Every business handles data that criminals want: customer details, payment information, supplier contracts, and employee records. You probably think your cyber insurance will cover you when hackers strike. You’re probably wrong.
The real shock comes after an attack when you discover your policy won’t pay out. This article shows you exactly what cyber insurance protects, reveals the hidden exclusions that catch most businesses off guard, and helps you choose coverage that works when you need it most. Read this before you have to make a claim.
Why Every Business Is a Target
Small businesses face the same threats as major corporations, but with weaker defences. The 2023 IBM Cost of a Data Breach Report shows that 43% of all cyberattacks now target small to mid-sized businesses. The average cost reaches £2.98 million.
Recent high-profile attacks have demonstrated that no business is immune. The ransomware attack against Marks & Spencer proved particularly disruptive: it shut down the group’s online sales and disrupted its supply chain during the busy May Bank Holiday trading period. The attack cost about 300 million pounds in lost operating profit, with disruption to online services likely until July.
Modern Networks, a managed IT services provider, sees businesses affected by cyberattacks regularly. These attacks can disable systems, prevent trading, and compromise sensitive data.
As an IT services company, Modern Networks can offer expert advice on technology and cybersecurity precautions, but we are not insurance or legal experts. We strongly advise you to get expert legal and insurance advice before entering into any agreement with an insurance firm or purchasing a policy.
Recent UK Attacks Signal Market Changes
The cyber insurance landscape is shifting following a string of high-profile ransomware attacks against UK retailers. Recent weeks have seen multiple cyberattacks targeting UK companies, including Marks & Spencer, up-market department store Harrods and supermarket chain Co-op.
According to Monica Tigleanu, cyber strategy director at BMS Group, “The recent cyberattacks targeted at high-profile retailers in the UK will almost certainly pause, if not reverse, the softening of cyber rates seen through 2023 and 2024.” The attacks demonstrate elevated loss frequency and severity for liability coverages, as well as first-party business interruption claims.
Data from broker Marsh shows that while UK ransomware claims fell 31% in 2024, they remained approximately double the totals recorded for 2020, 2021 and 2022. Simon West, UK-based director at Resilience Cyber Insurance Solutions, notes that “no company, regardless of size or investment, is immune, and that cyber threats remain an enterprise-wide risk, not merely an IT issue.”
What Your Policy Actually Covers
Most cyber insurance policies split coverage into two areas. First-party coverage protects your business directly when you’re attacked. Third-party coverage handles claims from customers or suppliers affected by your breach.
When You’re Hit Directly
First-party coverage kicks in when hackers target your systems. Breach response costs get covered first: legal advice, customer notifications, and credit monitoring services. If you discover a data breach, you’ll need lawyers quickly. You’ll need to tell customers what happened. This coverage handles those immediate costs.
Business interruption coverage replaces lost income during downtime. Your systems go offline, you can’t trade, you lose money. This coverage helps bridge that gap. When payment systems fail for days, businesses can lose thousands in sales while systems get restored.
Ransomware gets special attention in most policies. Coverage often includes ransom payments, negotiation costs, and data recovery. Some insurers will hire specialists to deal with the criminals and rebuild your encrypted files.
Data restoration coverage helps when information gets destroyed or stolen. Customer databases, financial records, and supplier lists – rebuilding this data costs money. Good policies cover recovery through backup systems or specialist services.
Reputation management has become crucial. Policies now include PR support to handle crisis communication. When news breaks about your breach, you need professional help explaining what happened without making things worse.
When Others Get Hurt
Third-party coverage protects you when your breach affects customers, suppliers, or partners. Privacy liability covers legal costs if people sue over exposed personal data. This matters especially if you handle payment information or store customer details.
Regulatory defence coverage helps when authorities investigate. The Information Commissioner’s Office can impose fines up to £17.5 million under GDPR. This coverage handles investigation costs and potentially some penalties.
Media liability protection covers defamation or copyright issues resulting from attacks. If hackers expose confidential contracts or proprietary information, this coverage helps with legal costs.
The Dangerous Gaps
Understanding exclusions matters more than knowing what’s covered. These gaps catch most business owners by surprise.
Poor security practices void many policies. No firewalls, no multi-factor authentication, outdated software – insurers might refuse to pay. They increasingly want proof of good security hygiene before issuing policies.
Known problems don’t get coverage. If a breach started before your policy began, you’re not protected. If you knew about a vulnerability but ignored it, insurers won’t pay.
