When Cheap IT Voids Your Cyber Cover: The UK Government Numbers Bosses Are Avoiding

Hello, Mauven here. Coffee in hand and a copy of the Association of British Insurers’ 2024 cyber data summary on the desk.

Cyber insurance uptake among UK small businesses rose to 62% in 2025, up from 49% the previous year. That is the headline. It is genuinely encouraging, particularly when you consider that for most of the last decade SME cyber cover sat in the margins of risk transfer.

What sits underneath is more awkward. UK insurers paid out £197 million in cyber claims in 2024, more than three times the £59 million paid the year before. That is a 230% year-on-year increase, with malware and ransomware accounting for 51% of all claims, up from 32% the previous year. Demand for policies grew 17% over the same period.

When payouts climb that fast, two things happen at once. The market gets bigger, and the underwriters get fussier.

Insurers are getting harder to satisfy, not easier

The ABI’s data is the most authoritative single source on UK cyber insurance, and it is unambiguous about the direction. Cyber claims have moved from a niche line of business to a fast-growing one, and the underwriting community has responded the way underwriting communities always respond when losses jump: they tighten requirements, sharpen application questions, and become less forgiving when the answers turn out to have been optimistic.

Industry analysis through 2024 and into 2025 suggests that nearly one in four cyber insurance claims are now declined for failing to meet basic coverage requirements. The reasons tend to be predictable.

Missing MFA enforcement. Almost every modern cyber policy requires multi-factor authentication on email, remote access, and privileged accounts. “Available” does not satisfy the requirement. “Available but not enforced” is a policy violation. The KNP Logistics case in 2023, where a guessed password and absent MFA led to a 158-year-old British transport company collapsing with the loss of around 700 jobs, is the textbook scenario insurers now check for first.

Patching gaps. Insurers increasingly want documentary evidence that critical patches were applied within agreed windows. “We try to keep things up to date” no longer cuts it. A patching report that does not exist is the same, in claims terms, as a patching process that does not exist.

Optimistic policy applications. This is the politest possible phrasing. If the application form said you had controls in place that, on subsequent investigation after a breach, turned out to be partial or absent, the insurer can treat that as misrepresentation and void the policy. The investigation team is comfortable with forensics and document trails. Most claimants are not.

Reporting windows. Many policies require notification within 48 to 72 hours of detection. If your provider only notices an incident when you ring them about systems behaving oddly, you may already be late. By the time the claims notification reaches the broker, the breach may have been live for weeks.

The DSIT picture sits behind all of this

The Department for Science, Innovation and Technology publishes the Cyber Security Breaches Survey every year, and the 2025 edition (fieldwork in late 2024) put 43% of UK businesses as having experienced some form of cyber breach or attack in the previous twelve months. Roughly 612,000 businesses. Phishing affected 85% of those. Ransomware doubled to 1% of all UK businesses, equivalent to about 19,000 organisations.

The 2025/2026 survey, published on 30 April this year, kept the headline rate at 43% and flagged that revenue impact has more than doubled year on year. Reputational damage as a reported outcome has tripled. Board-level responsibility for cyber security has finally ticked back up after years of decline, from 27% to 31% across UK businesses.

The pattern across both surveys is consistent. Breach prevalence is widely distributed across UK organisations. The bigger and more interconnected the firm, the higher the rate. The cost of breaches has climbed sharply for the firms with material outcomes. The average cost of the most disruptive breach for UK businesses with a non-zero outcome was £8,260 in the 2025 survey, against the ten and a half thousand pounds many firms believe they are saving by going with the cheaper IT provider.

The IT contract and the insurance contract are joined at the hip

This is the bit that policy desks see clearly and most owners do not.

A modern cyber insurance policy is, in effect, a partial outsourcing of the firm’s risk transfer to the insurer. The price of that outsourcing is a set of conditions: control requirements, reporting obligations, evidentiary expectations. If the firm fails the conditions, the outsourcing collapses and the firm is back to carrying the loss itself.

The conditions in the policy are largely operational, and the IT provider is the only party in a position to deliver and evidence them. MFA enforcement is an IT job. Patch management is an IT job. Endpoint detection and response is an IT job. Incident detection within a defined timeframe is an IT job. A documented evidence trail for any of those things is an IT job.

If the IT provider has never asked to see the policy, they cannot reasonably tell you whether the operational delivery is matching what the policy demands. And if it is not matching, the firm is paying premiums for a contract it is in continuous breach of. That is a uniquely uncomfortable position to be in. Premium leaving the bank account every month, no payout when the moment comes.

