Recent figures from the Association of British Insurers (ABI) show a dramatic rise in cyber insurance pay-outs across the UK, reaching £197 million in 2024 – almost triple the previous year! We’re taking a look at Cyber Insurance. Is it worth it for SMEs? What can be done to reduce your risk?

If you’re short on time (or attention), here’s a quick summary
Cyber insurance may well prove indispensable in today’s digital economy, but it remains essential for all businesses, irrespective of size or sector, to be proactive and vigilant in relation to cyber security. Cyber security is just as important as physical security, so if you’re taking out cyber insurance you should be taking cyber security very seriously.
You would not expect your insurer to pay out on a burglary if you’d left the business premises insecure, so don’t expect to get coverage for cyber risks if your data security is lax.
What should SMEs be doing to reduce cyber risks?
Consider taking these proactive steps:
- Make a list of your own ‘What If’ scenarios.
- Start building a relationship with a trusted IT services provider or Security Consultant and get their advice (a relatively small investment now could save you tens of thousands of pounds!)
- Build your Business Continuity Plan
- Ensure all your employees are cybersecurity aware and understand the Continuity Plan.
- Work towards Cyber Essentials or Cyber Essentials Plus certification
- Consider Cyber Insurance
Did you know?
- Organisations with Cyber Essentials certification are 92% less likely to make an insurance claim than comparable uncertified organisations! Prevention really is better than cure!
- It’s possible for organisations with Cyber Essentials certification to get FREE cyber insurance! Yes, really!
Scroll down to find links to more information to help you address your cyber security needs (towards the end of this post).
A cyber attack doesn’t have to mean the end of your business when you have a trusted IT Support provider watching your back!
Read on for a deeper insight…
2025 M&S cyber insurance pay-out won’t cover the total loss
Cybercriminals continue to target organisations of all sizes, and small businesses are feeling the strain just as much as big enterprises. Ransomware and malware remain the most common causes of disruption, often leading to costly downtime, lost productivity and significant recovery work.
It’s no surprise, then, that more small and medium-sized businesses have taken out cyber insurance, with policies up by 17 per cent in 2024. However, insurance isn’t a guaranteed safety net. Insurers are tightening requirements and, increasingly, claims are being assessed against whether a business has taken reasonable steps to protect itself.
M&S has confirmed that its major cyber attack in April 2025 almost wiped out its half-year profits, cutting statutory profit before tax by 99%, from £391.9 million to just £3.4 million. This led to them recording £102 million in one-off costs. They expect to spend another £34 million before year-end. An insurance pay-out of £100 million offset part of the impact, though overall losses are expected to reach around £300 million. This suggests cyber insurance is not covering all losses in a cyber attack, even for the big corporations, so SMEs need to consider taking proactive steps to reduce risk and increase the likelihood of their insurer paying out in the event of a claim.
Real-World Cyber Attack Scenarios Small Businesses Everywhere Can Relate To
Cyber incidents don’t just happen to large corporations. Many of the cases that don’t make the news involve everyday small businesses:
- A small retailer unable to take payments
A ransomware attack locks their point-of-sale software, leaving them without card payments for a whole weekend. Because they had recent backups and patching in place, their insurer supported the claim — but the lost revenue is still painful.
- A local accountancy firm hit at the worst possible time
Malware spreads after a staff member clicks a convincing phishing email. With no rehearsed recovery plan, restoring client files takes days, causing missed deadlines and strained client relationships.
- A manufacturer disrupted by a cyber incident — but not their own
A key supplier suffers a major attack and cannot ship essential components. Production stalls for a week. Staff are on-site but idle, customers face delays, and the financial impact is significant. Supply chain cyber incidents like this are becoming increasingly common.
These examples highlight that cybersecurity isn’t just about “tech problems” — it’s about operational resilience, continuity and safeguarding your business’s reputation.
Worth considering, too, is what happened to the 160-year-old haulage company Knights of Old in June 2023. They believed they had robust security measures in place, but they were still crippled by a ransomware attack, which had corrupted critical financial data. They went into administration, leading to the loss of 700+ jobs.
