five most common overlaps are, where the five most common gaps are, and what a commercial buyer should do at renewal to make sure the programme actually responds when it matters.
Insurance and legal commentary, not advice on your specific cover. Cyber, property, BI, crime and liability wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
A typical UK mid-market commercial insurance programme will contain the following heads, separately or in a packaged combined policy.
Property damage. Cover for physical loss of or damage to insured property — buildings, contents, stock, machinery, computers as hardware — by an insured peril. Insured perils vary but typically include fire, lightning, explosion, aircraft, storm, flood, escape of water, theft, malicious damage, impact, riot, and on better wordings “all risks” subject to named exclusions. The trigger is physical loss or damage. A server destroyed by sprinkler water is covered. A server’s data destroyed by ransomware encryption typically is not, because there is no physical damage to the property — the property is unchanged; the data on it is not “property” in the traditional sense.
The position has been litigated. In Insurance Australia Ltd v HIH Casualty and General Insurance Ltd (and various UK first-instance authorities) the principle that data without physical embodiment is not “property” for property-insurance purposes has been broadly accepted. Some modern property wordings now include a specific data-restoration sub-limit; many do not.
Business interruption. Cover for loss of revenue (or gross profit) and increased cost of working flowing from a property-damage insured peril during the indemnity period. The trigger is the same as property — physical damage must have occurred. The BI extensions of denial of access, loss of attraction, suppliers’ premises and customers’ premises extend the geographic and contractual reach but still require an underlying damage trigger.
The UK Supreme Court’s decision in FCA v Arch Insurance (UK) Ltd [2021] UKSC 1 confirmed that BI cover for non-damage triggers (in that case, a disease BI extension) is to be construed by reference to the policy’s natural meaning and intended commercial purpose, not by reference to artificial restrictions on causation. That said, the decision did not abolish the underlying requirement that BI extensions need their trigger to be met. A cyber event is not a property-damage trigger, and a non-damage BI extension that does not contemplate cyber will not respond to a cyber event.
Crime / fidelity. Cover for theft of money, securities, stock or property by perils including employee dishonesty, computer fraud, funds transfer fraud, social engineering, forgery, counterfeit, and external burglary. Sub-limits are the dominant control: a £2m crime policy will frequently sub-limit funds transfer fraud at £100k–£500k. The drafting distinction between computer fraud (where a criminal causes a transfer by manipulating the insured’s computer system) and funds transfer fraud (where the insured is induced to make the transfer by fraudulent instruction) is the boundary that catches most claims.
Public and products liability. Cover for legal liability to third parties for bodily injury, property damage, and (where extended) financial loss. The trigger is third-party harm caused by the insured’s negligent act, error or omission. The standard market wording on most commercial liability policies excludes pure financial loss (so a customer whose order is delayed and who claims lost profit has no liability cover unless extended) and excludes cyber events in increasingly explicit terms (the LMA5400 series of cyber exclusions, or analogous wordings, are now found on most commercial liability policies).
Employers’ liability. Statutory cover for employee injury claims. Largely outside the cyber question, but increasingly relevant where a workplace incident involves an employee deceived into making a fraudulent transfer and seeking employment-law remedy.
Directors’ and officers’. Cover for directorial exposure including failure to implement appropriate governance — relevant where cyber governance failures are alleged in a shareholder action or regulatory enforcement context. Treated in a separate guide on this site.
Cyber insurance is the hybrid policy that fills the gap conventional cover leaves around digital events. Part of it is first-party (it pays you for your own losses) and part of it is third-party (it pays others when you’re liable to them).
The classic cyber policy responds to:
First-party heads. Incident response and forensics, legal advice on notification, breach notification costs, credit monitoring, public relations and reputation management, ransomware (the ransom itself where lawful plus the negotiation and crypto handling), business interruption flowing from the cyber event (your lost gross profit during the period of restoration plus extra expense), digital asset restoration including data reconstruction, and in many policies cyber crime cover (often sub-limited) for funds transfer fraud, social engineering and invoice manipulation.
Third-party heads. Liability to data subjects whose personal data you held and lost, defence and indemnity for regulatory investigations (ICO, FCA, PRA, sector regulators), civil-side fines and penalties where insurable as a matter of law, PCI fines and assessments for card data breaches, media liability for content you published, network security liability where you have been the conduit through which a third party was attacked, and increasingly a contingent business interruption or failure to deliver head that responds where the cyber event has caused your failure to perform an obligation to a customer.
Cyber is generally written on a claims-made basis for the liability heads but the first-party heads operate on an events-discovered basis — the policy in force when you discover the incident pays.
What is important is that cyber insurance is event-driven. It needs a cyber event to trigger it. If a manufacturer’s losses arise from a fire that incidentally took out the IT room but had no digital cause, the cyber policy is not your home. Conversely, if a retailer’s losses arise from a ransomware attack that left the property unscathed, the property policy is not your home — even though the disruption looks the same.
These are the five recurring commercial scenarios where the same incident sits inside both a conventional commercial policy and the cyber policy. Each is covered in much more depth in the linked spoke article.
A manufacturer is hit by ransomware on a Sunday night. Monday morning, the production line cannot start because the MES (manufacturing execution system) cannot connect to the encrypted ERP. Output is lost. The property policy looks at it: no physical damage to insured property. Property does not respond. The BI policy is a property BI — same answer. The cyber policy responds to the incident response, the ransom (subject to sanctions), the data restoration, and the BI of lost gross profit for the manufacturer.
But a smart broker will have negotiated a non-damage business interruption extension to the property policy that includes cyber events. Where that extension exists, both policies are engaged. The question becomes which is primary, which excess, and who coordinates.
→ See Spoke 1: Ransomware claim handling — cyber vs property vs BI
A retailer’s finance director receives an email apparently from the CEO requesting an urgent transfer of £380,000 to a “new supplier” for a confidential acquisition. The transfer goes. The supplier does not exist; the email was spoofed.
Is this a crime claim? Yes — the crime policy’s social engineering or funds transfer fraud sub-section responds. Is it a cyber claim? Often yes — the cyber policy’s cyber crime head will respond in parallel. The two will not necessarily co-ordinate. Each has its own sub-limit. The crime policy may carry a £250k social engineering sub-limit; the cyber policy a £100k. The retailer may end up with £250k of indemnity for £380k of loss, depending on the other insurance clauses.
Worse: if the email account from which the spoof appeared to come was an actual employee’s compromised account, both policies engage but on different theories. The crime policy’s computer fraud sub-section requires the criminal to have manipulated the insured’s computer; the cyber policy’s funds transfer fraud head requires the insured to have been deceived into authorising the transfer. The factual analysis decides which sub-limit applies.
→ See Spoke 2: Wire-fraud and social-engineering — where crime cover stops
A retailer’s e-commerce database is compromised; 240,000 customer records including card primary account numbers and CVV (where stored in breach of PCI DSS) are exfiltrated. The ICO opens a regulatory investigation. A representative-action firm signals an intent to bring a claim on behalf of affected customers under Article 82 of UK GDPR.
Three streams of loss: ICO defence costs and any fine; PCI fines and assessments from the card schemes; civil claims by data subjects. The cyber policy responds to all three to the extent each is insurable. The conventional liability policy almost certainly does not — the modern commercial general liability wording excludes data breach liability explicitly. The boundary between civil-insurable and criminal-uninsurable for fines turns on the legal characterisation of the penalty; for ICO monetary penalty notices, the position is currently unsettled and most cyber policies indemnify to the extent insurable as a matter of law.
→ See Spoke 3: GDPR fines vs civil claims — what’s insurable
A retailer’s payment processor is compromised. The processor’s breach exposes the retailer’s customer card data. The retailer’s cyber policy responds to the retailer’s first-party costs (incident response, notification, PR). The retailer has contractual recourse against the processor — but the processor’s PI / cyber may be limited. Multiple downstream victims of a single vendor breach (the MOVEit, Kaseya, SolarWinds pattern) each have their own cyber policy responding to their own loss, but the aggregate cost of the vendor breach is spread across a long chain.
The retailer’s cyber policy may also have a contingent business interruption or system failure head that responds where the loss is caused by the failure of a critical IT service provider, even where the insured’s own systems were not compromised. This head is increasingly important and increasingly fought over.
→ See Spoke 4: Supply chain cyber — where multiple policies interact
A manufacturer’s industrial control systems are attacked. A safety interlock on a pressing line is disabled by the attack. A press operates outside its safety envelope and the machine itself is damaged. A worker is injured.
Property responds to the physical damage to the press. Employers’ liability responds to the worker’s injury claim. The cyber policy responds to the incident response, the digital element of the loss, and (in better wordings) the bodily injury and physical damage where caused by a cyber event. The boundary between cyber-physical loss and pure cyber loss is where modern manufacturing cyber claims live. Many cyber policies historically excluded bodily injury and property damage; the better modern wordings carve back coverage for cyber-physical events.
→ See Spoke 5: Cyber for manufacturers — IIoT, OT, IT/OT convergence
These are the losses that no insurance product reliably covers. Commercial buyers consistently underestimate how big each one can be.
ICO fines under UK GDPR can reach the higher of £17.5m or 4% of global annual turnover. The general English-law principle is that criminal fines and penalties cannot be insured because indemnity would defeat deterrence (Askey v Golden Wine Co Ltd [1948] 2 All ER 35; Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472). Civil-side regulatory fines are sometimes insurable depending on regime and wording.
Cyber policies typically pay defence costs in respect of an ICO investigation; many indemnify civil-side fines and penalties to the extent insurable as a matter of law; very few pretend to cover a criminal penalty. Most commercial liability and property policies do not engage at all with regulatory fines.
After a public breach a commercial business typically loses customers. For a retailer or hospitality operator the brand-loyalty hit is measurable in lost basket spend and lost bookings for months. For a B2B manufacturer it shows up as renegotiated contracts and lost preferred-supplier status with key customers.
Cyber policies offer PR and crisis communications cover, sometimes with sub-limits of £100k–£500k. This pays for the agency drafting the press release and managing media handling, not for the revenue lost over the following three years. BI cover responds during the period of restoration of affected systems, not during the long tail of customer churn. No conventional commercial cover responds to reputational loss as a head of loss.
For most commercial businesses with a public-facing brand, the long-tail reputational loss after a public breach is uninsured.
Cyber BI cover responds to your loss of gross profit during the period systems are down — but the period of indemnity is usually shorter than the property BI (often 90 to 180 days), the waiting period is usually 8 to 24 hours, and the calculation of “but-for the cyber event you would have earned X” is brutally argued. Where the cyber event also affects suppliers or customers, the contingent extensions may or may not apply.
The gap most commercial businesses don’t see: their property BI policy was written for a 12-month or 24-month period of indemnity, their cyber BI for 90 days. A major cyber-induced disruption that takes 9 months to fully resolve has 3 months covered and 6 months uncovered.
When a cyber event causes physical damage — a pump destroyed, a press damaged, a piece of infrastructure burnt out — the property policy historically responded under the “all risks” formulation. The market trend post-NotPetya is the cyber exclusion in property policies (the LMA5400 series and analogous clauses) which excludes loss caused by a cyber event. Where this exclusion bites and the cyber policy does not include bodily injury and property damage cover, the loss is uninsured.
The carve-back in better property wordings is for cyber events that are not connected to state-sponsored hostile activity — but the line between criminal ransomware and state activity is increasingly blurred, and the cyber exclusion’s exception for non-state cyber events is where the litigation is.
The frontier exposure. A cyber attack on a hospital trust delays surgery and a patient dies. A cyber attack on critical infrastructure causes a road accident. A cyber attack on connected medical devices causes patient harm. The legal causation question is novel; the insurance question is novel; the cyber policy may exclude bodily injury entirely; the employers’ liability and public liability policies may exclude cyber. There is no settled market answer.
For commercial buyers operating safety-critical OT (manufacturers, transport, healthcare, utilities), the cyber-induced bodily injury question is the most consequential and least settled coverage question in modern programmes.
When an incident lands on your desk and you need to decide which broker to call first, work through this tree.
Step 1: Was there physical loss or damage to property? If yes → property is potentially engaged. Continue to Step 2. If no → property is probably not engaged. Skip to Step 3.
Step 2: Was the physical damage caused by a cyber event? If yes → property may decline under cyber exclusion; cyber must respond to the property damage element if so written. Both notified. If no → conventional property/BI claim.
Step 3: Was there unauthorised access, data theft, denial of service, ransomware, or social engineering? If yes → cyber policy is engaged. Continue to Step 4. If no → cyber policy probably not engaged. Skip to Step 5.
Step 4: Was money or property stolen by the cyber event? If yes → cyber crime head plus standalone crime policy both potentially engaged. Both notified. If no → cyber only.
Step 5: Is a third party claiming financial loss caused by your operations? If yes → general liability potentially engaged; check cyber exclusion in liability. If no → general liability not engaged.
Step 6 (always): Is the firm subject to a regulatory obligation to notify the ICO, FCA, sector regulator? This is independent of the insurance question. The 72-hour ICO obligation runs from awareness of a personal data breach. Sector-specific notification obligations (PCI DSS, FSA where applicable, education sector, healthcare) run on their own clocks. Do not let the insurance question delay the regulatory question.
┌────────────────────────────────┐
│        Incident occurs         │
└───────────────┬────────────────┘
                │
┌───────────────▼────────────────┐
│  Physical damage to property?  │
└─────┬────────────────────┬─────┘
      │ YES                │ NO
      ▼                    │
┌───────────────────┐      │
│ Caused by cyber?  │      │
└─────┬───────┬─────┘      │
      │ YES   │ NO         │
      ▼       ▼            │
┌──────────┐ ┌──────────┐  │
│ PROPERTY │ │ PROPERTY │  │
│ may      │ │ + BI     │  │
│ decline; │ │ engaged  │  │
│ CYBER    │ └──────────┘  │
│ physical │               │
│ damage   │               │
│ head     │               │
└──────────┘               ▼
              ┌────────────▼───────────┐
              │  Cyber event present?  │
              │  (UAR / data theft /   │
              │   ransomware / SE)     │
              └─────┬────────────┬─────┘
                    │ YES        │ NO
                    ▼            ▼
          ┌────────────────┐  ┌─────────────────┐
          │ Money stolen?  │  │ Third-party     │
          └───┬────────┬───┘  │ financial loss? │
              │ YES    │ NO   └───┬──────────┬──┘
              ▼        ▼          │ YES      │ NO
       ┌────────────┐ ┌───────┐   ▼          ▼
       │ CRIME +    │ │ CYBER │ ┌─────────┐ ┌──────────┐
       │ CYBER both │ │ only  │ │ GL      │ │ GL not   │
       └────────────┘ └───────┘ │ engaged │ │ engaged  │
                                └─────────┘ └──────────┘
The tree intentionally over-simplifies in one place: in practice the regulatory notification clock runs in parallel to the insurance clock and is independent of which policy answers.
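The six steps above encoded as a triage function, so an incident-response playbook can record at the moment of triage which policies the tree engages and which regulatory clocks are running. This is an added example and is not code from the guide or from Apex; the Incident field names, the policy labels, and the rule that precautionary notifications go to every other policy whenever a cyber element is present (the guide's "notify everything" remedy) are assumptions made here for illustration.

```python
"""Which insurers to notify: the six-step triage tree as a function.

Added example, not part of the original guide. The Incident field names,
the policy labels and the precautionary-notification rule are assumptions
made here for illustration, not market-standard terms.
"""
from dataclasses import dataclass

# Policies in a typical commercial programme, as labelled in this example.
ALL_POLICIES = ("property", "bi", "crime", "cyber", "general_liability")


@dataclass(frozen=True)
class Incident:
    physical_damage: bool                      # Step 1
    damage_caused_by_cyber: bool = False       # Step 2
    cyber_event: bool = False                  # Step 3: UAR, data theft, DoS, ransomware, SE
    money_or_property_stolen: bool = False     # Step 4
    third_party_financial_loss: bool = False   # Step 5
    personal_data_breach: bool = False         # Step 6: starts the ICO 72-hour clock
    sector_regulators: tuple = ()              # Step 6: e.g. ("FCA", "PCI DSS")


def triage(inc: Incident) -> dict:
    """Return the policies the tree engages, the ones to notify anyway,
    and the regulatory clocks that run independently of insurance."""
    engaged = set()
    notes = []

    if inc.physical_damage:                      # Step 1: yes -> Step 2
        if inc.damage_caused_by_cyber:
            engaged |= {"property", "cyber"}
            notes.append("Step 2: property may decline under its cyber exclusion; "
                         "cyber must respond to the damage element if so written")
        else:
            engaged |= {"property", "bi"}
            notes.append("Step 2: conventional property/BI claim")
    elif inc.cyber_event:                        # Step 1: no -> Step 3
        engaged.add("cyber")
        if inc.money_or_property_stolen:         # Step 4
            engaged.add("crime")
            notes.append("Step 4: cyber crime head and standalone crime policy both notified")
        else:
            notes.append("Step 4: cyber only")
    elif inc.third_party_financial_loss:         # Step 3: no -> Step 5
        engaged.add("general_liability")
        notes.append("Step 5: general liability potentially engaged; check its cyber exclusion")
    else:
        notes.append("Step 5: general liability not engaged")

    # The guide's remedy for the notification trap: an incident with a cyber
    # element is a potential circumstance under every other policy as well.
    precautionary = []
    if inc.cyber_event or inc.damage_caused_by_cyber:
        precautionary = [p for p in ALL_POLICIES if p not in engaged]

    # Step 6 (always): regulatory clocks run in parallel to the insurance question.
    regulatory = []
    if inc.personal_data_breach:
        regulatory.append("ICO: 72 hours from awareness of the personal data breach")
    regulatory += [f"{r}: own notification clock" for r in inc.sector_regulators]

    return {"engaged": sorted(engaged), "precautionary": precautionary,
            "regulatory": regulatory, "notes": notes}


if __name__ == "__main__":
    # Constructed scenarios mirroring the guide's overlap examples.
    scenarios = {
        "ransomware, no damage": Incident(physical_damage=False, cyber_event=True,
                                          personal_data_breach=True),
        "CEO-fraud transfer": Incident(physical_damage=False, cyber_event=True,
                                       money_or_property_stolen=True),
        "press damaged by OT attack": Incident(physical_damage=True,
                                               damage_caused_by_cyber=True),
        "fire in the IT room": Incident(physical_damage=True),
    }
    for name, inc in scenarios.items():
        print(name, "->", triage(inc))
```

The function follows the tree literally: the physical-damage branch terminates after Step 2, as the diagram does, and the regulatory list is built regardless of which policies are engaged, so the ICO clock is never hidden behind the insurance answer.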
This is the trap that catches commercial buyers most often.
Cyber policies typically require notification as soon as practicable on becoming aware of a cyber event, and many have hard 72-hour notification windows that mirror the GDPR breach notification deadline. Some impose conditions precedent.
Property and BI policies typically require notification as soon as practicable and often have specific timelines (some as short as 24 hours for theft, longer for other perils). The property policy may not appear obviously engaged at first — the absence of physical damage is the default reading. A precautionary notification under property is good practice for any incident that might turn out to involve damage.
Crime policies are usually claims-made and typically have a relatively short notification window after discovery of the loss. Late notification can be a condition precedent.
General liability is usually written on a claims-made basis (occurrence basis on older wordings) and requires notification of circumstances likely to give rise to a claim. The Insurance Act 2015 has limited the previously harsh consequences of late notification but has not eliminated them.
The risk: a commercial business focuses on the urgent cyber notification (regulator, cyber insurer) and forgets to notify the circumstances under property, BI, crime or liability. Six months later when a customer claim, a supplier claim, or an employee-induced loss is identified, the relevant insurer says: you knew about this incident six months ago, this is a notification under the policy in force then, and we are not on risk because you have failed your duty.
The remedy is straightforward: treat every cyber incident as a potential property circumstance, a potential BI circumstance, a potential crime circumstance, and a potential liability circumstance. Notify everything. The cost of a precautionary notification is essentially zero; the cost of a missed one can be the entire claim.
→ See Spoke 1: Ransomware claim handling
Once you have notified, the next question is how losses aggregate.
Each policy has its own aggregation mechanism. Cyber policies typically aggregate by reference to one security event, one related series of events, or sometimes by system affected. Property aggregates by event. BI aggregates by reference to the underlying property damage. Crime aggregates by single act, series of related acts, or aggregate per period of insurance. Liability aggregates by occurrence, by cause, or by event depending on wording.
The result: a single underlying incident might be treated as one cyber claim, multiple BI claims (if several locations affected), multiple crime claims (if multiple fraudulent transfers), and multiple liability claims (if multiple customers affected). Limits and excesses behave differently across the programme.
Aggregation is governed at common law by the Lloyds TSB v Lloyds Bank [2003] UKHL 48 line of authority and the Supreme Court’s decision in AIG Europe v Woodman [2017] UKSC 18 which held that “claims arising from one series of related acts or omissions” requires a real-world unifying factor. The aggregation hub on this site walks through worked examples; the same principles apply across the multi-policy commercial programme.
A short checklist for commercial businesses approaching the next renewal cycle:
Read the cyber exclusion in your property, BI and liability policies. The market has moved decisively toward explicit cyber exclusions in property and liability wordings since 2020. Where the exclusion is present, the cyber policy must respond to the head that property/liability used to cover, or you are uninsured.
Negotiate a non-damage business interruption extension to your property policy that contemplates cyber events as a trigger. Where the property BI period of indemnity is longer than the cyber BI period, this extension means cyber-triggered losses can run on the longer property BI clock for the period beyond the cyber policy’s 90 or 180 days.
Check the contingent business interruption and system failure heads of your cyber policy. The market norm is that BI responds where the insured’s systems are affected. Better wordings extend to losses caused by failure of a critical IT service provider (cloud, managed service, payment processor) even where the insured’s own systems are uncompromised.
Check social engineering and funds transfer fraud sub-limits across cyber and crime. The two policies frequently have different sub-limits for what is effectively the same loss. Standardise where possible. Market norm for cyber crime is £100k–£500k; for crime FTF £250k–£2m. Negotiate up if your finance function processes significant payments.
Match retroactive dates across cyber and any PI cover. A cyber breach discovered today may have started a year ago; the cyber policy needs to respond to events occurring before the current policy inception.
Ask for an explicit no-overlap, no-gap statement from your broker. If your broker is placing the whole programme, ask them to write to you confirming where overlap exists between policies, where gaps exist, and which policy is intended to respond as primary for each of the five overlap scenarios above.
Get a breach response retainer in place. The cyber policy’s incident response panel usually includes the law firm, the forensic firm, the PR firm, the negotiator and the crypto facility. Identify them now. Have the phone numbers in a printed playbook (because if your systems are down you cannot read a PDF on a hard drive you cannot access).
Test backups quarterly. The single most preventable factor in ransomware incidents is backup failure. Test restores, not just backup completion. Cyber underwriters now require evidence of tested offsite immutable backups; property and BI underwriters increasingly do too.
Document cyber controls. Cyber insurers will not write cover without evidence of MFA, EDR, regular patching, encrypted backups, password discipline, segmented networks (especially OT segmentation for manufacturers) and (for many) phishing simulation training. The cyber underwriter’s standard questionnaire is now thirty to fifty questions deep. Treat it as a free risk audit.
Map your data inventory. Know what personal data you hold, where, in what volume, with what retention. The ICO investigation defence is dramatically faster (and cheaper) when this information exists at the moment of breach rather than being built under pressure.
Q1. If I have cyber, property, BI and crime policies and an incident triggers several, who pays first? There is no single market answer. The other insurance clauses in each policy determine the order — many policies are excess-of-other-insurance, some are contribution-based. Where the cyber policy is primary for the digital event and other policies are excess, the cyber excess applies once and other policies engage on top. Where two policies cover the same loss with different sub-limits, the higher sub-limit usually leads. Brokers can pre-negotiate co-ordination at placement.
Q2. Do I need cyber insurance if my conventional commercial cover is broad? Yes. The 2020-onward market trend has been explicit cyber exclusions on property, BI and liability wordings. Even the broadest “all risks” property policies now exclude cyber events. Without a standalone cyber policy, ransomware, data breaches, social engineering above sub-limits, regulatory investigations, and cyber-induced BI are uninsured.
Q3. What’s the typical cyber policy limit for a mid-market UK commercial business? Limits range from £1m–£25m depending on turnover, data volume, industry and risk appetite. The 2025–2026 market has hardened; most mid-market UK commercial buyers (£10m–£100m turnover) buy £2m–£10m cyber limits, often with sub-limited extensions for cyber crime, contingent BI and regulatory defence.
Q4. Does my cyber policy cover the ransom itself? Most cyber policies will pay the ransom subject to two conditions: it is lawful under applicable sanctions (OFSI, OFAC); and the policy has not been exhausted by wider incident response. Payment is preceded by the insurer’s panel performing sanctions and threat-actor analysis. UK law does not categorically prohibit ransom payment but the legal environment is hardening; OFSI has consulted on stronger restrictions.
Q5. If I’m a regulated business (FCA-authorised, healthcare, education), do regulatory fines come from cyber? Defence costs typically yes. Civil-side fines and penalties: cyber will indemnify to the extent insurable as a matter of law. Criminal fines: no. ICO monetary penalty notices are administrative penalties; insurability is unsettled. Most cyber policies use the “to the extent insurable” formulation as a hedge.
Q6. What does “claims-made-and-notified” mean for cyber breaches discovered years later? Cyber liability heads are claims-made-and-notified — the policy in force when the claim is made or circumstances notified responds, not the policy in force when the underlying breach occurred. The retroactive date is critical: a cyber breach discovered today but originating 18 months ago is covered only if the current cyber policy’s retroactive date extends back far enough.
Q7. Does cyber cover apply when I’m the conduit through which my customer gets attacked? Often yes, under the network security liability head. If your business was the entry point for an attack that propagated to a customer’s systems, the third-party liability head of your cyber policy is the home for the customer’s claim. The general liability policy will typically exclude this under the cyber exclusion.
Q8. What’s the typical cyber policy notification window? The standard market is “as soon as reasonably practicable, in any event within X days” where X varies between 30 and 90. Many cyber policies have a hard 72-hour reporting requirement for personal data breaches to align with UK GDPR Article 33. Late notification can be a condition precedent under pre-2015 wordings; under post-2015 wordings the Insurance Act 2015 sections 10 and 11 have limited the effect of late notification to material prejudice, but the protection is not absolute. Always read the wording.
Q9. Can the same event affect two cyber policy years? Yes, if the cyber event and the discovery straddle a renewal. The aggregation language and the “first discovered” trigger typically pull the loss into the policy in force on discovery. The Insurance Act 2015 reform of late-notification protection helps where the practical handling has overlapped policy years.
Q10. If my SaaS or cloud vendor is breached, who pays my loss? Your cyber policy will typically respond to your first-party loss (BI, incident response, data restoration where the data is yours). Your vendor’s PI or cyber may respond to their customers’ losses including yours, but only to the limit they purchased. Contractual remedies against the vendor may not be financially recoverable if the vendor is small or has limited-liability clauses. The contingent BI and system failure heads in better cyber wordings are the natural home.
Q11. Are deepfake / AI-impersonation fraud incidents covered? The market is evolving. Some cyber policies have introduced explicit cover for deepfake-impersonation fraud against the insured; many have not. The funds transfer fraud head may respond to a deepfake-induced wire fraud where the wording covers fraudulent instructions in good faith. A 2024 Hong Kong case (the Arup deepfake video conference fraud) brought the issue into mainstream commercial focus. Ask explicitly at renewal.
Q12. Does my D&O policy come into this? Yes in some scenarios. A D&O policy responds to directorial exposure — actions of the board, including failure to implement appropriate cyber governance. Shareholder actions and regulatory enforcement against directors after public breaches have been increasing. The interaction is generally a separate question from the cyber/commercial interaction discussed here, but for larger businesses the multi-policy interaction is now standard. The D&O run-off deep-dive on this site covers the post-closure version of the same exposure.
Q13. What about Lloyd’s Market Association exclusions like LMA5400, LMA5402, LMA5403? These are the cyber exclusion clauses now standard across many commercial wordings. LMA5400 is the broad cyber exclusion; the LMA5401–5403 series provide variants with different carve-backs. The LMA5400 series for property/liability is functionally equivalent to (and predates) the equivalent exclusions in PI. Understanding which clause is on each of your policies, and what the carve-back says, is the central technical task of any modern commercial programme review.
Q14. Are biometric data and AI exposures covered? UK exposure is currently more limited than the US (no UK equivalent of the Illinois BIPA damages-per-violation structure). But the trajectory is clear. The EU AI Act is in force for any business serving EU customers. The UK’s pro-innovation approach is being developed. PI policies have not been written with this exposure in mind; cyber policies are evolving. Specific extensions should be negotiated.
Q15. Where do I read more?
Each of the eight spoke articles linked from this hub takes one scenario in depth. The cross-link map at 00-cross-link-map.md shows the entire structure. The sibling PI cyber overlap hub addresses the same question for professional services firms.
The spokes drill into specific scenarios with worked numerical examples, the regulatory framework, the case law where relevant, and a practical buyer takeaway.
The PI/cyber overlap hub: the professional-services counterpart to this guide.
The aggregation hub: how series clauses and originating-cause clauses operate across a programme.
The Insurance Act 2015 case-law walkthrough: fair presentation, proportionate remedies, condition-precedent reform.
The Building Safety Act 2022 hub: the parallel hard-floor regulatory environment for property exposure.
The commercial run-off deep-dives: the parallel cessation-of-trading guide for commercial buyers.
UK GDPR and Data Protection Act 2018, especially Articles 33 and 82 of the UK GDPR and Schedule 1 of the DPA 2018.
Lloyd v Google LLC [2021] UKSC 50 (representative actions; damages for loss of control).
Vidal-Hall and others v Google Inc [2015] EWCA Civ 311 (misuse of private information; distress damages).
Stadler v Currys Group Ltd [2022] EWHC 160 (QB) (limitations on data subject claims).
FCA v Arch Insurance (UK) Ltd [2021] UKSC 1 (business interruption construction).
AIG Europe Ltd v Woodman [2017] UKSC 18 (aggregation; series clauses).
Lloyds TSB General Insurance Holdings Ltd v Lloyds Bank Group Insurance Co Ltd [2003] UKHL 48 (aggregation; unifying factor).
Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472 (uninsurability of penalties).
Insurance Act 2015, sections 3 (fair presentation), 10 and 11 (terms not relevant to the actual loss), and the ICOBS rules.
FCA SYSC 4.1 (organisational requirements) and SUP 15.3 (notification obligations).
PRA “Operational resilience: Impact tolerances for important business services” (March 2021).
ICO enforcement decisions and guidance on personal data breach notification.
PCI DSS v4.0 (Payment Card Industry Data Security Standard).
NCSC ransomware response guidance and the NIS Regulations 2018 (where applicable).
Lloyd’s Market Association cyber-related exclusion clauses, including the LMA5400 series.
Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber, property, BI, crime and liability wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.