Cyber risk is now the pre-eminent operational risk for most businesses, regardless of size or sector. The costs associated with a serious cyber incident — ransomware payments, incident response, business interruption, regulatory notification obligations, third-party claims from customers whose data has been compromised — can run to hundreds of thousands or millions of pounds. Yet cyber insurance remains one of the most misunderstood products in the commercial insurance market, and many businesses either do not hold it, hold inadequate limits, or hold policies with exclusions that would deny cover for their most likely losses.
This guide explains what cyber liability insurance covers, the distinction between first-party and third-party cover, the GDPR and regulatory dimension, and the market landscape following the significant changes of recent years.
First-Party Cover: Costs You Bear Directly
First-party cyber cover responds to costs incurred directly by the insured business as a result of a cyber incident. These are the costs the business itself pays, before any third-party claims are considered.
Incident response costs: When a cyber incident is discovered — a ransomware infection, a data breach, an unauthorised access event — the first priority is to establish what has happened and contain the damage. This requires specialist cybersecurity expertise. Specialist incident response firms bill by the hour, and rates of £1,000–£3,000 per hour are not unusual; a major incident requiring several weeks of investigation can cost £100,000–£500,000 in response costs alone. Cyber policies cover these costs, usually through pre-approved panel firms (which provides both speed of access and quality assurance). Cover is commonly conditional on the insurer being notified before vendors are engaged, so the policy's notification hotline belongs in the incident response plan, not in a drawer.
IT forensics: Establishing the scope of a breach — what data was accessed, how long the attacker was present (dwell time), which systems were compromised — requires digital forensic investigation. This is distinct from incident response: forensics is the detailed post-incident analysis that determines the full picture, and its findings drive the notification decision and any subsequent claims.
Data recovery and system restoration: Ransomware attacks typically encrypt or delete data, and operators commonly locate and destroy online backups before triggering encryption. Restoring from backup (where backups exist, were held offline or immutably, and have been tested), rebuilding systems from known-good images, and reinstalling software represent material costs. Cover includes the cost of IT specialists rebuilding affected systems.
Ransomware payments: Many cyber policies cover the payment of ransomware demands, subject to conditions. Insurer consent is typically required before payment, and the insurer will coordinate with specialist negotiators and law enforcement liaison. Note: ransomware payments are controversial and increasingly scrutinised by regulators and law enforcement. Payment does not guarantee a working decryptor or the deletion of stolen data, and a payment to a sanctioned entity may itself breach UK financial sanctions. The UK government's position on payments evolves; legal advice should always be sought before any payment is made.
Business interruption: If systems are unavailable as a result of a cyber incident, revenue is lost and fixed costs continue. Cyber business interruption cover compensates for lost profit during the period the business is unable to operate at normal capacity. This is one of the most financially significant covers in a cyber policy. The waiting deductible (time excess) — typically 8–12 hours before BI cover commences — and the indemnity period (how long cover continues) should be reviewed carefully, as should whether the cover extends to outages at dependent suppliers (for example a cloud or managed service provider), which some policies exclude or sublimit.
Crisis communications and PR: A data breach that becomes public knowledge can cause severe reputational damage. Many cyber policies include cover for specialist PR and crisis communications firms, to manage media relations and customer communication following a significant breach.
Cyber extortion (beyond ransomware): Some policies extend to cover payments demanded under threat of distributed denial-of-service (DDoS) attacks, publication of stolen data, or other forms of cyber extortion.
Third-Party Cover: Claims Against You
Third-party cyber cover responds when a cyber incident results in claims being brought against the insured business by affected third parties — typically customers, clients, or business partners whose data has been compromised.
Data breach liability: The most common third-party claim following a cyber incident is a claim by individuals whose personal data was exposed. Under GDPR (Article 82), affected individuals have the right to claim compensation for material or non-material damage (including distress) arising from a data breach. Class actions and group litigation in data breach cases have increased significantly since 2018. Third-party cyber liability cover pays defence costs and compensation awarded.
Network security liability: Where a business's systems are compromised and the attacker uses those systems to attack a third party (e.g., a supplier's network is used to attack a customer's system), the business may face liability to the third party. Network security liability cover responds.
Media liability: Electronic media content claims — defamation, copyright infringement, invasion of privacy in content published online — are covered by some cyber policies. This is relevant for businesses with significant online content.
GDPR Fines: What Is and Is Not Covered
This is the most frequently misunderstood aspect of cyber insurance. Under GDPR (and the UK GDPR post-Brexit), the ICO (Information Commissioner's Office) can impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious data protection breaches.
The critical point: most cyber insurance policies do not cover GDPR fines or regulatory penalties, or cover them only "to the extent insurable at law". Under English public policy principles, the prevailing view is that fines imposed by regulators are not insurable — it is contrary to public policy for insurance to indemnify a business against the punitive consequences of its own regulatory breach. A policy wording that appears to offer fines cover should therefore be read as offering it only if a court would permit it, which is untested for GDPR fines.
