Cyber insurance UK — the 2026 guide for professional firms and small businesses

Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026

Cyber insurance has moved from a nice-to-have to a working assumption for most UK firms that hold client data, take card payments or rely on email to run. This guide sets out what a cyber policy is actually for, how it fits alongside professional indemnity, where the notification clocks sit under UK GDPR, and what a specialist broker looks at when placing your cover. It is written for professional firms and small businesses that want to understand the product before they see a quote.

What cyber insurance is — and what it is not

Cyber insurance is a specialist commercial line that responds to losses arising from an attack on, or failure of, your information systems and the data those systems hold. The product name is unhelpful because it suggests a single peril; in practice a modern cyber policy is a bundle of first-party covers (losses you suffer directly) and third-party liability covers (claims that others bring against you) written on a single wording. It is not a substitute for professional indemnity, employers' liability or commercial property insurance, and it is not a warranty that a breach will not happen. It is a contract that funds the response.

Why every UK business now has to take this seriously

The regulatory floor has risen sharply since 2018. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 impose obligations on any organisation that processes personal data — which is almost all of them. The Financial Conduct Authority's Consumer Duty (PRIN 2A) requires regulated firms to avoid causing foreseeable harm to retail customers, and a poorly handled data breach is a textbook foreseeable harm. Operators of essential services and relevant digital service providers sit inside the Network and Information Systems Regulations 2018 (NIS Regulations). For everyone else, the Privacy and Electronic Communications Regulations (PECR) govern marketing communications and cookies, and the Information Commissioner's Office (ICO) enforces the lot.

None of that goes away because a firm is small. A sole practitioner accountant handling client tax records is a data controller. A three-partner solicitor's firm running a client account is a data controller. A one-person IT consultancy with production credentials for a client's systems is both a data processor and, in effect, a soft target for supply-chain attackers.

What a cyber insurance policy typically covers

Wordings vary by insurer, so what follows is a description of the categories you tend to see rather than a promise about any specific policy. A specialist broker will read the wording against your submission and tell you where it is strong and where it is thin.

First-party covers — losses you suffer directly.

Third-party covers — claims and regulatory action against you.

What is typically excluded

The exclusions are where most disputes happen at claim time. Expect to see, in some form:

The UK GDPR notification clock

Article 33 of the UK GDPR requires a data controller to notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 34 requires notification to affected data subjects without undue delay where the breach is likely to result in a high risk. The Data Protection Act 2018 sits behind the UK GDPR, dealing with law enforcement processing and specific derogations.

The 72 hours starts running when the controller becomes aware. That is a factual test, not a diary entry. The moment the incident response team confirms a plausible personal data breach is the moment the clock starts, whether or not the full scope is known. A defensible notification usually includes what you know, what you do not yet know and what you are doing to find out. The ICO does not expect a finished report on day one.

PECR governs electronic marketing and cookies and carries its own enforcement regime. NIS Regulations 2018 impose separate incident notification duties on operators of essential services and relevant digital service providers, with a shorter clock in some cases. Regulated firms will also owe reports up the chain to their sectoral regulator — SUP 15.3.1R for FCA-authorised firms is the obvious one, and the SRA, ICAEW, RICS and ARB each have their own notification expectations.

Cyber versus professional indemnity — the overlap that trips firms up

The two products meet on the same event but respond for different reasons. Consider a solicitor's firm where a threat actor compromises the conveyancing team's email and diverts completion funds from a buyer. The buyer sues the firm for negligence in failing to protect its funds. That claim is a PI claim — the firm has been sued for a failure of professional service, and the SRA-mandated PI wording responds. The forensic investigation, the ICO notification, the letters to affected data subjects and the ransom demand for the encrypted files sit on the cyber policy.

