Cyber insurance cost calculator


See what cyber insurance should cost your UK business, and how much cover you need. Free, anonymous, under two minutes.


How much does cyber insurance cost in the UK?

Most UK SMEs pay between £350 and £5k a year for standalone cyber insurance. Micro-businesses with good security controls pay from around £130 a year, while mid-market firms pay £3k to £50k or more. Sector, the data you hold, your security controls and the cover limit you choose move the price most, and evidenced controls cut it by 10% to 40%.

Cost data updated: July 2026. Benchmarks calibrated to published 2024 to 2026 UK market data.

The calculator below turns those benchmarks into an estimate for your business.

Estimate your cyber insurance cost

Answer four quick questions to get an annual premium range and a suggested cover limit for your business.

  • Free and anonymous. Nothing is stored or sent, and we never ask for your details.
  • Anchored to published UK premium data, calibrated July 2026.
  • You get a from / typical / up-to range, a suggested cover limit and the exact multipliers we used.
Infographic: UK cyber insurance costs; most SMEs pay £350 to £5k a year; evidenced controls cut premiums 10% to 40%
Turnover sets the baseline, but sector, data and security controls decide where in the range you land.

Step 1 of 4: About your business

Please select your annual turnover.
Please select your sector.

Step 2 of 4: The data you hold

Do you take card payments?
Do you hold sensitive data? (health, financial, legal or children's data)
Have you had a cyber breach or claim in the last five years?

Step 3 of 4: Security controls you have today

Tick what's genuinely in place now. Accurate answers give you a realistic estimate, and the result shows what each gap is costing you.

Security controls in place
Insurers treat this as a minimum requirement.
Insurers treat this as a minimum requirement.

Step 4 of 4: How much cover?

Cover limit choice

Illustrative estimate, not a quote

Your cyber insurance estimate

£0 a year

about £0 a month

From

£0

Typical

£0

Up to

£0

No multi-factor authentication

Most UK insurers now treat MFA as a minimum requirement, and missing MFA is the leading reason applications are declined. Fix this before seeking quotes.

See what insurers now expect and how to fix it fast

No tested backups

Many insurers won't quote without backups you've actually tested a restore from, kept offline or immutable. This is usually a quick win.

See what insurers now expect

No EDR at your size

At £2m+ turnover, many insurers expect endpoint detection and response (EDR or MDR) on every device. Without it, expect tougher questions or a loaded price.

Previous breach or claim

Insurers re-rate after a claim, and some will decline or apply special terms such as a higher excess. Be ready to show what's changed since the incident.

With neither MFA nor tested backups in place, many insurers will decline or restrict cover. Treat this range as a best case.

You could pay less

Adding would typically trim your premium: roughly £0 a year off your typical figure at today's calibration.

Cyber Essentials certification alone typically saves 5% to 25%, and includes £25k of free cyber liability cover for UK organisations under £20m turnover. How the free cover works

How to cut your premium, step by step

How we worked this out
The multipliers used to calculate your estimate
Base rate
Sector
Cover limit
Security controls
Data profile
Claims history

Where these multipliers come from

Your estimate assumes a typical data volume for your size, as you selected "Not sure" for records held.

Illustrative guidance, not a quote

At your size, cyber cover is individually underwritten

Above £50m turnover there's no meaningful benchmark rate: insurers underwrite each risk individually, and published benchmarks run from £25k to £150k+ a year depending on sector, data and controls. A specialist broker who places cyber regularly (for example through the Lloyd's market) will get materially better terms than any online estimate.

The security controls still decide your price and your insurability: MFA everywhere, EDR on every endpoint, tested backups and an exercised incident response plan are the entry ticket at this size.

This is an illustrative estimate, not a quote or financial advice. It's calibrated to published 2024 to 2026 UK market data (July 2026) and assumes a standard excess (£1k to £2.5k). Estimates are typically within ±40% to 50% of mid-market quotes, and real quotes for the same business can differ by a factor of two or more between insurers. Red Eagle Tech is not an insurer or broker and isn't FCA-authorised. Always get quotes from an FCA-authorised broker or insurer.

