Your IT Department

Cyber Insurance Small Business UK: What Questions Matter Most

Why cyber insurance has stopped being a “big company problem”

Cyber insurance for small business UK owners has never been more relevant, and the threat landscape is a big part of why. There was a time, not that long ago, when cyber cover sat firmly in the “enterprise only” drawer alongside dedicated security operations centres and six-figure compliance budgets. Small businesses didn’t need it, the thinking went, because small businesses weren’t interesting targets.

That thinking was wrong, and the criminals figured it out before most business owners did.

Ransomware gangs, phishing operations, and data thieves have spent the last several years working their way down the food chain. They’ve realised that a three-person accountancy firm or a regional recruitment agency often holds genuinely valuable data, runs older systems, and has far fewer defences than a corporate target. The National Cyber Security Centre (NCSC) has consistently highlighted that small and medium-sized businesses face significant cyber threats and are frequently unprepared for them.

So now you’re thinking about cyber insurance. Good. But here’s the uncomfortable truth: a lot of small business owners walk into that conversation with a broker having no idea what they actually hold, what protection they have in place, or what a policy will and won’t pay out for.

That’s where your IT provider should already be helping you. These are the cyber insurance questions for small business UK owners need to be able to answer, and the ones a good IT partner will make sure you can.

What data and systems do you actually hold?

This is question one on almost every cyber insurance application, and it’s the one that causes the most blank stares.

Insurers want to know exactly what you hold, because that determines your risk profile. Are you storing personally identifiable information (PII)? Payment card data? Medical records? Client contracts with commercially sensitive terms? Do you hold data on behalf of other companies? Is any of it regulated under UK GDPR or the Data Protection Act 2018?

Most small business owners, if they’re honest, haven’t sat down and properly mapped this out. They know they’ve got “some spreadsheets” and “the CRM” and “a few folders on the server.” That’s not an answer an underwriter can work with.

The exercise of answering this question properly is genuinely useful, independent of insurance. You need to know what you hold, where it lives, who has access to it, and what would happen if it disappeared or ended up somewhere it shouldn’t. Your IT provider should be able to help you produce a basic data asset register and map your critical systems. It doesn’t have to be a 40-page document. It just has to be honest.

If you hold PII on customers, employees, or suppliers, you’re almost certainly a data controller under UK law. That means you have obligations to the ICO (Information Commissioner’s Office), and a cyber insurer will absolutely ask about them.

What security measures will your insurer expect? (Cyber insurance questions for small business UK)

Here’s where a lot of small business applications fall over.

The minimum baseline most insurers now expect is not particularly exotic. But it’s still more than many small businesses have implemented. Getting the fundamentals right isn’t optional anymore, it’s a condition of getting covered at all.

  • Multi-factor authentication (MFA) on email, remote access, and any cloud-based systems is probably the single most commonly asked about control. If you’re still logging into Microsoft 365 with just a password, expect that to come up.
  • Endpoint detection and response (EDR) is increasingly the expectation, rather than basic antivirus. EDR tools don’t just scan for known threats, they monitor behaviour and can catch attacks that haven’t been seen before. The difference matters to an underwriter.
  • Device encryption on laptops and mobile devices is a basic hygiene requirement. If a laptop is stolen and the drive is unencrypted, you’ve potentially got a reportable data breach before you’ve even worked out where the laptop went.
  • Regular, tested, off-site backups (ideally immutable, meaning they can’t be altered or deleted by ransomware) are non-negotiable. The whole point of a backup is that it works when you need it. Insurers will ask whether you test restores, and “we assume it’s fine” is not the answer they’re hoping for.
  • Strong password policies and a patch management process round out the baseline. Unpatched software is one of the most common entry points for attackers, and it’s entirely preventable.

An IT managed service provider worth their retainer will have most of this covered for you already. If yours hasn’t had this conversation with you, that’s worth noting.

What does a cyber policy actually cover?

Not all cyber insurance policies are equal. This is worth saying loudly, because it surprises people.

A decent policy should cover forensic investigation costs (working out what happened and how), legal costs, regulatory notification obligations, PR and crisis communications support, and potentially ICO regulatory fines (though coverage of fines varies by policy and insurer, so read the small print carefully). Many policies also include access to a 24/7 incident response line, which is genuinely valuable at 2am when something has gone badly wrong.

Business interruption cover is the big one for small businesses. If you can’t operate because your systems are locked or your data is gone, you’re losing money every hour. Whether your policy covers that lost revenue, and for how long, and subject to what excess, is a question you need to ask before something happens rather than after.

Then there are the exclusions. Cyber policies have them. Common ones include acts of war, insider threats in some cases, and incidents arising from known vulnerabilities you’d been told about but hadn’t patched. Some policies won’t pay out if you can’t demonstrate that your security controls were actually in place and working at the time of the incident.

This is not scaremongering. It’s just the reality of how insurance works. The cyber insurance questions small business UK owners often overlook are the ones about what the policy won’t cover. Ask them anyway.

Limits, excesses, and how Cyber Essentials reduces your premiums

Policy limits in cyber insurance tend to range from £100,000 up to several million pounds for SME policies. The right limit for your business depends on your revenue, the sensitivity of the data you hold, and an honest assessment of what a serious incident would actually cost you.

Excesses vary too. A lower premium often means a higher excess, and if a claim costs you £15,000 but your excess is £10,000, the maths gets uncomfortable quickly.

One of the more useful tools available to UK businesses right now is Cyber Essentials. This is a government-backed certification scheme, run under the NCSC, that validates five basic security controls: firewalls, secure configuration, access control, malware protection, and patch management. Getting certified doesn’t guarantee a discount, but it does signal to underwriters that you’ve done the minimum sensibly. A number of insurers will offer reduced premiums or improved terms to certified businesses.

Cyber Essentials also gives you something tangible to show clients, particularly if you’re working with public sector organisations or larger businesses that increasingly require it from their supply chain. It’s a practical credential, not just a tick-box exercise, and the process of getting certified will surface gaps you might not have known about.

The broader point is this: the cyber insurance questions small business UK owners should be asking aren’t just about the policy. They’re about getting the business into a position where insurers see it as a lower risk. Curious about certification? Read our guide to Cyber Essentials for small businesses to see what’s involved.

Ready to answer these questions with confidence?

A good IT provider doesn’t just keep your systems running. They help you understand your risk posture, keep your controls up to date, and make sure that when a broker or underwriter asks about your security measures, you have honest, demonstrable answers.

Your IT Department works with growing businesses across the UK on exactly this kind of groundwork. Whether that’s helping you get Cyber Essentials certified, ensuring your backup and recovery processes are genuinely fit for purpose, or just giving you a clear picture of what you have and what you don’t, it’s the work that makes insurance conversations easier and, more to the point, makes your business more resilient.

If you’re looking at cyber insurance and finding yourself uncertain about the answers, that’s a signal worth paying attention to.

Get in touch with Your IT Department for a no-pressure conversation about where you stand.