War exclusions have expanded recently. Nation-state attacks like NotPetya might not be covered. Insurers treat these as acts of war, not business risks.
Insider threats usually aren’t covered unless specifically added. Malicious employees can cause severe damage, but standard policies exclude intentional internal actions.
Long-term damage rarely gets full coverage. Insurers might pay immediate PR costs, but won’t cover lost customers or declining sales months later.
Industry-Specific Risks
Different businesses face different cyber threats based on the data they handle and the systems they use. Understanding your specific risks helps determine appropriate coverage levels.
Recent attacks have highlighted the growing threat from social engineering and third-party vulnerabilities. According to SecurityScorecard’s findings, the retail and hospitality sectors led in third-party breach rates in 2024, with “52.4% of breaches linked to third-party access.” Many organisations are unaware of how their cyber policies address third-party risks.
The M&S attack serves as a wake-up call about enterprise-wide cyber risks. Despite investment in cybersecurity, third-party vendors can introduce vulnerabilities into business ecosystems through their software and services. Supply chain attacks create downstream effects affecting multiple businesses using the same dependency.
Choosing the Right Protection
Start by understanding your actual risks. What data do you store? How long could you survive without your systems? Who would blame you if their information got stolen?
Ask specific questions about ransomware and social engineering coverage. These threats grow daily. Make sure legal fees and ICO investigation costs are included. GDPR investigations cost thousands before any fines.
Work with brokers who understand both technology and your industry. They’ll spot gaps specific to your business and help avoid nasty surprises during claims.
Check coverage limits carefully. If a breach could cost £200,000, don’t buy £50,000 coverage. Choose deductibles you can afford to pay.
Review policies annually. Cyber threats evolve quickly. Your coverage should adapt to new risks as your business grows and changes.
Beyond Insurance
Cyber insurance works best alongside strong security practices. No policy replaces good cybersecurity hygiene. Regular staff training, system updates, and vulnerability assessments reduce your risk and keep insurers satisfied.
Poor cybersecurity practices can void policy claims. Insurers increasingly require proof of good cyber hygiene before issuing policies.
Don’t Wait to Find Out
The digital world brings new threats daily. Understanding your cyber insurance policy could mean the difference between quick recovery and business closure. Don’t wait until after an attack to discover what you’re really covered for.
Remember that while Modern Networks can provide expert guidance on cybersecurity and technology protection, we are not insurance or legal experts. Always seek professional insurance and legal advice when selecting or purchasing cyber insurance policies to ensure you get the right coverage for your specific business needs.
Cyber criminals don’t take holidays. They don’t care if you’re small or large, local or global. They want your data, and they’re getting better at taking it.
Ready to review your cyber insurance and strengthen your defences? Contact Modern Networks today to ensure your business stays protected against tomorrow’s threats. Your customers and your future depend on getting this right.
Modern Networks is a Hertfordshire-based managed IT services provider specialising in UK commercial property, retail and science parks.
References
- IBM Cost of a Data Breach Report 2023 – Available at: IBM Security’s annual data breach report (ibm.com/security)
- 43% cyberattack statistic – From IBM’s 2023 report on cybersecurity threats to small and medium businesses
- £2.98 million average cost figure – IBM Cost of a Data Breach Report 2023, specific to smaller business impacts
- GDPR (General Data Protection Regulation) – Enforced in the UK under the Data Protection Act 2018
- Data Protection Act 2018 – UK legislation implementing GDPR (legislation.gov.uk)
- ICO (Information Commissioner’s Office) – UK’s independent data protection authority (ico.org.uk)
- GDPR penalty limits – £17.5 million or 4% of annual turnover, maximum fines under UK GDPR
- NotPetya ransomware case – Well-documented cyberattack case study used in insurance war exclusion clauses
- M&S ransomware attack information – Reuters report, “M&S’ $400 million cyberattack upheaval to linger into July” (May 21, 2025)
- UK cyber insurance market impact – Commercial Risk Online, “UK ransomware attacks will impact cyber pricing, says broker” (May 9, 2025)
- Monica Tigleanu quote on cyber rates – Commercial Risk Online, May 9, 2025
- Simon West quote on enterprise risk – Commercial Risk Online, May 9, 2025
- UK ransomware claims statistics – Marsh data cited in Commercial Risk Online and Marsh UK Cyber Insurance Claims Trend Report 2024
- Third-party breach statistics – Insurance Business UK, “M&S cyberattack: lessons to learn for insurance brokers” (May 6, 2025)
- Tech Tribe and Technology Press Permission