UK cyber insurance costs at a glance

£350 to £5k

what most UK SMEs pay per year for standalone cyber cover

£40k

the average UK SME cyber claim (Aviva claims data, 2025)

10% to 40%

off the premium for evidenced security controls (WTW, 2025)

Typical cost by turnover

Annual turnoverTypical annual premiumCover typically bought
Under £100k£130 to £450£250k to £500k
£100k to £500k£250 to £750£500k
£500k to £1m£450 to £1.2k£500k to £1m
£1m to £5m£800 to £4k£1m to £2m
£5m to £10m£2.5k to £6.5k£2m
£10m to £50m£4k to £16k£2m to £5m

Ranges assume a standard-risk sector with baseline controls (MFA and tested backups) in place, compiled from published UK broker examples and band tables, calibrated July 2026.

Bar chart of typical UK cyber insurance cost by turnover band, from £130 to £450 a year under £100k turnover up to £4k to £16k a year at £10m to £50m turnover
Turnover sets the baseline. The calculator then adjusts for sector, data, controls and cover limit.

Sector risk tiers

TierExample sectorsEffect on premium
LowConstruction and trades, marketing, charitiesAround 10% to 15% below standard
StandardManufacturing, transport, hospitality, retail, educationThe baseline
ElevatedProfessional services, recruitment, IT and MSPsAround 25% to 40% above standard
HighHealthcare, legal, financial servicesAround 50% to 60% above standard

Tiers reflect published carrier commentary on sector loss experience: the more valuable the data and the deeper the system access, the higher the tier.

Cost by cover limit

Cover limitRelative premium
£250kabout half the £1m price
£500kabout 70% of the £1m price
£1mthe reference point
£2mabout 1.5 times the £1m price
£5mabout 2.5 times the £1m price

Doubling the limit doesn't double the price: quadrupling cover roughly doubles the premium. The curve shape comes from published US pricing ladders (AdvisorSmith), as UK insurers don't publish an equivalent, applied to UK base prices.

What drives the cost of cyber insurance

Cyber insurers rate a handful of factors, and they weigh them in a fairly consistent order. Analysis of more than 180 actual insurer rate filings (Romanosky et al., Journal of Cybersecurity) found revenue is the single heaviest factor, followed by industry, with everything else applied as modifiers. That's exactly how this calculator works, and it's why the wizard asks its questions in this order.

  1. Turnover. The baseline. Bigger businesses mean bigger business-interruption exposure and bigger claims, so the base rate scales with revenue, from around £130 a year for a well-protected micro-business to five figures for mid-market firms.
  2. Sector. A proxy for the data you hold and the access you have. Healthcare, legal and financial firms pay 50% to 60% above standard; trades pay below standard. IT companies and MSPs sit above standard too, because they hold privileged access to client systems.
  3. Data held. More personal records mean bigger notification, regulatory and liability costs when things go wrong. Card payments and special-category data (health, financial, legal, children's) push the price up further.
  4. Security controls. The factor you can actually change. MFA and tested backups are now entry requirements with most insurers; EDR, patching discipline, training, an incident response plan and professional IT management each earn a discount. Together, published commentary puts the swing at 10% to 40%.
  5. Cover limit and excess. How much the policy pays out, and how much of each claim you bear yourself. Most SMEs carry a £1k to £2.5k excess.
  6. Claims history. A breach or claim in the last five years means re-rating, special terms or in some cases a decline, until you can evidence what's changed.

Two optional add-ons also move quotes when you buy: social engineering and cybercrime cover (fraudulent payment losses, which standard wordings often exclude) and extended business interruption indemnity periods. Neither is in this calculator's baseline; both push the price towards the top of your range. Real proposal forms also ask a few things this calculator doesn't rate: revenue from the US or Canada, whether you've had insurance declined or cancelled before and PCI DSS compliance status if you take cards.

