Cyber Insurance and Cyber Essentials: The Full Picture

UK insurers paid out £197 million in cyber claims in 2024. That's up 230% from £59 million the year before. The numbers tell you everything about where the market is heading: premiums are going up, underwriting questions are getting harder, and the days of ticking a box on an application form are over.
I've assessed over 800 organisations through Cyber Essentials, and the insurance conversation comes up in nearly every one. Not because people are thinking about it. Because their broker told them they need to. Or their renewal quote came back 40% higher than last year and they want to know what they can do about it.
This guide covers the UK cyber insurance market and how Cyber Essentials fits into it. Not just the free £25,000 cover (I've written about that separately), but the bigger picture: what insurers actually look at, how CE changes your policy terms, what happens when you need to claim, and why the government's ransomware payment proposals should be on your radar.
The UK cyber insurance market in 2026
The Association of British Insurers (ABI) reported £197 million in cyber claims for 2024. In 2023, that figure was £59 million, which means a 230% increase in a single year.
The biggest driver behind that increase is ransomware. The National Crime Agency received 547 UK ransomware incident reports in 2023-24. That's only the reported number, and the actual number is significantly higher because many organisations either pay quietly or don't report.
The government's 2025 Cyber Security Breaches Survey found 43% of businesses identified a breach or attack, down from 50% in 2024. But among those that did, phishing remained by far the most common attack type, reported by 85%. Fewer breaches being identified doesn't necessarily mean fewer attacks. It can equally mean more organisations don't know they've been hit.
Insurers are responding exactly how you'd expect. Premiums are rising and application forms are longer. Underwriting teams are asking specific technical questions instead of accepting vague assurances. And claims are being scrutinised harder than at any point in the market's history.
For businesses buying cyber insurance, or renewing existing policies, this matters. The market is shifting from "do you have cybersecurity?" to "prove that you do."
What insurers actually ask now
Five years ago, a cyber insurance application might have asked "do you have appropriate cybersecurity measures in place?" You'd tick yes and that was it.
Now I see application forms from UK brokers that ask specific questions.
They want to know if you have multi-factor authentication (MFA) on email, remote access, and cloud services. They ask whether you apply security patches within a defined timeframe. They want to know if you use endpoint detection and response (EDR) software. They ask about your incident response process and whether you've tested it. Some ask about backup frequency and whether backups are tested regularly.
And increasingly, they ask whether you hold Cyber Essentials or Cyber Essentials Plus certification.
That last question is the one that matters most for this article. CE maps directly to what insurers are asking about. The five controls (firewalls, secure configuration, user access control, malware protection, and patch management) cover the exact attack vectors that generate the most claims. Phishing, unpatched software, weak passwords, and misconfigured access controls account for the bulk of incidents insurers pay out on.
When you hold a valid CE certificate, you can answer most underwriting questions with evidence rather than promises. "We hold Cyber Essentials" carries more weight than "our IT person says we're fine." Insurers underwrite risk, and they want verification, not opinions.
How CE affects your policy (and it's not just price)
The headline number is a 5-15% premium reduction for CE-certified organisations. But that understates the actual effect. CE changes three things about your insurance position, and only one of them is the premium.
Premium reductions
The 5-15% range is what's widely reported and what I see reflected in client experiences. Where you land depends on your sector, your claims history, the size and complexity of your environment, and whether you hold CE Basic or CE Plus.
The maths: CE Basic costs from £320 + VAT. If your cyber insurance premium is £3,000 and certification knocks 10% off, you save £300 annually on premiums. That doesn't pay for the certification on its own. But add the £25,000 free cover, the improved claims position, and the fact that many government and supply chain contracts require it, and the return is well beyond the cost of certification.
CE Plus typically gets a better discount because it includes independent technical verification. An assessor actually checks your systems rather than relying on your self-assessment answers. Insurers trust verified evidence more than attested evidence, and that shows up in pricing.
Policy terms
This is where most people don't look closely enough. Premium is only one part of an insurance policy. The terms matter just as much, sometimes more.
Some insurers offer CE-certified organisations lower excesses, meaning the amount you pay out of your own pocket before the insurer covers the rest. Others extend coverage to include reputational damage or supply chain incidents that might otherwise be excluded.
I've seen policies where the CE-certified version covers incident response from the first pound, while the non-certified version has a £5,000 excess. Over the course of a claim, that difference matters far more than a 10% premium saving.
Claims processing
When you need to claim, the insurer investigates before they pay. They want to understand what happened, how it happened, and whether you took reasonable precautions. A valid CE certificate at the time of the breach speeds this process up considerably.
The insurer already knows your baseline security position because it's documented. There's less back-and-forth about what controls you had in place. That matters when your systems are down and you need the claim resolved quickly.
CE Basic vs CE Plus: what insurers actually think
From an insurance perspective, the distinction between CE Basic and CE Plus is about the quality of evidence.
CE Basic is a self-assessment where you answer questions about your controls. A qualified assessor reviews your answers and, if they're satisfied, issues the certificate. It confirms that you've declared your controls are in place.
CE Plus adds hands-on testing on top of that. An assessor scans your systems, checks your configurations, runs vulnerability scans, and verifies that what you said on paper matches what's actually running. If you said your patching is within 14 days, the assessor checks whether it is. If you said MFA is enabled on all cloud services, they verify it.
For insurers, CE Plus is verified evidence, while CE Basic is attested evidence. Both are better than nothing, and both contribute to premium reductions. But CE Plus is the one that strengthens your claims position, because an independent assessor confirmed your controls were in place at a specific point in time.
CE Plus costs more than Basic, with prices ranging from £1,200 to £2,100 + VAT depending on the size and complexity of your environment. Whether the additional insurance benefit justifies the cost depends on your policy size and how seriously your insurer treats the distinction. For businesses with premiums above £5,000, the additional discount from CE Plus over CE Basic often covers most of the extra cost.
The free £25,000 cover
Every CE certificate comes with automatic cyber insurance cover of up to £25,000 through the IASME scheme. It's available to UK-domiciled organisations with turnover under £20 million, provided the whole organisation is within the scope of the certification (a certificate covering only a subset of the business doesn't qualify). You don't need to apply for it separately, because it activates when your certificate is issued and runs for the same 12 months as the certificate.
I've covered the mechanics of this in detail, including what it pays for, what it doesn't, and how it interacts with standalone policies. The short version: it covers incident response costs, business interruption, data recovery, and notification costs. The £25,000 limit is enough for a smaller incident. For anything larger, you need a standalone policy.
The important point for this article is where the free cover sits in the broader insurance picture. It's a safety net, not a substitute. The average small business breach costs between £3,000 and £20,000. The free cover sits within that range for smaller incidents. But WannaCry cost the NHS £92 million. The Synnovis attack in 2024 cost £32.7 million. Those are extreme examples, but they show how quickly costs escalate beyond what a £25,000 policy covers.
If your business handles sensitive data, operates in a regulated sector, or would suffer significant downtime from a breach, standalone cyber insurance alongside the free cover is the sensible position.
Claims scenarios: with CE and without
This is where the rubber meets the road. Two businesses get hit by the same type of attack, but one holds a valid CE certificate and the other doesn't have any certification at all.
Breach with valid CE
A phishing email compromises an employee's email account. The attacker accesses client data before the breach is detected. The organisation holds a valid CE certificate and can demonstrate that MFA was enabled, patches were current, and access controls were properly configured.
During the claim, the insurer reviews the CE certificate and the scope description. The breach happened despite the controls being in place, which is always possible since no security measure stops everything. The claim proceeds on the basis that the organisation took reasonable precautions. The insurer's investigation is shorter because the baseline security posture is documented.
Breach without CE
Same attack, same vector, but this organisation has no CE certificate. The insurer asks what security measures were in place. The organisation says "we have antivirus and a firewall." The insurer asks about MFA. It wasn't enabled on email, and when they ask about patching, updates were months behind.
The claim gets complicated quickly from that point. The insurer may argue that the breach was caused or worsened by inadequate security measures. That doesn't automatically void the claim, but it gives the insurer grounds to dispute the payout, reduce the settlement, or increase the excess.
The grey area
The scenario most businesses should worry about is the one in between. You passed your CE assessment in March. By September, a critical patch didn't get applied within 14 days, someone disabled MFA on their account because it was inconvenient, and a new starter got admin access that nobody reviewed.
If a breach happens in October and the investigation reveals that your controls had drifted from what was assessed, the certificate becomes much less useful. You can't point to a piece of paper from six months ago when the evidence shows your controls weren't actually in place when the breach occurred.
The organisations in the strongest claims position are the ones that maintain their controls throughout the year, not just at assessment time. CE is an annual snapshot of a single point in time. Your insurer cares about what was true on the day of the breach.
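What "maintain your controls throughout the year" looks like in practice is a check you can run on any date, not just at assessment time. The following is an added example, not IASME tooling or anything from the original article: it evaluates a small constructed inventory against the CE 14-day patch window, MFA status and a hypothetical 90-day admin access review policy (the 90-day figure is an assumption, not a CE requirement), and shows that the same environment passes in March and fails in October once the drift described above has happened. The data model, field names and dates are all invented for illustration.

```python
"""Point-in-time evaluation of CE-style controls against an asset inventory.

Added example with a hypothetical data model; the sample devices and accounts
below are constructed to mirror the article's March-pass, October-fail scenario.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

PATCH_SLA_DAYS = 14      # CE requirement: critical/high patches applied within 14 days of release
ADMIN_REVIEW_DAYS = 90   # assumed internal policy for reviewing admin access; not a CE figure


@dataclass
class Device:
    name: str
    # patch id -> vendor release date, for critical/high patches not yet applied
    pending_critical: Dict[str, date] = field(default_factory=dict)


@dataclass
class Account:
    user: str
    service: str
    mfa_disabled_since: Optional[date] = None   # None means MFA has stayed enabled
    admin_since: Optional[date] = None          # None means the account is not an admin
    last_access_review: Optional[date] = None   # None means admin access was never reviewed


Finding = Tuple[str, str, str]  # (CE control area, subject, detail)


def evaluate_controls(devices: List[Device], accounts: List[Account], as_of: date) -> List[Finding]:
    """Return every control failure that was true on the given date.

    Only state that existed on `as_of` counts: a patch released after that date
    is not overdue, MFA disabled later is not a finding, and an admin granted
    later is ignored. This is what an insurer's investigator reconstructs.
    """
    findings: List[Finding] = []

    for dev in devices:
        for patch_id, released in dev.pending_critical.items():
            age_days = (as_of - released).days
            if age_days > PATCH_SLA_DAYS:
                findings.append(("patch_management", dev.name,
                                 f"{patch_id} released {age_days} days ago, SLA is {PATCH_SLA_DAYS}"))

    for acc in accounts:
        subject = f"{acc.user}@{acc.service}"
        if acc.mfa_disabled_since is not None and acc.mfa_disabled_since <= as_of:
            findings.append(("user_access_control", subject,
                             f"MFA disabled since {acc.mfa_disabled_since.isoformat()}"))
        if acc.admin_since is not None and acc.admin_since <= as_of:
            reviewed = acc.last_access_review
            if reviewed is None:
                findings.append(("user_access_control", subject, "admin access never reviewed"))
            elif (as_of - reviewed).days > ADMIN_REVIEW_DAYS:
                findings.append(("user_access_control", subject,
                                 f"admin access last reviewed {(as_of - reviewed).days} days ago"))

    return findings


# Constructed sample inventory: clean at the March assessment, drifted by October.
DEVICES = [
    Device("laptop-07", pending_critical={"KB-2025-09-01": date(2025, 9, 1)}),  # patch never applied
    Device("fileserver-01"),                                                      # fully patched
]
ACCOUNTS = [
    Account("alice", "m365"),                                                     # MFA on, not admin
    Account("bob", "m365", mfa_disabled_since=date(2025, 8, 20)),                 # turned MFA off
    Account("carol", "vpn", admin_since=date(2025, 9, 15)),                       # new starter, no review
]


def drift_report(as_of: date) -> List[Finding]:
    """Findings for the sample inventory as they stood on `as_of`."""
    return evaluate_controls(DEVICES, ACCOUNTS, as_of)


if __name__ == "__main__":
    for when in (date(2025, 3, 15), date(2025, 10, 10)):
        report = drift_report(when)
        print(f"{when.isoformat()}: {len(report)} finding(s)")
        for control, subject, detail in report:
            print(f"  [{control}] {subject}: {detail}")
```

Run against a real inventory (your RMM or MDM export for patches, your identity provider for MFA and admin state) on a schedule and keep the dated output. A stack of clean monthly reports is the evidence that the controls on the certificate were still in place on the day of the breach; the certificate alone only proves they were in place on the day of the assessment.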
The ransomware payment ban and what it means for insurance
The UK government consulted on ransomware payment proposals in early 2025. The results were published in the Home Office consultation response, and the direction of travel matters for anyone with a cyber insurance policy.
Here's what was proposed in the consultation. A targeted ban on ransomware payments by public sector bodies and operators of critical national infrastructure (CNI). A mandatory reporting regime requiring organisations to report ransomware incidents to a designated authority within 72 hours, with a full follow-up report within 28 days. And a prevention framework tying into existing standards.
72% of consultation respondents agreed with the targeted ban. The scope covers public sector and CNI operators, not all businesses. But the mandatory reporting requirements would apply more broadly.
For insurance, this has three implications worth understanding.
First, if you're in the public sector or operate critical infrastructure, a ransomware payment ban changes the claims conversation entirely. Your insurer can't reimburse a payment you're legally prohibited from making. The insurance value shifts entirely to incident response, recovery, and business interruption cover.
Second, mandatory reporting within 72 hours means you need an incident response plan that actually works. Insurers are already asking about this on application forms. If mandatory reporting becomes law, having a tested incident response process won't just be good practice. It'll be a condition of getting a policy.
Third, and this is the one that connects back to CE: the prevention framework explicitly references baseline security standards. CE is the government-backed baseline for exactly this purpose. If mandatory reporting comes with an expectation that organisations had baseline security in place, CE certification is the clearest way to demonstrate that.
The proposals haven't become law yet, but the direction is clear enough to act on. Insurers are already factoring it into their underwriting. I'd expect premium discounts for CE-certified organisations to increase, not decrease, as regulation tightens.
Timing your certification with your insurance renewal
There's a practical sequence here that most organisations get wrong. They renew their insurance, then think about CE. That's backwards and it costs them the discount for an entire year.
Here's the order that actually saves you money in practice.
Six to eight weeks before your policy expires, start your CE assessment. CE Basic takes most organisations a few hours to complete the questionnaire, plus assessment and processing time. CE Plus takes longer because it involves booking a technical audit. Leave yourself enough time.
Get certified before your renewal date. When your broker goes to market with your renewal, they can include "holds Cyber Essentials certification" in the submission. That's when the premium discount applies. If you certify after renewal, you've missed the window and you're waiting 12 months for the saving.
Notify your insurer promptly once certified. Most policies require notification of material changes to your risk profile, and the wording usually sets a deadline (30 days is common, but check your own policy). Getting CE is a positive change, but you still need to tell them.
Allow two to four weeks for insurance negotiation. Brokers don't always get the best quote first time. If your initial renewal quote doesn't reflect the CE discount, ask your broker to go back to the underwriter with the certificate as evidence.
Keep your certification aligned with your insurance cycle. CE is valid for 12 months. If you can align the renewal dates, you avoid a gap where you're paying for insurance without the certification discount.
One thing I'd flag: don't rush your CE assessment just to hit an insurance deadline. A failed assessment wastes time and money. If your renewal is in four weeks and you haven't started, it's probably better to renew without the discount and get certified properly for the following year.
The cost comparison that matters
Here's the comparison most businesses should run but don't.
| Item | Cost |
|---|---|
| CE Basic certification | From £320 + VAT |
| CE Plus certification | £1,200 to £2,100 + VAT |
| Average small business breach cost | £3,000 to £20,000 |
| Free insurance included with CE | £25,000 cover |
| Typical premium saving (10% on £3,000 policy) | £300 per year |
| WannaCry cost to NHS | £92 million |
| Synnovis attack cost | £32.7 million |
CE Basic certification costs less than the minimum average breach cost. It includes £25,000 of free insurance, reduces your standalone premium, strengthens your claims position, and satisfies supply chain requirements. There's no version of this calculation where the certification doesn't pay for itself.
The only question is whether you need CE Plus on top of CE Basic. If your insurance premiums are significant, if you handle sensitive data, or if your sector has regulatory expectations, CE Plus gives you a stronger position across the board. The extra cost usually comes back through a combination of better premium reductions and a stronger claims footing.
What I tell clients about insurance and CE
When someone asks me whether CE is worth it for the insurance benefits alone, the honest answer is: probably yes, but that's the wrong way to think about it.
CE reduces your risk of being breached in the first place, and that's the primary benefit of getting certified. Everything else, including the insurance savings, the free cover, the claims position, the supply chain access, follows from that.
The organisations I see getting the most value from the insurance angle are the ones who treat CE as an ongoing standard rather than an annual event. They keep their controls maintained between assessments. They use the free £25,000 cover as a floor, not a ceiling. They time their certification with their renewal. And when something does go wrong, they've got documentation that shows they were doing the right things consistently.
That's a much stronger position than scrambling for evidence after a breach.
Need help with your Cyber Essentials assessment? Get in touch, email [email protected], or call +44 20 3026 2904.
Related articles
- Cyber Essentials and Insurance: What Your Certificate Actually Gets You
- Cyber Essentials ROI Calculator
- Why Financial Advisors Need Cyber Essentials
- Cyber Essentials for Financial Services
- How Much Does a Pen Test Cost in the UK?
Related Guides
Free Cyber Insurance with Cyber Essentials: What You Get and How to Upgrade
Every Cyber Essentials certificate includes free £25,000 cyber insurance. Five major UK insurers use CE as a baseline. Here's exactly what's covered, the 80% claims reduction, and how to upgrade to £100K or £250K.
Cyber Essentials for Financial Services: FCA, DORA, and Scope
Financial services firms face overlapping regulatory expectations on cybersecurity. Cyber Essentials maps directly to FCA operational resilience rules. Here's how.
Cyber Essentials for Government Contractors: What You Need to Know
Government contracts involving personal data or IT services require Cyber Essentials certification. Here is what the requirement means and how to meet it.