You're Not Saving Money on IT. You're Self-Insuring Against Cyber Risk, Badly.
Every business owner who chose the cheaper IT quote made an insurance decision. They did not know that. Most of them still do not.
That is the specific thing I want to say plainly this week, after a few days of producing content about the mechanics of MSP pricing, cyber insurance, and the KNP Logistics case study. All of that is useful and necessary. But there is something structural underneath it that the content does not always surface explicitly.
The cheaper IT decision is not primarily a technology decision. It is a risk transfer decision. And it is being made by people who have not been told that, usually by salespeople who have a significant interest in not explaining it.
What self-insurance actually means
Self-insurance is a legitimate risk management tool. It is used by large corporates, local authorities, and financially sophisticated organisations across many risk categories. The logic is simple: you analyse your exposure, you calculate the expected loss, you conclude that the cost of transferring the risk to a third party exceeds the expected loss, and you retain the capital in the business instead. When the loss event eventually arrives, you absorb it from reserves.
Done properly, self-insurance is entirely rational. The entities that do it well have actuarial models, capital reserves sized against the retained exposure, tested business continuity plans, and the liquidity to survive a significant loss event without ceasing operations. Lloyd’s of London exists largely because large enough organisations can self-insure almost everything and sometimes choose not to.
The UK small business owner who chose the cheaper IT quote last year has made exactly the same decision. Without the actuarial model. Without the capital reserves. Without a tested business continuity plan. Without knowing they have made any decision at all.
They are not self-insured. They are accidentally uninsured. The difference between those two states is the awareness and the preparation, and in most small businesses, both are absent.
The bit the transaction never surfaces
Here is what bothers me about this situation, beyond the practical consequences.
When a UK small business owner compares two IT quotes and picks the lower one, they have two advisers in the room. One is the IT provider, who has a financial interest in winning the contract and a significant interest in not explaining in plain language what has been removed to hit the price. The other is often a virtual adviser, the quote itself, which is designed to look like a complete service description rather than an edited one.
The cyber insurance broker, who is the third person who might catch this, is almost never in the same conversation. They sell the policy separately. They ask whether MFA is in place, usually as a checkbox on an application form, often without verifying the answer. They price the premium and send the documents. Nobody connects the control requirements in the policy to the control delivery in the IT contract.
The result is a small business owner who believes they have two risk management products, IT support and cyber insurance, when in fact they may have neither performing its intended function. The IT contract is not delivering the controls. The insurance policy will not pay out because the controls are absent. The owner is exposed, has been paying for two things that together do not protect them, and has no idea.
I am not describing this as a conspiracy. I am describing it as a structural gap in how these products are sold and combined. The failure belongs to the industry, not to the owner. The owner is the one who pays for it.
The numbers that make the bet look bad
There is a version of this argument where the owner might reasonably respond: “Maybe, but nothing has happened to me yet.”
That is fine until you look at the base rates.
DSIT reports 43% of UK businesses experienced a cyber breach or attack in the previous twelve months. That is not a tail risk. That is nearly a coin flip, annually, and the figure is driven mainly by business size rather than by the level of protection in place. The average cost of a breach with a material outcome was £8,260 in 2025. A 25-person business saving £10,500 a year on IT is, at a 43% annual breach probability weighted against an £8,260 average cost, operating with negative expected value on the decision. The maths only works if you are reliably in the other 57%, every year, indefinitely.
KNP Logistics was in the 57% for 158 years. Then it was not.
Around one in four UK cyber claims are now declined, most commonly for missing MFA enforcement at the time of the breach. That means that a significant portion of the businesses that buy the insurance product as well as the cheap IT contract find, at the moment of needing both, that neither performs as expected.
The bet is not good. Most owners making it do not know it is a bet.
What would change this
The conversation changes when someone in the transaction takes responsibility for explaining what is actually happening.
An IT provider who says “here is the security stack, here is the control list, here is what is included, and here is what you will need to add if you want to meet your insurance requirements” is having the right conversation. Most do not have it, because it makes the price look less competitive.
A cyber insurance broker who takes five minutes to cross-reference the application form against the IT contract is catching the gap before it becomes a claim failure. Most do not do it, because the products are sold separately.
A business owner who asks “what has been removed from this contract to hit this price?” and demands a line-item answer is protecting themselves. Most do not ask, because nobody told them to.
All three of those conversations are available. None of them are happening consistently. Until they are, the UK small business cyber market will continue to produce the KNP Logistics outcome, repeatedly, at scale, in businesses that believed they had industry-standard protection.
They did. That was the problem.
How to Turn This Into a Competitive Advantage
There is a clean competitive argument available to any UK small business that has actually addressed this properly.
The question increasingly asked in regulated sector tenders, in professional services procurement, and in any serious B2B sales process is some version of “can you show us your cyber security posture?” The firms that can produce MFA evidence, patching reports, EDR deployment confirmation, and an incident response plan are answering that question in a way that most competitors cannot.
The market is repricing cyber risk. The firms on the right side of that repricing will find that their security posture becomes a commercial asset, not just a cost centre.
How to Sell This to Your Board
The board conversation is straightforward once the framing is correct.
This is not an IT decision. It is a risk transfer decision. The question before the board is whether the business has transferred cyber risk adequately, retained it deliberately with appropriate reserves, or retained it accidentally with neither reserves nor awareness. Most UK SMBs are in the third category.
The Cyber Governance Code of Practice, in force from April 2025, makes this a formal board governance obligation, not an IT department conversation.
What This Means for Your Business
One action, immediate.
Pull out your IT contract and your cyber insurance policy. Put them side by side. List every control the insurance policy requires. Check whether the IT contract explicitly delivers each one, with documented evidence. Count the gaps. That count is the size of your unintentional self-insurance position.
Closing the gaps is, in most cases, cheaper than most owners expect. Usually significantly cheaper than one serious breach.
The decision to carry the risk deliberately, with full information, is a legitimate one. The decision to carry it accidentally is not a decision at all. It is just the consequence of a transaction nobody explained properly.
Related reading:
- Cheap IT, Expensive Breach: The Bargain That Bankrupts UK Small Businesses
- One Password, 700 Jobs: How Cheap Security Killed a 158-Year-Old British Business
- When Cheap IT Voids Your Cyber Cover
Sources
| Source | Article |
|---|---|
| DSIT | Cyber Security Breaches Survey 2025 |
| DSIT | Cyber Security Breaches Survey 2025/2026 |
| Association of British Insurers | Nearly £200 million paid in cyber claims to help UK businesses recover |
| Cabinet Office | Cyber Governance Code of Practice |
| NCSC | Cyber Essentials |
| UK Parliament | Cyber Security and Resilience (Network and Information Systems) Bill |