How insurers price cyber cover (and how this calculator works)

In the United States, insurers must file their rating schedules with state regulators, which makes the maths public: a base rate keyed to revenue, multiplied by an industry factor, a limit factor and modifiers for security controls. UK insurers use the same structure but don't publish their schedules, so every "how much does it cost" article you'll find quotes a couple of loose ranges and stops there.

This calculator rebuilds the filed model with UK numbers: base rates calibrated against published UK broker examples and band tables (Get Indemnity, PolicyBee, Superscript, Connection Technologies and others), sector factors from carrier-book commentary, the limit curve from published US ladders (labelled as such) and control discounts from insurer and broker publications. Every multiplier used in your estimate is shown in the results table, and the full source list is at the bottom of this page.

Two caveats worth flagging. First, the same business commonly gets quotes that differ by a factor of two or more between insurers, which is why your result is a range rather than a number. Second, published averages disagree with each other, sometimes wildly, because samples differ: surveys that capture larger firms with broad policies produce figures several times the SME norms above. The calculator's turnover bands are how we keep that comparison fair: you're compared with businesses your size, not with a blended average.

How much cyber insurance do you need?

A quick decoder first: first-party cover pays your own costs (incident response, data recovery, business interruption), and third-party cover pays claims and defence when other people's data or systems are harmed. Your limit funds both, often from the same incident, which is why underinsuring defeats the point.

  • Under £500k turnover: £500k of cover is the common choice, and £1m often costs only a little more.
  • £500k to £2m turnover: £1m is the norm. Government survey data shows 59% of insured SMEs buy £1m or less.
  • £2m to £10m turnover: £2m is typical.
  • £10m to £50m turnover: £5m becomes the sensible floor.

Buy one band higher than your turnover suggests if you hold more than 100,000 personal records (notification costs alone run £8 to £15 a record, so 100,000 records is £800k+ before anything else), or if a client contract or regulator demands it. Holding sensitive data or working in a higher-risk sector is a reason to consider the next band, not an automatic step up.

Why a healthy margin matters: claim costs are extremely skewed. Government survey data puts the median cost of a firm's most disruptive breach at just £370 for small businesses, but the mean at £7,960, and the tail is long: the average UK SME claim runs to roughly £40k (Aviva), US claims data puts the average SME ransomware incident well into six figures and claims take time to resolve (Aviva's average lifecycle is 300 days). Business interruption cover, and a limit that can fund it, matters as much as the headline number. Tellingly, fewer than one in ten UK SMEs believe an attack could cost them more than £1m (Coalition survey); the claims data says otherwise.

What a limit has to fund

Cost componentTypical UK figures
Forensics and incident response£1.7k a day, typically 5 to 20 days
Notifying affected people£8 to £15 per record, plus £5 to £10 per person for credit monitoring
Business interruptionAround £31k per day offline for a typical SME; ransomware downtime often runs 5 to 21 days
Ransom demands (UK SME scale)£5k to £50k realistic range
Legal and regulatory support£3k to £10k for a small incident; SME-scale ICO fines £18k to £60k (and fines aren't insurable)

Component figures compiled from UK incident-response rate cards, downtime research and 2024-2026 claims studies; see sources.

The calculator applies exactly this logic when you pick "suggest a limit for me", and tells you when your own choice differs from what businesses like yours typically buy. One more driver worth knowing: client contracts sometimes demand £2m or £5m of cover regardless of your size. If that's you, pick the required limit in the calculator and you'll see exactly what the contract clause costs. (A useful nuance: a £5m aggregate requirement in a contract can sometimes be satisfied by a £2m any-one-claim policy, so ask the broker before paying for the bigger limit.)

How to cut your cyber insurance premium

First, get quotable

Before discounts come the gates. Industry bodies now describe businesses without multi-factor authentication as close to uninsurable, and a reported 41% of applications are declined on first submission, most often for missing MFA or weak endpoint protection. Tested backups, kept offline or immutable, are the second gate, and at £2m+ turnover many insurers expect EDR on every device as well. If any of these are missing, fix them before you approach the market: you'll get more quotes, from better insurers, at better prices.

