Articles by Superfast IT

How Much Cyber Security Does a Small Business Really Need?

Written by James Cash | 30-Jul-2025 12:29:12

Most UK SMEs buy between £250K and £1M of cyber-liability cover. The correct figure for you depends on your likely recovery costs, lost revenue and third-party liabilities.

This article explains how to size the limit and get value for money.

Why cyber‑insurance matters but isn't a silver bullet

  • Half of UK businesses reported at least one breach in the last year. The single most disruptive incident cost the average SME £1,205 in direct out‑of‑pocket expenses, and far more for larger firms.
  • In finance and other regulated sectors, total costs (forensics, legal, customer redress, PR) frequently run into six or seven figures. Average ransomware payments exceeded £438,500 in late 2024.
  • A cyber‑policy will not stop an attack, but it can fund 24 × 7 incident‑response specialists, data restoration, business‑interruption losses and third‑party claims.

Baseline cover you may already have

If you hold Cyber Essentials certification, you automatically qualify for an IASME cyber‑liability add‑on worth £25,000 (provided turnover is under £20 m and the whole organisation is in scope).

This is useful "first‑aid" but rarely enough for a severe outage, so most CCE-certified firms still buy top‑up insurance.

What are other SMEs buying in 2025

Smaller businesses with less than £2M in revenue typically have a £100K to £250K indemnity limit to cover forensic response plus a few days of downtime.

General SMEs in the £2M to £50M revenue bracket would typically have £250K to £1M in cover, matching a few weeks' gross profit and some third-party liability.

Regulated finance or fintech companies would need more cover, in the £1M to £5M bracket, which allows for FCA scrutiny, customer claims and reputation management.

A quick formula to double-check your oumber

1. Business interruption

Daily gross profit x realistic worst-case downtime.

2. Incident-response costs

Hourly rates for digital forensics, legal counsel, PCI/GDPR reporting, credit-monitoring, and PR.

3. Data-breach liability

Potential compensation to customers, staff, or lenders if personal data is exposed.

4. Regulatory exposure

FCA, ICO or sector-specific fines where insurable.

5. Ransomware scenario

Insurers do not reimburse illegal ransom payments, but cover the negotiation and rebuild costs. The current average demand is > £400 K.

5 policy features worth paying for

Must-have wording Why it matters
24/7incident response hotline Minutes count; you need experts on the case immediately
Business‑interruption cover on gross profit Replaces lost margin, not just turnover
Social‑engineering and invoice‑fraud losses Still excluded by some older policies
Bricking and hardware replacement Covers devices rendered unusable by malware
Regulatory and PCI fines (where legal) Particularly important for finance and payment data

 

Technical controls insurers expect

  • Multi-factor authentication, including for remote admin tools.
  • Secure backups that are tested regularly.
  • Endpoint detection and response with a managed SOC
  • Ongoing user awareness training and phishing drills

Regulatory disclaimer

Superfast IT is not authorised by the Financial Conduct Authority to advise on or arrange insurance. The guidance above is general cyber‑risk commentary only.  Please speak to an FCA‑authorised broker or insurer for regulated advice and placement.
View full post