The pattern with cheap IT providers is consistent enough to be diagnostic. They rarely ask for the policy. When they are asked whether the firm meets policy requirements, they typically respond with general reassurance rather than evidence. When the breach happens and the claim is made, the insurer’s forensic team finds the gap. The claim is denied. The firm carries the cost.

The policy and the IT contract have to talk to each other. The cheap option breaks the conversation.

The regulatory direction is also tightening

Two regulatory developments matter for UK SMBs at this point.

The first is the Information Commissioner’s Office. In the first half of 2025 the ICO issued £5.6 million in fines across just six cases. That is more than double the £2.7 million issued across eighteen cases for the entirety of 2024. Fewer cases, larger fines, and a clear shift in composition: two-thirds of the H1 2025 fines were UK GDPR breaches, against one-sixth in 2024. The ICO’s fining guidance, updated in 2024, retains the maximum penalties of £17.5 million or 4% of global annual turnover, whichever is higher. For smaller firms the percentage figure becomes meaningful at quite modest turnover levels.

The second is the Cyber Security and Resilience (Network and Information Systems) Bill, currently in the House of Lords after passing its committee and report stages in the Commons during the early months of 2026. The Bill brings more organisations into scope (notably medium and large managed service providers and data centres above 1MW rated IT load), introduces stricter incident reporting timeframes (24 hours for initial notification), and substantially increases regulator powers and penalties. Royal Assent is expected later in 2026. Secondary legislation and statutory codes of practice will follow.

Neither development is directed primarily at small businesses. Both move the regulatory baseline upward. Insurers, customers, and procurement teams will move with that baseline. The trajectory is single-direction.

How to Turn This Into a Competitive Advantage

For UK SMBs in regulated sectors, professional services, or any B2B context where customer due diligence is becoming routine, the gap between cheap IT and properly evidenced security has become a procurement signal.

Customers ask. Tenders include cyber security questionnaires. Insurance brokers refer. Cyber Essentials Plus is increasingly the entry ticket rather than the gold standard. The firms that can answer the questions clearly and produce the evidence are winning work. The firms that cannot are quietly losing it without ever realising why.

Treat your insurance and IT contracts as a single integrated control set. Get the evidence. Use the evidence. Most of your competitors are still treating these as separate purchases handled by different people.

How to Sell This to Your Board

Three points that will land at board level.

Premium integrity. The board signs off the cyber insurance premium. The board is therefore accountable for whether that premium is buying genuine cover or a fight at claim time. Without an audit of how the IT contract delivers the policy’s required controls, the board cannot honestly answer that question.

Regulatory tail. ICO fines are larger and more public. The Cyber Security and Resilience Bill is moving toward Royal Assent. The Cyber Governance Code of Practice, launched in April 2025, has formalised board responsibility for cyber risk. None of this gets easier going forward.

Operational continuity. A 43% UK breach rate combined with a 25% cyber claim denial rate produces a non-trivial probability that any given firm experiences a serious breach with no insurance pay-out across a five-year window. That is a continuity risk, and continuity risk is a board issue.

What This Means for Your Business

Five concrete actions.

  1. Get a copy of your cyber insurance policy schedule and read the control requirements. Specifically the MFA, patching, endpoint protection, and incident reporting clauses.
  2. Send the relevant section to your IT provider and ask them to confirm in writing, with supporting evidence, that each requirement is being met.
  3. Get a copy of your most recent patching report from the provider’s RMM platform. Check coverage percentages and outstanding critical patches.
  4. Audit MFA enforcement across email, remote access, and privileged accounts. Conditional access policies, in writing, with screenshots if necessary.
  5. Establish your incident reporting workflow. Who notices an incident, who decides it is reportable, who notifies the broker, and within what timeframe. Test it on paper.

Cyber insurance is not the safety net the brochure suggests. It is a contractual instrument with operational conditions. The conditions matter when the moment arrives. Cheap IT, more often than not, is the reason the conditions are not being met.

Sources

  • Association of British Insurers: Nearly £200 million paid in cyber claims to help UK businesses recover
  • DSIT: Cyber Security Breaches Survey 2025
  • DSIT: Cyber Security Breaches Survey 2025/2026
  • ICO: Data Protection Fining Guidance
  • ICO: Enforcement action register
  • UK Parliament: Cyber Security and Resilience (Network and Information Systems) Bill
  • House of Commons Library: Cyber Security and Resilience Bill 2024-26 briefing
  • Cabinet Office: Cyber Governance Code of Practice
  • NCSC: Multi-factor authentication for online services
  • The Small Business Cyber Security Guy: Podcast: Cheap IT, Expensive Breach