Then stack the discounts

ControlPublished effect on premium
Endpoint detection and response (EDR/MDR)Up to 12.5% credit with some insurers (Coalition)
Cyber Essentials / Cyber Essentials Plus5% to 25% (plus £25k of free cover, below)
Prompt patching (30 days or better)Part of the 10% to 40% evidenced-controls envelope (WTW)
Tested incident response planDitto, and it directly reduces claim severity
Staff security-awareness trainingDitto, targets the phishing that starts most claims
Professionally managed ITInsurers price managed, evidenced controls more favourably (Marsh, Munich Re)
Three price tags showing the same UK retailer priced three ways: £1,350 a year with no baseline controls, £860 with MFA and tested backups, £600 with the full control stack
The same card-taking retailer priced at three control levels by this calculator's model.

Notice what that list is: it's a managed IT service specification. The controls insurers demand before they'll quote, and discount when they see evidenced, are precisely what a good provider sets up and maintains as standard, and underwriters increasingly want continuous evidence rather than a ticked box on a form. Some insurers now run partner programmes offering premium credits to businesses whose security is delivered through approved managed providers. If you'd rather not build all of this yourself, that's literally what our managed IT support service does, and the premium saving partly funds it.

One more lever: a higher excess lowers the premium. Most SME policies carry a £1k to £2.5k excess; take a higher one only if you could genuinely absorb it on every claim.

Cyber Essentials: a discount plus £25k of free cover

Cyber Essentials is the UK government-backed certification for baseline security controls, and it's the single best-value item on the discount list because it pays you twice.

First, the discount: certification typically earns 5% to 25% off standalone premiums because it independently evidences the basics insurers care about, and gov.uk reports that organisations with the Cyber Essentials controls in place make 92% fewer insurance claims. Second, the free cover: UK organisations that certify with under £20m turnover automatically qualify for £25k of cyber liability insurance, underwritten by AIG and included with certification through IASME, provided you opt in. A £1k excess applies and it doesn't cover money stolen through cyber fraud, but upgrades are cheap: £100k of cover costs around £306 a year for firms under £10m turnover. Certification itself starts from £320 plus VAT, rising to £600 plus VAT for large organisations, and the scheme's April 2026 update made MFA on every cloud service an automatic pass-or-fail requirement. For micro-businesses, the free cover plus certification can be a sensible starting point before a standalone policy; for everyone else it stacks with one.

Certification checks the same controls the calculator asks about (boundary firewalls, secure configuration, access control with MFA, malware protection and patching), so businesses with well-managed IT usually pass with little extra work.

The UK cyber insurance market in 2026

It's a buyer's market, if you're quotable. After the hard market of 2021 and 2022, UK cyber rates fell around 8% in the first quarter of 2026 alone (Marsh), and sit roughly 22% to 32% below their 2022 peak. More insurers are competing for well-protected SMEs than ever, though not everyone expects it to last: S&P forecasts rates firming again, so locking in cover while the market is soft has real value.

What hasn't softened is the control bar. UK insurers paid out £197m in cyber claims in 2024, more than three times the £59m of the year before (ABI), with ransomware behind half of them, and their response has been to demand evidence rather than attestations while cutting prices for businesses that show it. Yet despite all this, a government survey found only 10% of UK businesses hold a standalone cyber policy. The practical takeaway from this whole page: the market rewards exactly the controls that make you less likely to need the policy, and most of your competitors haven't caught up yet.

Who sells cyber insurance in the UK (and how to compare them)

We're not a broker and don't sell insurance, so this is the neutral map. UK businesses buy cyber cover through four routes:

RouteExamplesBest for
Direct onlineSuperscript (from £10.79 a month), Markel Direct (from £5 a month), Hiscox, PolicyBee, Simply BusinessMicro and small businesses that want instant cover without a broker
Specialist cyber insurers (via brokers)CFC (threat monitoring via its app), Coalition (pre-bind scanning and "active insurance"), Hiscox CyberClear, Aviva Cyber Respond, Beazley, ChubbFirms that want active security monitoring and strong breach response bundled with the policy
BrokersHowden, Marsh Commercial, Gallagher, PIB, regional brokersLimits above £1m, regulated sectors, prior claims, bespoke wording or claims advocacy
Bundled and included coverCyber add-ons to business policies; the £25k IASME cover with Cyber EssentialsA starting point, but check the sub-limits: a £10k cyber add-on isn't the same product as a £1m standalone policy

When you compare quotes, price is the least interesting column. UK broker ratings now rank claims and breach-response performance above price, and that shift is deserved. Compare:

  • Breach response: who answers the phone at 2am, and is the incident team in-house or outsourced?
  • What's actually covered: the first-party versus third-party split, business interruption cover and its waiting period and social engineering fraud.
  • Ransomware terms: sub-limits and co-insurance clauses; some insurers cap catastrophic first-party cover at half the limit on smaller policies.
  • Exclusions and conditions: especially "failure to maintain" clauses that void cover if the controls you declared lapse, and war or nation-state exclusions.
  • Excess and retroactive date: what you pay per claim, and whether incidents that began before the policy started are excluded.

Whoever you buy from, the same rule applies: the controls decide the price. Every route prices MFA, backups, EDR, and management discipline the same direction, so the cheapest lever is making your business the risk every insurer wants.

Frequently asked questions

Most UK SMEs pay between £350 and £5k a year for standalone cyber insurance. Micro-businesses with good security controls can pay from around £130 a year, with entry products from £5 a month at the very small end, while mid-market firms typically pay £3k to £50k depending on sector, data held and cover limit.

A standalone policy typically covers first-party costs (incident response, forensics, data recovery, business interruption, ransom negotiation where lawful) and third-party liability (claims from customers whose data was exposed), plus regulatory defence and investigation costs. Fines themselves are generally not insurable in the UK. Common add-ons include social engineering fraud cover and extended business interruption. Breach response services, including a 24/7 incident hotline, are often the most valuable part for smaller firms.

Common exclusions include incidents that began before the policy started (check the retroactive date), fines and penalties (generally uninsurable in the UK; policies cover defence and investigation costs instead), deliberate acts and losses above sub-limits, which on some policies cap ransomware or social engineering payouts well below the headline limit. Watch 'failure to maintain' clauses especially: they can void cover if the controls you declared on the proposal form lapse, so keep MFA, backups and patching evidenced all year.

For most UK SMEs that hold customer data or depend on their systems to trade, yes. The average SME cyber claim runs to roughly £40k, which is enough to threaten many small businesses. Premiums start from around £130 a year with good controls, and insurers' breach response teams alone can be worth the premium during an incident.

UK businesses under £500k turnover typically buy £500k of cover, firms between £500k and £2m typically buy £1m and firms between £2m and £10m typically buy £2m. Buy a band higher if you hold more than 100,000 personal records (notification costs alone run £8 to £15 a record) or a client contract demands it, and consider it if you hold sensitive data or work in a higher-risk sector. The limit needs to cover incident response, business interruption and regulatory costs together.

The most common reason is missing baseline security controls. Most UK insurers now treat multi-factor authentication as a minimum requirement, and many also insist on tested backups before they will quote. A significant share of applications are initially declined, so it usually pays to fix the basics first: MFA everywhere, tested offline backups and endpoint protection.

Yes. UK organisations that certify to Cyber Essentials and have under £20m turnover automatically qualify for £25k of cyber liability insurance through IASME at no extra cost, provided they opt in during certification. Certification also typically earns a 5% to 25% discount on standalone policies because it evidences baseline controls.

Put the controls insurers price on in place and evidence them: multi-factor authentication, tested backups, endpoint detection and response (EDR), prompt patching, staff training and a tested incident response plan. Published UK broker commentary puts the combined effect at 10% to 40% off the premium, and the same controls make you far less likely to claim in the first place.

No. The result is an illustrative estimate calibrated to published 2024 to 2026 UK market data. Real quotes for the same business commonly differ by a factor of two or more between insurers, and by 20% to 40% between brokers placing the same risk, so treat the range as a budgeting sense-check, get two or three real quotes and always buy through an FCA-authorised broker or insurer. Red Eagle Tech is not an insurer or broker.

Yes, in two ways. A managed IT provider sets up and evidences the controls insurers now expect (MFA, EDR, tested backups and patching), which keeps you quotable and typically lowers the premium. And at renewal, an MSP can complete the technical sections of proposal forms accurately, which avoids the underinsurance and declined-claim risks that come from guessing.

Sources and disclaimer

Cost benchmarks, sector factors and control discounts were compiled in July 2026 from the published sources below. Figures are illustrative market benchmarks, not quotes or financial advice. Red Eagle Tech is not an insurer, broker or FCA-authorised firm: for advice or quotes, speak to an FCA-authorised broker or insurer.

  • Romanosky, Ablon, Kuehn and Jones, Content analysis of cyber insurance policies, Journal of Cybersecurity, 2019 (academic.oup.com)
  • Get Indemnity, How much does cyber insurance cost, 2025 (getindemnity.co.uk)
  • PolicyBee cyber insurance guides and pricing, 2025-2026 (policybee.co.uk)
  • Superscript cyber insurance pricing, 2026 (gosuperscript.com)
  • Connection Technologies, cyber insurance cost bands, 2025 (connectiontechnologies.co.uk)
  • CyberPolicyFinder UK premium tables, 2025 (cyberpolicyfinder.com)
  • Precursor Security, UK cyber insurance cost ranges, 2026 (precursorsecurity.com)
  • Professional Insurance Group, cyber premium as a percentage of revenue, 2026 (proinsgrp.com)
  • AdvisorSmith, average cost of cyber liability insurance (advisorsmith.com)
  • WTW, UK cyber insurance market commentary on control-based reductions, 2025 (wtwco.com)
  • Marsh, Global Insurance Market Index, UK cyber pricing, 2025 (marsh.com)
  • Howden, cyber insurance market reports, 2024-2025 (howdengroup.com)
  • Coalition, MDR premium credit announcement (coalitioninc.com)
  • Association of British Insurers, UK cyber claims paid 2024, November 2025 (abi.org.uk)
  • Aviva, SME cyber claims data and average claim lifecycle, December 2025 (aviva.co.uk)
  • Marsh McLennan, cyber insurance carrier survey and application data, 2024-2025 (marsh.com)
  • DSIT and gov.uk, Cyber Security Breaches Survey 2025-2026 and Insuring Resilience research (gov.uk)
  • NetDiligence, Cyber Claims Study 2025, SME section (netdiligence.com)
  • Verizon, Data Breach Investigations Report 2025 (verizon.com)
  • Hiscox, Cyber Readiness Report 2025 (hiscox.co.uk)
  • NCSC, Cyber Essentials overview and cyber insurance guidance (ncsc.gov.uk)
  • IASME, Cyber Essentials included insurance and upgrade pricing (iasme.co.uk)
  • Markel Direct, cyber insurance pricing for micro-businesses (markeluk.com)

Related tools

Downtime cost iceberg showing direct costs above the waterline and hidden costs below

Downtime cost calculator

Calculate the true cost of IT downtime to your business. Understand the financial impact of system outages and plan accordingly.

2 minutes Calculate now
IT budget template preview showing dashboard with UK benchmarks and priority framework

IT budget template

A UK-focused IT budget spreadsheet with benchmarks, prioritisation framework, monthly tracking, and 2026-relevant categories including AI and cybersecurity.

Excel Download

Get insurable, and pay less for it

The controls insurers now demand (MFA, EDR and tested backups) are exactly what managed IT support delivers. We put them in place, keep them evidenced and your premium reflects it.

See managed IT support

Find us