Former Knights of Old board member Paul Abbott recommends: “Whatever you think you’ve done, seriously get it checked by experts. People don’t think it’s going to happen to them.”
Start your cybersecurity journey now by considering your own ‘What Ifs’, e.g. ‘What if our EPOS systems are down for a day/week/month?’; ‘What if we can’t receive orders by email?’; ‘What if our main supplier is attacked and we can’t get parts or materials for weeks?’; ‘What if we lose data and can’t fulfil our statutory reporting obligations or financial backers’ reporting requirements?’.
Why Cyber Essentials Matters for SMEs Now More Than Ever
Cyber Insurers expect even the smallest organisations to demonstrate good cyber hygiene. This doesn’t mean expensive, enterprise-level systems — it simply means having solid foundations in place:
- Strong and tested backups
- Multi-factor authentication
- Up-to-date software and patches
- Cybersecurity awareness training for employees
- Documented and rehearsed recovery plans
The bad news is that without the above basics in place, businesses risk reduced or rejected claims. The good news is that getting your business Cyber Essentials certified ensures the basic solid foundations ARE in place! Achieving Cyber Essentials Plus demonstrates an even greater commitment to ongoing cyber security.
Why you might need a Trusted IT Support Provider on side before you talk to your Cyber Insurer
Many small businesses still believe they can “get by” without dedicated IT support, relying on ad-hoc fixes or internal staff who try their best but don’t have time to stay on top of security trends. But in today’s landscape, a proactive relationship with a trusted IT partner or managed service provider (MSP) can make all the difference.
A good IT Support Provider or Managed Service Provider (MSP) doesn’t just fix problems when things break; they are proactive. They help prevent issues, guide your cybersecurity strategy and ensure your systems stay secure and compliant. They can:
- Monitor systems for emerging threats
- Keep backups, patches and updates consistently maintained
- Help you meet cyber insurance requirements
- Assist with risk assessments and recovery plans
- Offer clear guidance without technical jargon
- Provide ongoing support that grows with your business
For many SMEs, partnership with a trusted IT Support Provider, or MSP, is what turns cybersecurity from a burden into a manageable, confidence-building part of everyday operations. And your cyber insurer is likely to take your proactive approach to cyber security, under the guidance of an experienced IT provider, into consideration when calculating your premiums!
Integrating Cybersecurity Into Routine Business Risk Reviews
Most small businesses already review financial, operational and health-and-safety risks — so cybersecurity can be woven naturally into these existing cycles. Regular cyber risk assessments help ensure controls remain effective, supplier risks are monitored and staff stay aware of new threats.
Strengthening Your Cyber Resilience for the Future
With cyber threats rising and insurers expecting more, now is the perfect time to review your approach. Whether you already have cyber insurance or are considering it for the first time, strengthening your cybersecurity posture — supported by a trusted IT partner — improves your chances of a successful claim and reduces the risk of costly disruption.
One thing to consider is that, with cyber insurance pay-outs on the increase, premiums will inevitably rise too. Getting your cybersecurity in order now, and building a history of ‘no claims’ or smaller claims as a result, will lead to lower premiums for you in the long run.
Cybersecurity doesn’t need to be overwhelming. With proactive support, clear guidance and a culture that values good security, every small business can build strong foundations for long-term resilience and peace of mind. Working towards Cyber Essentials certification is a great way to get the ball rolling in the right direction.
Where to go for more information
The full ABI press release is available to read on their website here
The National Cyber Security Centre has guidance and a Cyber Action Toolkit here.
The NCSC report on the Impact of Cyber Essentials over the last decade is here
The UK Government’s report on the Impact of Cyber Essentials is here
More information on the FREE Cyber Insurance for organisations with Cyber Essentials certification here
Whether you are considering Cyber Essentials or Cyber Essentials Plus for your business, or you want help defining your cyber resilience strategy, GET IN TOUCH WITH COSURICA NOW. We take the strain out of tightening up your security, building resilience, getting certified, and satisfying your insurer’s requirements.
When Cosurica has your back, a cyber attack doesn’t have to mean the end of your business!