Cyber-attacks can be a costly business, yet many firms aren’t taking out cyber insurance, according to the UK government’s Breaches Survey. Why is this?
According to the UK government’s Breaches Survey, many firms are still failing to take out cyber insurance. Less than half of businesses (45 percent) and a third of charities (34 percent) reported being insured against cybersecurity risks in some way.
Among the reasons for this, many of those surveyed didn’t see cyber insurance as a budgetary priority. A lack of awareness and understanding of how insurance can help with incidents other than breaches was also a barrier to having a policy in place.
Yet cyber insurance has multiple benefits, including incident response assistance and of course, a financial safety net should firms be hit by an attack. As firms continue to grapple with increasing cyber-attacks amid the growing prevalence of ransomware, why do so many fail to take out cyber insurance, and what does this mean for their security?
Why don’t firms take out insurance?
The 2025 survey asked companies why they didn’t have any cyber insurance. For many, it was not a budgetary priority (34 percent of businesses and 41 percent of charities), followed by a lack of awareness of cyber insurance (37 percent of businesses and 31 percent of charities).
Cost-benefit analysis of cyber insurance emerged as a key theme throughout the Breaches Survey’s qualitative interviews. Even those that did take out cyber insurance rarely made claims because they couldn’t see the benefits. Much of this was due to a fear of an increase in premiums.
“The scale of the incidents we had never got to the point where it was going to be worthwhile,” one head of cybersecurity told the survey. “The increase in premiums and the excess [meant] it just wasn’t going to be economical to make a claim.”
Larger businesses (18 percent of medium businesses and 27 percent of large businesses) and high-income charities (23 percent) were more likely to have a specific policy in place, according to the survey.
Martyn Janes, lead cyber underwriter at insurance firm rrelentless, works with SMEs daily. He says there is a common misconception that cyber attackers will only target large companies. “Unfortunately, that’s just not the case. As SMEs often lack dedicated IT professionals or sophisticated security teams, they can be an easy target for cyber-criminals. Hackers will go after what is vulnerable, not necessarily what is valuable.”
Cyber insurance is sometimes considered too costly, particularly for SMEs, says Janes. “However, the fee falls short compared with the financial and reputational costs of an attack.”
Some organisations — especially smaller and medium-sized businesses — hesitate to purchase cyber insurance due to concerns about cost, says Tom Moore, director of digital forensics and incident response at BlueVoyant.
These companies often perceive themselves as low-risk targets, particularly if they don’t handle sensitive data, he says. “Businesses that interact with larger partners or deal indirectly with sensitive information, however, might be more vulnerable than they realise.”
Benefits beyond a breach
At the same time, some firms are failing to understand the breadth of scenarios cyber insurance may cover. Perhaps most importantly, cyber insurance offers a financial backstop to help abate some of the risk of a successful attack, says Chris Henderson, chief information security officer at Huntress.
Yet there is a common misconception that cyber insurance primarily covers the cost to pay an adversary to obtain the decryption keys after a ransomware attack, says Henderson. “While a ransom payment certainly is a large sum of money, there are many more costs associated with a cyber event. These ancillary costs are the primary benefit of cyber insurance.”
Some of the covered costs include arbitration, cyber extortion, loss of business revenue, regulatory fines, third-party incident response services and breach coaching, he says.
A cyber policy typically includes first-party coverage, protecting the organisation’s own losses such as business interruption, forensic investigations and legal support, says Richard Breavington, partner and head of cyber and tech insurance at RPC.
It also includes third-party liability, covering claims from external parties affected by the breach, he adds.
Why you need it
The benefits are clear, and in many cases it makes business sense: firms often need to have cyber insurance to prove their credentials to potential partners.
In today’s climate, there is an increasing expectation that organisations will have cyber insurance, says Breavington. “In many sectors, such as professional services, due diligence processes are becoming more rigorous – especially around data protection. As a result, having cyber cover may be an expectation, not a bonus.”
At the same time, operating without a cyber insurance policy places all of the financial risk of a security incident on the organisation, Henderson warns. “And the financial impact of a major breach can be significant enough to end the business.”
Indeed, without insurance, some companies can be “totally caught off guard” when they are breached, says Dr. Ruth Wandhöfer, NED, author, speaker, adviser and professor. She cites the example of the Co-op and Harrods cases, where “the appropriate cyber security defence tools were not in place when they were attacked”.
Choosing a provider
Despite the fact that half of businesses don’t take out cyber insurance, experts agree that most firms will benefit from it. To assess the need for cyber insurance, companies should consider factors such as the type of data they handle, their industry’s regulatory requirements, and the robustness of their cybersecurity infrastructure, Moore advises.
The best way for companies to assess their cyber insurance needs is to work with an experienced broker who understands their industry, size and specific risk profile, says Elissa Doroff, director of cyber insurance and legal partnerships at Sygnia Consulting. “A skilled broker can help evaluate a company’s cybersecurity maturity, regulatory environment, and exposure to risks such as ransomware, data breaches or operational disruption.”
When choosing a provider, businesses should evaluate coverage scope, the insurer’s reputation and the level of incident response support available, says Moore.
“If an organisation already works with an incident response firm, selecting a provider that partners with that company is ideal. If not, insurers can help identify the right partner. Most importantly, the policy should be tailored to meet the specific needs of the business.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist