Cybersecurity essentials for UK SMEs
The practical controls that keep small businesses safe, and insurable.
See what cyber insurance should cost your UK business, and how much cover you need. Free, anonymous, under two minutes.
Most UK SMEs pay between £350 and £5k a year for standalone cyber insurance. Micro-businesses with good security controls pay from around £130 a year, while mid-market firms pay £3k to £50k or more. Sector, the data you hold, your security controls and the cover limit you choose move the price most, and evidenced controls cut it by 10% to 40%.
Cost data updated: July 2026. Benchmarks calibrated to published 2024 to 2026 UK market data.
The calculator below turns those benchmarks into an estimate for your business.
Answer four quick questions to get an annual premium range and a suggested cover limit for your business.
Illustrative estimate, not a quote
about £0 a month
£0
£0
£0
Compare your estimate with UK benchmarks by turnover and sector
Most UK insurers now treat MFA as a minimum requirement, and missing MFA is the leading reason applications are declined. Fix this before seeking quotes.
Many insurers won't quote without backups you've actually tested a restore from, kept offline or immutable. This is usually a quick win.
At £2m+ turnover, many insurers expect endpoint detection and response (EDR or MDR) on every device. Without it, expect tougher questions or a loaded price.
Insurers re-rate after a claim, and some will decline or apply special terms such as a higher excess. Be ready to show what's changed since the incident.
With neither MFA nor tested backups in place, many insurers will decline or restrict cover. Treat this range as a best case.
Adding would typically trim your premium: roughly £0 a year off your typical figure at today's calibration.
Cyber Essentials certification alone typically saves 5% to 25%, and includes £25k of free cyber liability cover for UK organisations under £20m turnover. How the free cover works
| Base rate | |
|---|---|
| Sector | |
| Cover limit | |
| Security controls | |
| Data profile | |
| Claims history |
Where these multipliers come from
Your estimate assumes a typical data volume for your size, as you selected "Not sure" for records held.
Illustrative guidance, not a quote
Above £50m turnover there's no meaningful benchmark rate: insurers underwrite each risk individually, and published benchmarks run from £25k to £150k+ a year depending on sector, data and controls. A specialist broker who places cyber regularly (for example through the Lloyd's market) will get materially better terms than any online estimate.
The security controls still decide your price and your insurability: MFA everywhere, EDR on every endpoint, tested backups and an exercised incident response plan are the entry ticket at this size.
This is an illustrative estimate, not a quote or financial advice. It's calibrated to published 2024 to 2026 UK market data (July 2026) and assumes a standard excess (£1k to £2.5k). Estimates are typically within ±40% to 50% of mid-market quotes, and real quotes for the same business can differ by a factor of two or more between insurers. Red Eagle Tech is not an insurer or broker and isn't FCA-authorised. Always get quotes from an FCA-authorised broker or insurer.
what most UK SMEs pay per year for standalone cyber cover
the average UK SME cyber claim (Aviva claims data, 2025)
off the premium for evidenced security controls (WTW, 2025)
| Annual turnover | Typical annual premium | Cover typically bought |
|---|---|---|
| Under £100k | £130 to £450 | £250k to £500k |
| £100k to £500k | £250 to £750 | £500k |
| £500k to £1m | £450 to £1.2k | £500k to £1m |
| £1m to £5m | £800 to £4k | £1m to £2m |
| £5m to £10m | £2.5k to £6.5k | £2m |
| £10m to £50m | £4k to £16k | £2m to £5m |
Ranges assume a standard-risk sector with baseline controls (MFA and tested backups) in place, compiled from published UK broker examples and band tables, calibrated July 2026.
| Tier | Example sectors | Effect on premium |
|---|---|---|
| Low | Construction and trades, marketing, charities | Around 10% to 15% below standard |
| Standard | Manufacturing, transport, hospitality, retail, education | The baseline |
| Elevated | Professional services, recruitment, IT and MSPs | Around 25% to 40% above standard |
| High | Healthcare, legal, financial services | Around 50% to 60% above standard |
Tiers reflect published carrier commentary on sector loss experience: the more valuable the data and the deeper the system access, the higher the tier.
| Cover limit | Relative premium |
|---|---|
| £250k | about half the £1m price |
| £500k | about 70% of the £1m price |
| £1m | the reference point |
| £2m | about 1.5 times the £1m price |
| £5m | about 2.5 times the £1m price |
Doubling the limit doesn't double the price: quadrupling cover roughly doubles the premium. The curve shape comes from published US pricing ladders (AdvisorSmith), as UK insurers don't publish an equivalent, applied to UK base prices.
Cyber insurers rate a handful of factors, and they weigh them in a fairly consistent order. Analysis of more than 180 actual insurer rate filings (Romanosky et al., Journal of Cybersecurity) found revenue is the single heaviest factor, followed by industry, with everything else applied as modifiers. That's exactly how this calculator works, and it's why the wizard asks its questions in this order.
Two optional add-ons also move quotes when you buy: social engineering and cybercrime cover (fraudulent payment losses, which standard wordings often exclude) and extended business interruption indemnity periods. Neither is in this calculator's baseline; both push the price towards the top of your range. Real proposal forms also ask a few things this calculator doesn't rate: revenue from the US or Canada, whether you've had insurance declined or cancelled before and PCI DSS compliance status if you take cards.
In the United States, insurers must file their rating schedules with state regulators, which makes the maths public: a base rate keyed to revenue, multiplied by an industry factor, a limit factor and modifiers for security controls. UK insurers use the same structure but don't publish their schedules, so every "how much does it cost" article you'll find quotes a couple of loose ranges and stops there.
This calculator rebuilds the filed model with UK numbers: base rates calibrated against published UK broker examples and band tables (Get Indemnity, PolicyBee, Superscript, Connection Technologies and others), sector factors from carrier-book commentary, the limit curve from published US ladders (labelled as such) and control discounts from insurer and broker publications. Every multiplier used in your estimate is shown in the results table, and the full source list is at the bottom of this page.
Two caveats worth flagging. First, the same business commonly gets quotes that differ by a factor of two or more between insurers, which is why your result is a range rather than a number. Second, published averages disagree with each other, sometimes wildly, because samples differ: surveys that capture larger firms with broad policies produce figures several times the SME norms above. The calculator's turnover bands are how we keep that comparison fair: you're compared with businesses your size, not with a blended average.
A quick decoder first: first-party cover pays your own costs (incident response, data recovery, business interruption), and third-party cover pays claims and defence when other people's data or systems are harmed. Your limit funds both, often from the same incident, which is why underinsuring defeats the point.
Buy one band higher than your turnover suggests if you hold more than 100,000 personal records (notification costs alone run £8 to £15 a record, so 100,000 records is £800k+ before anything else), or if a client contract or regulator demands it. Holding sensitive data or working in a higher-risk sector is a reason to consider the next band, not an automatic step up.
Why a healthy margin matters: claim costs are extremely skewed. Government survey data puts the median cost of a firm's most disruptive breach at just £370 for small businesses, but the mean at £7,960, and the tail is long: the average UK SME claim runs to roughly £40k (Aviva), US claims data puts the average SME ransomware incident well into six figures and claims take time to resolve (Aviva's average lifecycle is 300 days). Business interruption cover, and a limit that can fund it, matters as much as the headline number. Tellingly, fewer than one in ten UK SMEs believe an attack could cost them more than £1m (Coalition survey); the claims data says otherwise.
| Cost component | Typical UK figures |
|---|---|
| Forensics and incident response | £1.7k a day, typically 5 to 20 days |
| Notifying affected people | £8 to £15 per record, plus £5 to £10 per person for credit monitoring |
| Business interruption | Around £31k per day offline for a typical SME; ransomware downtime often runs 5 to 21 days |
| Ransom demands (UK SME scale) | £5k to £50k realistic range |
| Legal and regulatory support | £3k to £10k for a small incident; SME-scale ICO fines £18k to £60k (and fines aren't insurable) |
Component figures compiled from UK incident-response rate cards, downtime research and 2024-2026 claims studies; see sources.
The calculator applies exactly this logic when you pick "suggest a limit for me", and tells you when your own choice differs from what businesses like yours typically buy. One more driver worth knowing: client contracts sometimes demand £2m or £5m of cover regardless of your size. If that's you, pick the required limit in the calculator and you'll see exactly what the contract clause costs. (A useful nuance: a £5m aggregate requirement in a contract can sometimes be satisfied by a £2m any-one-claim policy, so ask the broker before paying for the bigger limit.)
Cyber Essentials is the UK government-backed certification for baseline security controls, and it's the single best-value item on the discount list because it pays you twice.
First, the discount: certification typically earns 5% to 25% off standalone premiums because it independently evidences the basics insurers care about, and gov.uk reports that organisations with the Cyber Essentials controls in place make 92% fewer insurance claims. Second, the free cover: UK organisations that certify with under £20m turnover automatically qualify for £25k of cyber liability insurance, underwritten by AIG and included with certification through IASME, provided you opt in. A £1k excess applies and it doesn't cover money stolen through cyber fraud, but upgrades are cheap: £100k of cover costs around £306 a year for firms under £10m turnover. Certification itself starts from £320 plus VAT, rising to £600 plus VAT for large organisations, and the scheme's April 2026 update made MFA on every cloud service an automatic pass-or-fail requirement. For micro-businesses, the free cover plus certification can be a sensible starting point before a standalone policy; for everyone else it stacks with one.
Certification checks the same controls the calculator asks about (boundary firewalls, secure configuration, access control with MFA, malware protection and patching), so businesses with well-managed IT usually pass with little extra work.
It's a buyer's market, if you're quotable. After the hard market of 2021 and 2022, UK cyber rates fell around 8% in the first quarter of 2026 alone (Marsh), and sit roughly 22% to 32% below their 2022 peak. More insurers are competing for well-protected SMEs than ever, though not everyone expects it to last: S&P forecasts rates firming again, so locking in cover while the market is soft has real value.
What hasn't softened is the control bar. UK insurers paid out £197m in cyber claims in 2024, more than three times the £59m of the year before (ABI), with ransomware behind half of them, and their response has been to demand evidence rather than attestations while cutting prices for businesses that show it. Yet despite all this, a government survey found only 10% of UK businesses hold a standalone cyber policy. The practical takeaway from this whole page: the market rewards exactly the controls that make you less likely to need the policy, and most of your competitors haven't caught up yet.
We're not a broker and don't sell insurance, so this is the neutral map. UK businesses buy cyber cover through four routes:
| Route | Examples | Best for |
|---|---|---|
| Direct online | Superscript (from £10.79 a month), Markel Direct (from £5 a month), Hiscox, PolicyBee, Simply Business | Micro and small businesses that want instant cover without a broker |
| Specialist cyber insurers (via brokers) | CFC (threat monitoring via its app), Coalition (pre-bind scanning and "active insurance"), Hiscox CyberClear, Aviva Cyber Respond, Beazley, Chubb | Firms that want active security monitoring and strong breach response bundled with the policy |
| Brokers | Howden, Marsh Commercial, Gallagher, PIB, regional brokers | Limits above £1m, regulated sectors, prior claims, bespoke wording or claims advocacy |
| Bundled and included cover | Cyber add-ons to business policies; the £25k IASME cover with Cyber Essentials | A starting point, but check the sub-limits: a £10k cyber add-on isn't the same product as a £1m standalone policy |
When you compare quotes, price is the least interesting column. UK broker ratings now rank claims and breach-response performance above price, and that shift is deserved. Compare:
Whoever you buy from, the same rule applies: the controls decide the price. Every route prices MFA, backups, EDR, and management discipline the same direction, so the cheapest lever is making your business the risk every insurer wants.
Cost benchmarks, sector factors and control discounts were compiled in July 2026 from the published sources below. Figures are illustrative market benchmarks, not quotes or financial advice. Red Eagle Tech is not an insurer, broker or FCA-authorised firm: for advice or quotes, speak to an FCA-authorised broker or insurer.
Calculate the true cost of IT downtime to your business. Understand the financial impact of system outages and plan accordingly.
A UK-focused IT budget spreadsheet with benchmarks, prioritisation framework, monthly tracking, and 2026-relevant categories including AI and cybersecurity.
The controls insurers now demand (MFA, EDR and tested backups) are exactly what managed IT support delivers. We put them in place, keep them evidenced and your premium reflects it.
See managed IT support