
Podcast

You Bought Cyber Insurance. Congratulations. Now Read the Bloody Small Print.

Monday 6 April 2026

The Association of British Insurers confirmed that UK insurers paid out £197 million in cyber claims in 2024. That is a 230% increase on the year before. The market is paying. Cyber insurance works.

Except when it doesn’t.

Industry data consistently shows that more than 40% of cyber insurance claims face denial or significant reduction. Not because the attack did not happen. Not because the business was lying. But because of the gap between what was written on the proposal form and what a forensic team found when they crawled through the network eighteen months later.

This is the conversation Mauven MacLeod, Graham Falkner, and I have in Episode 15 of The Small Business Cyber Security Guy. And it is not a comfortable one.

Listen to Episode 15: Cyber Insurance Fails - How UK Policies Actually Work


Important note before we begin. Everything in this article, and in Episode 15, is for information and educational purposes only. None of it constitutes regulated insurance advice. We are cybersecurity professionals, not FCA-authorised insurance brokers. If you need advice on your specific policy, speak to a qualified, FCA-authorised broker who can be held professionally accountable for what they tell you.


Why This Episode Matters Now

The phone calls I get from business owners after a cyber incident have a pattern. They go through the attack, they call the broker, and then two or three weeks later they ring me, livid, because the insurer is asking questions about passwords and MFA and patch schedules. And they cannot understand why. They did the right thing. They bought the policy.

Here is what nobody tells you when you buy cyber insurance: the policy is a contract. A contract with conditions. Conditions about how secure you are on the day you sign, and about how secure you promise to stay every day after that. If those conditions are not met when you claim, the insurer has legal tools to reduce or refuse the payout.

Not because they are evil, though some of their behaviour is hard to defend. Because that is what the Insurance Act 2015 and the FCA’s own ICOBS 8.1 handbook allow them to do.

The Scale of the Problem

The ABI figures are striking on their own. £197 million paid out in 2024, up from £59 million in 2023. Ransomware and malware drove more than half of all claims. More UK businesses than ever are buying cover: 17% more policies were taken out in 2024 than in 2023.

But that growth in the market is matched by a growth in underwriting scrutiny. More questions. More conditions. More chances for the answer to come back as “yes, but” or “no.”

Coalition’s 2024 claims data found that 82% of denied claims involved organisations without MFA fully implemented. Not organisations without MFA at all. Organisations where MFA was not complete, not enforced across every user and every entry point.

That is a stunning figure. And it is the figure that explains most of the angry phone calls I receive.

How the Law Frames This

The Insurance Act 2015 changed the landscape significantly. Before it, there was an old doctrine called utmost good faith, which gave insurers enormous power to void policies for almost any omission. The 2015 Act replaced that with a more balanced duty: the duty of fair presentation of the risk.

In plain English: when you buy the policy, you have to tell the insurer, clearly and honestly, the things that would matter to them. You do not have to volunteer every technical detail. But you cannot fudge the big things they specifically ask about.

On a cyber policy, those questions typically cover MFA, backup practices, patching cadence, outsourced IT arrangements, and the categories of sensitive data you hold.

The FCA’s ICOBS 8.1 handbook adds a further layer of protection for policyholders. Insurers cannot simply point to any minor policy breach and walk away. The breach has to be connected to the loss. If your policy required MFA on remote access and the attack came in through remote access without MFA, that connection is made. If an unrelated control was missing but the breach came through a different vector entirely, the argument is much harder for the insurer to win.

None of this means insurers cannot and do not dispute claims. It means they have to do it within a legal framework. Understanding that framework is step one.

The Three Buckets of Misrepresentation

In Episode 15, we spend time on the three types of misrepresentation that the law recognises, because they have very different consequences.

Innocent misrepresentation is where you answered in good faith with what you genuinely believed to be true, and it turned out to be wrong. The law tends to be kinder here. The insurer may still have to pay, or may adjust the claim rather than refuse it entirely.

Negligent misrepresentation is where you should have known better. You could have checked. You guessed instead. This is where the majority of SMB claims run into trouble. Ticking “yes, all devices are encrypted” when nobody ever checked the old laptops. Confirming MFA is in place when it was only enabled for some users. The insurer can reduce the payout to reflect what they would have charged had they known the real position.

Deliberate or reckless misrepresentation is the nuclear option. Saying “yes, we have MFA everywhere” when you know you do not. If an insurer can demonstrate this, they can void the policy as if it never existed.

The uncomfortable truth is that most SMB misrepresentation is negligent, not deliberate. Business owners fill in proposal forms without full visibility of their technical environment. IT providers answer questions without flagging the gaps. Brokers tidy up the answers because they want to get the client a quote. Nobody is lying. Everyone is optimising. And the result, eighteen months later, looks a lot like lying to a forensic team comparing the proposal with the firewall logs.

What Happens After the Breach

In Episode 15, Graham walks through what the claims process actually looks like. It is worth knowing in advance, because the first 72 hours are critical.

When you call the insurer or broker to report an incident, they will typically appoint their own panel of forensic specialists and lawyers. Those experts have one job that you need to understand: they are there to help contain the incident, yes, but they are also there to reconstruct what your environment actually looked like at the time of the attack, and compare it to the story they were sold when you bought the policy.

They will pull firewall configurations, VPN settings, Active Directory logs, backup schedules, patch reports, and MFA policy exports. Every discrepancy between what you said and what they find is a potential negotiating point.

As I say in Episode 15: your intention does not matter. The evidence does. You might remember turning on MFA for everyone. If the logs show half your users never completed registration, you did not have it in place as far as the insurer is concerned.

The State-Backed Exclusion Nobody Mentions

There is a clause in many UK cyber policies that deserves a great deal more attention than it gets. Since the Lloyd’s Market Bulletin Y5381 came into effect in March 2023, all standalone cyber policies placed through the Lloyd’s market must include an exclusion for losses arising from state-backed cyber operations.

This matters for UK SMBs in a way that might not be immediately obvious. You are a plumbing firm in Wigan or a solicitors’ office in Reading. Why would a state-backed operation care about you?

It might not target you. But it might hit you anyway. Nation-state malware does not come with a personalised address label. The NotPetya attack in 2017 was aimed at Ukraine’s infrastructure and ended up causing losses of around $1.4 billion to Merck alone. Smaller businesses across Europe were caught in the fallout.

If a future attack of that scale is attributed to a state actor, and your insurer invokes the exclusion, you are on your own.

Mauven covers this in more depth on Wednesday, and we discuss it in the episode. The key question to ask your broker right now: does my policy contain a state-backed cyber exclusion, and what are its exact terms?

Three Things to Do This Week

These are straight from the end of Episode 15. They are not complicated. They are just rarely done.

1. Pull your proposal form and your policy schedule. Sit down with whoever handles IT and go through every security-related answer. Ask, honestly: is this fully true today, across the whole business, and can we prove it? If the answer is “sort of,” that is a gap that needs fixing or disclosing.

2. Fix the three controls insurers care about most. MFA on email, VPN, and all privileged accounts. Tested, isolated backups, with a written record of when you last tested a restore. Critical patches applied within a defined timeframe, with logs to prove it.

3. Write one page. Who do you call when it happens? Who can authorise shutting systems down? Who talks to customers? Who contacts the insurer? That one page does not have to be a 200-page incident response plan. It has to exist, and the right people have to know where it is.
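The comparison described earlier, between what the proposal form says and what the identity provider's logs show, is one you can run yourself before an insurer's forensic team does. The following is an added illustration, not code from the episode or the podcast: it reads a constructed MFA registration export (column names and accounts are assumptions) and reports which "yes" answers on the form the evidence does not support.

```python
import csv
import io

# Constructed sample export (not a real tenant): one row per account, in the
# shape an identity provider's MFA registration report might take.
SAMPLE_EXPORT = """\
user,mfa_registered,mfa_enforced,privileged,remote_access
alice@example.co.uk,yes,yes,yes,yes
bob@example.co.uk,yes,no,no,yes
carol@example.co.uk,no,no,no,no
dave@example.co.uk,no,no,yes,yes
erin@example.co.uk,yes,yes,no,no
"""

# Hypothetical proposal-form answers: True means the form was ticked "yes".
PROPOSAL_ANSWERS = {
    "mfa_all_users": True,       # "MFA enforced for all users"
    "mfa_privileged": True,      # "MFA enforced on all privileged accounts"
    "mfa_remote_access": True,   # "MFA enforced on VPN / remote access"
}

# Which accounts each question covers.
SCOPES = {
    "mfa_all_users": lambda r: True,
    "mfa_privileged": lambda r: _yes(r["privileged"]),
    "mfa_remote_access": lambda r: _yes(r["remote_access"]),
}

def _yes(value):
    return value.strip().lower() == "yes"

def load_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def mfa_in_place(row):
    # Registered but not enforced counts as not in place: it is not protecting a login.
    return _yes(row["mfa_registered"]) and _yes(row["mfa_enforced"])

def coverage(rows):
    """Fraction of all accounts with MFA both registered and enforced."""
    return sum(1 for r in rows if mfa_in_place(r)) / len(rows) if rows else 0.0

def check_attestation(rows, answers):
    """Per question: (claimed on form, supported by evidence, accounts missing MFA)."""
    report = {}
    for question, in_scope in SCOPES.items():
        missing = [r["user"] for r in rows if in_scope(r) and not mfa_in_place(r)]
        report[question] = (answers.get(question, False), not missing, missing)
    return report

def misstatements(report):
    """Questions answered 'yes' that the export does not back up."""
    return sorted(q for q, (claimed, actual, _) in report.items() if claimed and not actual)
```

Run against a real export, every question returned by misstatements is an answer to correct or disclose to the broker before renewal, and the missing-account lists are the remediation queue.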

How to Turn This Into a Competitive Advantage

Cyber insurance compliance is not just a box-ticking exercise for your own protection. It is increasingly a differentiator.

Larger procurement teams, NHS trusts, local councils, and corporate clients are asking about cyber insurance coverage as part of supplier onboarding. Being able to say “we carry cyber insurance and we meet all our policy conditions” is a statement of operational maturity that many of your competitors cannot make.

Getting Cyber Essentials or Cyber Essentials Plus certification alongside your cyber policy creates a documented security baseline that satisfies both insurers and buyers. Some insurers offer premium reductions of 10 to 25% for CE-certified businesses. That reduction is money back in your business while your security story gets stronger.

How to Sell This to Your Board

If you are trying to get sign-off on a proper cyber insurance review, or on implementing the controls that would make a claim survivable, these are the arguments that tend to work:

Financial risk reduction. A denied cyber claim after a ransomware attack means paying every penny of recovery from operational cash or reserves. For many SMBs that is terminal. The cost of getting the controls right is a fraction of that exposure.

Regulatory exposure. An uninsured data breach that triggers ICO notification requirements, and potentially ICO enforcement action, is a problem that insurance helps manage. Without it, you are managing that legal exposure alone.

Supplier qualification. More contracts require evidence of cyber cover. A voided claim is not just a financial disaster: it is reputational damage at exactly the moment your clients are watching most closely.

What This Means for Your Business

The cyber insurance market is not broken. It is maturing. And maturation means higher bars, tighter scrutiny, and more forensic investigation when things go wrong.

That is not inherently bad. It is forcing businesses to actually implement the controls they claimed to have. The problem is that most SMBs do not know the rules have changed. They bought a policy three years ago, renewed it twice without rereading it, and are now exposed in ways their premium does not reflect.

The gap between the protection you think you have and the protection you actually have is where the nasty surprises live.

Episode 15 is about closing that gap. Not with fear. With information. Go listen.

Listen now: Episode 15 - Cyber Insurance Fails: How UK Policies Actually Work



Sources

ABI: Nearly £200 million paid in cyber claims to help UK businesses recover (November 2025)
Marsh McLennan: UK Cyber Insurance Claims Trends Report 2024
Lloyd’s of London: Market Bulletin Y5381: State-backed Cyber-attack Exclusions (August 2022)
FCA: FCA Handbook: ICOBS 8.1 - Claims Handling
legislation.gov.uk: Insurance Act 2015
Coalition: Coalition 2024 Cyber Claims Report
DSIT: Cyber Security Breaches Survey 2025

Filed under

  • cyber-insurance
  • claims-denial
  • uk-business
  • insurance-act-2015
  • mfa-failure
  • smb-security
  • risk-transfer