The failure mode most often seen at claim time is a gap between the two: an event that neither wording clearly picks up because the PI insurer says it is a cyber loss and the cyber insurer says it is a professional negligence claim. A specialist broker aligns the two wordings so there is no daylight between them, checks for overlapping exclusions (particularly around cyber losses being carved out of PI covers, which some insurers have introduced quietly), and makes sure the same event triggers claims cooperation between the two insurers.

How underwriting a cyber risk actually works

Cyber underwriting is a controls-driven exercise. Insurers price on evidence of a small number of practical safeguards more than on the size of the firm. Expect to be asked about multi-factor authentication on remote access and privileged accounts, endpoint detection and response (EDR) rather than legacy antivirus, offline or immutable backups tested at least annually, patch cadence, staff phishing training, and the incident response plan. Firms that answer no to the basic questions will find themselves outside the mainstream market or facing coverage restrictions on ransomware and funds transfer fraud.

The proposal form is a fair presentation document under the Insurance Act 2015 for commercial buyers. A material misdescription of controls at inception is the fastest way to lose a claim, so the operational discipline is to answer what is true today, not what will be true after next quarter's IT project.

Worked examples — the non-numeric version

Ransomware at a small architects' practice. A CAD design lead opens an attachment that looks like a supplier invoice. Overnight the studio server and connected workstations are encrypted; the backup drive left plugged in is encrypted too. The cyber policy funds the incident response call, forensic imaging, restoration from an offline backup taken to a bank vault the month before, business interruption while staff work on paper, and legal advice on whether any personal data was exfiltrated. The ICO is notified on day two because personal data of clients was on the affected shares. No ransom is paid.

Business email compromise at an IFA. A paraplanner's mailbox is silently compromised through a phished credential. The threat actor watches for two weeks, then sends a spoofed instruction to a client to redirect a pension income payment to a new account. The client's provider processes the change. The client suffers a loss. The cyber policy funds forensic email review and legal advice on notification; the firm's PI insurer takes the claim from the client and the two insurers coordinate. Both wordings need to speak to the same event or the firm sits in the middle.

Insider misconfiguration at an IT consultancy. A junior engineer leaves a client's cloud storage bucket publicly readable during a migration. A researcher finds the bucket and reports it. No exploitation is proven. The consultancy's own data is not affected — the exposed data belongs to the client. The claim sits on the third-party liability side of the cyber policy and on the technology PI wording, with defence costs shared. The client asks for a full forensic report and a credit against future fees. Notification to the ICO is by the client as controller; the consultancy notifies as processor without undue delay.

Third-party breach through a supplier. A managed IT provider used by a small surveyors' firm is breached. The threat actor pivots into client tenants including the surveyors' Microsoft 365. Some client valuations are exfiltrated. The surveyors' firm is the controller of the data lost; it makes the ICO notification, informs affected clients and defends the professional negligence claims. The cyber policy funds the response; a subrogation claim against the IT provider follows, which is why the supplier contract's liability cap matters.

Red flags a specialist broker will pick up

A sub-limit on ransomware or funds transfer fraud that is much lower than the aggregate. A war exclusion drafted around unilateral government attribution. A retroactive date that starts on the inception date rather than covering prior acts. A retention that applies per matter rather than per claim, catching related notifications separately. A condition precedent that requires a specified vendor to be used at claim time. A definition of computer system that excludes the cloud services the firm actually uses. A carve-out that shifts privacy liability out of the base grant and into a bought-back extension.

How Apex places cyber cover

Apex Insurance Brokers Limited is a named broker for professional firms and small businesses. We place cyber alongside professional indemnity so the two wordings speak to each other, we approach Lloyd's syndicates and specialist company markets where the risk fits, and we work with a smaller book than the volume online brokers so a partner-level review is possible on every risk. Our client retention sits at 95%. Commission is disclosed on request under ICOBS 4.4. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, firm reference number 724952.

Talk to a broker

Want cyber cover placed alongside your PI? A named broker at Apex will read your submission and come back within one working day.

Start commercial proposal → or call 0117 325 0027