What cyber policies do typically cover in a GDPR context is:
- ICO investigation costs: Legal costs of responding to an ICO investigation, attending interviews, compiling evidence, instructing specialist data protection solicitors
- Third-party claims arising from the breach: Compensation paid to individuals who bring GDPR-based civil claims, separate from any ICO fine
- Notification costs: The GDPR requires a business that becomes aware of a reportable breach to notify the ICO within 72 hours, and to notify affected individuals without undue delay where the breach is likely to result in a high risk to them. Cyber policies cover the cost of notifying affected individuals and regulators, including the specialist legal advice needed to assess whether notification is required
This distinction matters significantly: the cover available is not for the fine itself (which can be enormous) but for the substantial costs incurred in responding to the investigation and any civil litigation. These costs are real and material, even where no fine is ultimately imposed.
The Post-2020 Market Hardening
The cyber insurance market underwent a significant hardening from approximately 2020 onwards, driven by:
- A dramatic increase in ransomware attacks — targeting hospitals, local authorities, professional services firms, and critical infrastructure — with average ransomware demands increasing from tens of thousands to millions of dollars.
- Large-scale supply chain and software incidents (the SolarWinds and Kaseya supply chain compromises, and the Log4Shell vulnerability in a library embedded in countless products) creating widespread simultaneous losses across many insured businesses.
- Insurer loss ratios in cyber deteriorating sharply, in some cases exceeding 100%.
The consequences for buyers:
- Premium increases of 50–300% for many businesses between 2020 and 2022
- Significant tightening of underwriting requirements (insurers now require detailed information about security controls: multi-factor authentication, backup practices, patch management, endpoint detection and response)
- New or broadened exclusions — particularly for state-backed attacks (the "war exclusion") and systemic events. From 2023 Lloyd's required its syndicates to exclude losses from state-backed cyber attacks, and the LMA model wordings written for that purpose are now widespread
- Ransomware sublimits and coinsurance requirements, where the insured must retain a proportion of any ransomware loss
- Minimum security standards (MFA on all remote access and privileged accounts became a near-universal requirement)
The market stabilised somewhat from 2023 onwards, but businesses should expect underwriting scrutiny to remain high, and those with poor cyber hygiene will face either coverage restrictions or inability to obtain cover at all.
Typical SME Premiums
For a well-managed SME with good cyber hygiene (MFA in place, regular patching, tested backups, basic security awareness training), premiums as at the date of this guide are approximately:
- Turnover under £5m, professional services: £500–£1,500/year for £250,000–£1m cover
- Turnover £5–25m, mixed sector: £1,500–£5,000/year for £1–2.5m cover
- Turnover £25–100m: £5,000–£20,000/year for £2.5–5m cover (highly variable by sector and security posture)
Businesses in healthcare, legal, financial services, or critical infrastructure face higher premiums; those with poor security controls may face surcharges or restrictive terms.
Purchasing Cyber Insurance
When evaluating a cyber insurance policy, key questions include:
- What is the ransomware sublimit, and does it match likely exposure?
- What is the BI waiting deductible and maximum indemnity period?
- Are panel incident response firms pre-approved, and are they reputable?
- How are state-backed attacks defined in the war exclusion? Is Lloyd's Market Association (LMA) model exclusion language used, and which version? The LMA wordings differ in how attribution to a state is established and in how much cover remains for state-backed attacks outside a declared war
- Does the policy cover social engineering (fraudulent instruction or payment diversion) losses, and at what sublimit? These losses are often sublimited well below the main limit, or placed under a crime policy rather than the cyber policy
- What are the minimum security requirements, and are they achievable?
Important: Cyber insurance policy terms, exclusions, and the market appetite change rapidly. Premium rates and coverage terms described in this guide reflect general market conditions as at the date of publication; current terms should be verified with a specialist broker. Regulatory guidance on GDPR and cyber security evolves continuously.
How Global Investments Can Help
Global Investments advises business owners on cyber risk management and the placement of appropriate cyber liability insurance. We work with specialist cyber insurers and Lloyd's syndicates to access competitive terms, and we guide clients through the underwriting process — helping businesses evidence their security controls effectively to achieve the best available coverage.
For businesses with significant data handling obligations (legal, financial, healthcare, technology) or international operations, we take a holistic view of the cyber risk landscape including GDPR exposure, supply chain risk, and business continuity planning.
Contact our commercial insurance team to discuss your cyber insurance requirements.
This guide is for general information only and does not constitute financial or insurance advice. Policy terms, premium rates, and insurer eligibility criteria change — always verify current terms with a qualified independent adviser before taking out any policy.