Free Cyber Insurance with Cyber Essentials: What You Get and How to Upgrade

Most businesses focus on the certification itself: passing the assessment, getting the badge, meeting a contract requirement. The free insurance that comes with every CE certificate gets a brief mention and then is quickly forgotten.
The insurance deserves proper attention, not because £25,000 covers every scenario, but because it is the starting point of a stronger insurance position.
What you get automatically
Every CE certificate, both Basic and Plus, includes free cyber insurance cover of up to £25,000. American International Group (AIG) underwrites it, and it's administered through the IASME scheme. You don't need to apply separately because it activates automatically when your certificate is issued and runs for 12 months.
The cover is open to eligible UK-registered organisations with turnover under £20 million. Most small and medium enterprises (SMEs) qualify. That threshold covers the vast majority of businesses getting CE for the first time.
What the £25,000 covers
The free policy covers several areas that matter in the first hours and days after an incident:
- Third-party liability: if a breach exposes client data and they claim against you
- Legal and regulatory costs: legal advice, ICO notification, and regulatory response
- IT forensic and recovery: investigating the breach, restoring systems, recovering data
- Reputational damage: crisis management and communications support
- Business interruption: lost income while systems are down
The £25,000 limit applies across all categories combined, not per category. For a smaller incident needing forensic work, system restoration, and customer notification, £25,000 covers it. The Department for Science, Innovation and Technology (DSIT) Cyber Security Breaches Survey 2025 puts the average UK small business breach cost at £3,000 to £20,000. The free cover sits within that range for most incidents.
For anything larger, especially ransomware where recovery can exceed £100,000, the free cover is a starting point rather than a full solution.
The 80% claims reduction
IASME data shows CE-certified organisations are 80% less likely to make a cyber insurance claim than uncertified businesses. That figure reflects what the five technical controls actually prevent.
Most successful attacks on UK businesses exploit basic gaps: unpatched software, missing MFA, weak passwords, misconfigured firewalls, and poor malware protection. Those are the exact five controls CE tests. When they're in place, the attack routes that generate the most claims are shut down.
Insurers watch this data closely because an 80% drop in claims means lower risk, which translates directly to better terms for certified organisations. This is not theory but the basis on which underwriters set their pricing.
Major insurers that recognise CE
AIG underwrites the free £25,000 cover included with every CE certificate through IASME. That makes it the insurer most closely tied to Cyber Essentials. Beyond that, several major UK cyber insurers recognise CE in their own underwriting.
AIG
AIG underwrites the free cover and also recognises CE in its standalone cyber insurance products. CE serves as evidence of baseline security controls. They're the insurer most directly connected to the scheme.
Aviva
Aviva is one of the UK's largest general insurers. It includes CE status in its commercial cyber insurance underwriting. CE is a positive factor in risk assessment for SME policies.
Hiscox
Hiscox has been a major player in UK cyber insurance for over a decade. Their underwriting asks about security controls that map directly to the CE framework. CE simplifies the application and typically improves terms.
Chubb
Chubb factors CE into risk assessment for its UK cyber insurance products. For mid-market and enterprise clients, CE Plus is increasingly expected as part of the underwriting evidence.
AXA
AXA includes cyber security certification in its commercial underwriting for UK SMEs. CE is one of several factors that affect premiums and coverage terms.
How CE changes your insurance
The effect goes beyond a percentage off your premium. CE changes three parts of your insurance position.
Premium reductions
The typical range is 5-15% off annual premiums. Where you land depends on your sector, claims history, size, and whether you hold CE Basic or CE Plus. CE Plus usually gets a higher discount because it includes independent technical testing, not just self-assessment.
The maths: CE Basic costs from £320 + VAT. If your premium is £5,000 and CE gets you 10% off, you save £500 a year. Add the free £25,000 cover on top, and the return on the certification cost is clear.
Better policy terms
Some insurers give CE-certified organisations lower excesses. That means you pay less out of pocket before cover kicks in. Others extend coverage to areas that might otherwise be excluded, such as reputational damage or supply chain incidents.
Stronger claims position
When you need to claim, a valid CE certificate shows you had baseline controls in place at the time of the breach. Insurers check whether you took reasonable steps before paying out. A current certificate is documented proof that you did. That shortens the investigation and gets the claim settled faster.
Upgrading the free cover
IASME offers paid upgrades from the free £25,000 cover:
| Cover Level | Cost | How to Access |
|---|---|---|
| £25,000 | Free (included) | Automatic with CE certificate |
| £100,000 | Paid add-on | Through certification body at certification or renewal |
| £250,000 | Paid add-on | Through certification body at certification or renewal |
Upgrades are available at certification or renewal, covering the same areas (liability, legal, forensic, reputation, and business interruption) with higher limits.
If you handle sensitive client data, work in a regulated sector, or could lose major revenue from downtime, an upgrade to £100,000 or £250,000 is worth considering. You can hold the IASME cover and a standalone policy at the same time. The IASME cover acts as a first layer.
When the free cover isn't enough
The £25,000 limit handles most smaller incidents. But some scenarios exceed it:
- Ransomware recovery: average recovery costs for UK SMEs go well beyond £25,000
- Extended downtime: if systems are down for weeks, lost revenue alone can exceed the limit
- Regulatory fines: ICO enforcement actions can result in fines well above £25,000
- Multi-party breaches: if a breach exposes data from multiple clients, liability claims stack up fast
For these cases, you need standalone cyber insurance alongside the free cover. Your CE certificate helps you get better terms on that standalone policy. Together, they create a combined position that's stronger than either one alone.
The open letter to FTSE 350
Six senior government officials, four cabinet ministers plus the heads of the NCSC and the National Crime Agency (NCA), wrote an open letter to FTSE 350 CEOs urging them to take cyber security seriously. The letter named CE as the baseline standard and made clear it is not just a public sector requirement.
Insurers respond directly to signals like this, and when ministers link CE to board-level responsibility, underwriters adjust their pricing accordingly. CE is moving from a nice-to-have discount factor towards a standard requirement for commercial cover.
Getting certified
CE Basic starts at £320 + VAT with Net Sec Group. Standard turnaround is 48 hours, with 12-hour fast track available. CE Plus starts at £1,200 + VAT and includes a technical assessment. Both levels include the free £25,000 insurance cover.
If you want to go beyond annual certification to continuous security, Cyber 365 covers the full programme: vulnerability scanning, managed patching, EDR monitoring, and the compliance evidence that makes both assessment and insurance renewal straightforward.
The insurance benefit alone doesn't justify getting CE. But combined with contract access, premium savings, stronger claims positioning, and the actual security improvement, it's one more reason the certification pays for itself.