
What UK Businesses Need to Know Before They Need to Claim
Many UK businesses now have cyber insurance. Far fewer have ever tested whether it would actually pay out when needed.
If you’ve got a policy sitting in a drawer somewhere, you might assume you’re covered if the worst happens. But cyber insurance isn’t like buildings insurance—you can’t just file a claim and expect a cheque. Insurers are increasingly scrutinising claims, and rejection rates are rising.
This article explains what cyber insurance actually covers, what insurers expect from you, and why so many claims are being denied. More importantly, it explains what you can do now—before an incident—to make sure your policy will work when you need it.
The Current Landscape
Cyber attacks on UK businesses are at record levels. In 2024, insurers paid out £197 million in cyber claims—a staggering 230% increase on the previous year. Malware and ransomware accounted for over half of all claims, and demand for cyber cover surged, with 17% more policies taken out compared to 2023.
High-profile attacks continue to make headlines. The 2025 ransomware attacks on Marks & Spencer and the Co-op resulted in estimated costs of £300 million and £120 million respectively. M&S has since made a £100 million claim on their cyber insurance policy.
But here’s the uncomfortable truth: a significant proportion of cyber insurance claims are rejected or only partially paid. Some industry estimates suggest as many as 30-40% of claims face issues—often because businesses couldn’t prove they had basic security measures in place.
What Does Cyber Insurance Actually Cover?
Cyber insurance policies vary significantly, but most offer a combination of first-party cover (your own losses) and third-party cover (claims against you). Here’s what a typical policy might include:
Incident Response
Many insurers provide access to 24/7 incident response support, including forensic investigators to determine what happened, legal advisors to navigate regulatory requirements, PR specialists to manage communications, and breach notification services to contact affected individuals.
Business Interruption
If a cyber attack stops you from trading, your policy may cover lost revenue during the downtime, additional costs incurred to maintain operations, and expenses to restore systems and data.
Data Recovery
Costs to restore lost or corrupted data from backups or through specialist recovery services.
Regulatory Response
If a breach triggers an ICO investigation, your policy may cover the costs of responding, though actual regulatory fines are often excluded.
Ransomware
Coverage for ransomware varies significantly between insurers. Some policies cover ransom payments (though this is controversial), while others only cover recovery costs. Check your policy wording carefully.
Common Exclusions: What’s Probably NOT Covered
Every policy is different, but these are common exclusions to watch for:
- War and state-sponsored attacks: If your breach is attributed to a nation-state actor, the ‘act of war’ exclusion may apply
- Prior known issues: Vulnerabilities you knew about before the policy started
- Unsupported software: Breaches caused by running outdated or end-of-life systems
- Social engineering: CEO fraud or BEC scams may require specific cover—don’t assume it’s included
- Regulatory fines: Many policies exclude ICO penalties
- Third-party breaches: If your cloud provider is breached, your policy may not cover it
Why Claims Get Denied
This is the section that really matters. Understanding why claims fail helps you avoid the same mistakes.
1. Failure to Meet Security Requirements
Modern cyber insurance policies typically require you to maintain specific security controls. The most common requirements include multi-factor authentication (MFA) on email and critical systems, regular software patching and updates, endpoint protection (antivirus/anti-malware), secure backup procedures, and employee security awareness training.
If a breach occurs and forensic investigation reveals these controls weren’t in place—even if you said they were on your application—your claim can be denied.
Real example: In 2022, an insurer took their policyholder to court after discovering that MFA was only enabled on the firewall, not on servers—where the breach actually originated. The policy was voided entirely.
2. Misrepresentation on the Application
Under UK law (the Insurance Act 2015), applicants have a ‘duty of fair presentation’—you must provide accurate information when applying for cover. If you stated that MFA was in place across all systems, but investigation reveals it wasn’t, that’s a breach of this duty.
This isn’t always deliberate deception. Often, the person completing the application doesn’t have full visibility of the technical environment, or makes assumptions that turn out to be wrong. The result is the same: denied claims.
3. Late Notification
Most policies require you to report incidents immediately—often within 24 to 72 hours of discovery. Miss this window, and your claim may be rejected regardless of its merit. Insurers argue that delays prevent them from properly investigating and mitigating the damage.
4. Poor Documentation
When making a claim, you’ll need to demonstrate what happened, when, and what you did in response. If you can’t produce logs, evidence of your security controls, or documentation of your incident response, insurers may question the validity of your claim.
5. Failure to Mitigate
You have a duty to take reasonable steps to limit damage once an incident occurs. If you ignored advice to isolate infected systems, didn’t attempt to recover from backups, or allowed an attack to spread unnecessarily, this could be grounds for claim reduction or denial.
What Insurers Expect From You in 2025
The bar for cyber insurance is rising. Here’s what most insurers now expect as a minimum:
- Multi-factor authentication on all email accounts, remote access, and admin accounts
- Regular patching with documented evidence of your update schedule
- Tested backups that are isolated from your main network (to survive ransomware)
- Endpoint protection on all devices
- Staff training with documented evidence of security awareness programmes
- Incident response plan that’s documented and tested
- Cyber Essentials certification, which is increasingly required or strongly favoured
The Cyber Essentials Advantage
Cyber Essentials certification deserves special mention. The UK Government-backed scheme demonstrates that you have fundamental security controls in place. Many insurers now require it, or offer reduced premiums for certified businesses.
As a bonus, basic Cyber Essentials certification includes £25,000 of cyber liability cover automatically. This won’t replace a full policy for most businesses, but it’s a useful baseline—and certification itself can reduce your premiums by up to 25%.
What You Should Do Now
Don’t wait until you need to make a claim to discover your policy won’t pay out. Take action now:
- Read your policy: Actually read it—not just the summary. Understand what’s covered, what’s excluded, and what security requirements you’ve agreed to meet. If you don’t understand something, ask your broker.
- Verify your application answers: Check what you (or someone else) stated on your application. Is MFA really in place everywhere you said it was? Are your backups tested? If anything was inaccurate, notify your broker immediately—it’s far better to correct the record now than to have a claim denied later.
- Close the gaps: If you discover your security controls don’t match what your policy requires, fix them urgently. We can help you identify and address gaps quickly.
- Document everything: Keep evidence of your security controls: MFA configurations, patching logs, backup test results, training records. If you ever need to make a claim, this documentation could be the difference between payment and rejection.
- Know your notification requirements: Make sure key people in your organisation know how quickly you need to report an incident and who to contact. Put the insurer’s emergency hotline number somewhere accessible.
- Consider Cyber Essentials: If you don’t already have it, certification demonstrates your commitment to security and may reduce your premiums.
The Bottom Line
Cyber insurance is valuable, but it’s not a get-out-of-jail-free card. It’s a partnership: you maintain proper security controls, and the insurer provides financial protection when things go wrong despite your best efforts.
The businesses that successfully claim are those that can demonstrate they took cyber security seriously before the incident occurred. They have MFA in place, they patch their systems, they train their staff, and they can prove it.
If you’re not sure whether your current security posture matches your policy requirements, now is the time to find out—not after an attack.
Want to check if your business meets your cyber insurance requirements?
Get in touch for a security review—we’ll help you identify and close any gaps.
Give our friendly experts a call on 020 3327 0310.