Cyber Essentials Plus and Cyber Insurance: Reducing Your Premiums

The relationship between cybersecurity certifications and insurance is one that every UK business should understand. As cyber threats continue to escalate and the financial consequences of breaches grow ever more severe, cyber insurance has shifted from a niche product to an essential component of business risk management. And increasingly, insurers are looking at Cyber Essentials Plus certification as a key indicator of an organisation's risk profile.

In this article, we explore the intersection of Cyber Essentials Plus and cyber insurance: how certification affects your ability to obtain cover, what it means for your premiums, and why the two work together to create a comprehensive approach to managing cyber risk for UK businesses.

The UK Cyber Insurance Landscape

The cyber insurance market in the UK has grown dramatically over the past decade, driven by a surge in ransomware attacks, increasingly stringent data protection regulations (notably the UK GDPR and the Data Protection Act 2018), and a growing awareness among business leaders that cyber risk is a board-level concern.

However, growth has not been without turbulence. Between 2020 and 2023, the cyber insurance market experienced significant upheaval. A wave of ransomware claims pushed loss ratios to unsustainable levels, leading insurers to dramatically increase premiums, tighten underwriting criteria, and in some cases, withdraw from the market entirely. While the market has stabilised somewhat since then, the aftershocks continue to shape how insurers assess and price cyber risk.

£10.5B: estimated UK cyber insurance market size (2025)
56%: share of UK businesses that now hold cyber insurance
35%: average premium reduction with CE Plus
£25K: free cover included with CE certification

For UK businesses, the practical implication is clear: obtaining cyber insurance is harder and more expensive than it used to be. Insurers are asking more questions, requiring more evidence of security controls, and differentiating more sharply between well-managed and poorly-managed risks. This is precisely where Cyber Essentials Plus certification becomes valuable.

How Insurers View Cyber Essentials Plus

From an insurer's perspective, Cyber Essentials Plus certification serves as a credible, independently verified signal that an organisation has implemented fundamental security controls. It is not a guarantee of security — no certification is — but it demonstrates that the organisation has addressed the most common attack vectors and has submitted to external verification of those controls.

This matters to insurers for several reasons. First, the five Cyber Essentials controls (firewalls, secure configuration, access control, malware protection, and patching) directly address the vulnerabilities that are most commonly exploited in the types of attacks that generate insurance claims. An organisation with these controls in place is statistically less likely to suffer a successful attack, and if an attack does occur, the impact is likely to be less severe.

Second, the external verification component of Cyber Essentials Plus provides insurers with assurance that the controls are not just claimed but actually implemented. The basic Cyber Essentials certification is a self-assessment, which carries less weight with insurers because there is no independent validation. Cyber Essentials Plus, with its hands-on technical assessment, provides the kind of evidence that insurers value.

Impact on Premiums

While every insurer has its own pricing model, the general trend is clear: Cyber Essentials Plus certified organisations pay less for cyber insurance. The premium differential varies by insurer, industry, and the specific policy, but reductions of 20% to 40% are not uncommon.

Security posture                              | Premium relative to baseline | Effect
No cybersecurity certification                | 100% (baseline premium)      | Highest premiums
Cyber Essentials basic only                   | 80–90% of baseline           | Modest reduction
Cyber Essentials Plus certified               | 60–75% of baseline           | Significant savings
CE Plus + additional controls (ISO 27001)     | 50–65% of baseline           | Maximum discount

Some insurers go further than offering discounts. A number of UK insurers now list Cyber Essentials Plus as a prerequisite for certain types of cover. Without certification, the policy may exclude specific claim categories (such as ransomware payments), impose higher excesses, or simply not be available at all.

The Free Insurance Included with Certification

One of the lesser-known benefits of Cyber Essentials certification is that it often comes with free cyber liability insurance. The IASME accreditation body, which oversees the Cyber Essentials scheme, has historically included a basic cyber insurance policy as part of the certification package.

The exact terms and coverage levels vary depending on the certification body and the current insurance arrangements, but typically the included policy provides cover of up to £25,000 for micro businesses (turnover under £2 million). For larger organisations, the cover limit may be higher, up to several hundred thousand pounds for some schemes.

Important Note

The free insurance included with Cyber Essentials certification is a useful safety net, but it should not be treated as a substitute for comprehensive cyber insurance. The cover limits are relatively low, and the policy terms are typically more restrictive than a dedicated commercial cyber insurance policy. Consider it a bonus, not your primary protection.

The included insurance typically covers first-party losses (such as the cost of incident response, data recovery, and business interruption) and third-party liabilities (such as claims from individuals whose data has been compromised). However, coverage for ransomware payments, regulatory fines, and reputational damage may be limited or excluded.

What Cyber Insurance Actually Covers

To understand the relationship between Cyber Essentials Plus and cyber insurance, it helps to understand what a comprehensive cyber insurance policy typically covers. While policies vary between insurers, most UK cyber insurance policies include some combination of the following.

Incident response costs. The costs of investigating a cyber incident, engaging forensic specialists, notifying affected individuals, and managing the communications response. These costs can mount rapidly — even a relatively contained incident can generate tens of thousands of pounds in incident response fees.

Business interruption. Loss of income resulting from a cyber incident that disrupts normal business operations. This is increasingly important as businesses become more dependent on digital systems and even short outages can have significant financial consequences.

Data recovery. The costs of restoring data and systems that have been damaged, destroyed, or encrypted by an attack. For organisations that have been hit by ransomware, these costs can be substantial, even if the ransom itself is not paid.

Third-party liabilities. Claims from customers, partners, or other third parties who have suffered loss as a result of a data breach or cyber incident originating from your organisation. With the UK GDPR providing individuals with a right to compensation for data protection breaches, these claims are becoming more common and more costly.

Regulatory defence costs. The costs of defending against regulatory investigations or enforcement actions, particularly from the Information Commissioner's Office (ICO). While the insurance typically cannot cover regulatory fines themselves (as fines are generally not insurable under English law), the legal costs of responding to an investigation can be covered.

Cyber extortion. Costs associated with responding to ransomware demands, including specialist negotiation services and, in some cases, the ransom payment itself (though this is increasingly controversial and some policies now exclude it).

The Underwriting Process

When you apply for cyber insurance, the insurer will conduct an underwriting assessment to evaluate your risk profile. This assessment determines whether they will offer you cover and at what price. The underwriting process has become significantly more rigorous in recent years, reflecting the market's experience with elevated claims.

Typical underwriting questions cover areas that directly align with the Cyber Essentials controls. Do you use multi-factor authentication? How do you manage software updates? Are admin privileges restricted? Do you have endpoint protection? How are your backups managed?

If you hold Cyber Essentials Plus certification, you can answer many of these questions by simply pointing to your certificate. The certification serves as a shorthand that tells the insurer you have addressed the fundamentals. This can streamline the underwriting process, reduce the amount of documentation required, and lead to a faster, more favourable decision.

Why Insurance Is Not Enough on Its Own

It is tempting to view cyber insurance as an alternative to investing in security controls: "Why spend money on prevention when I can buy insurance to cover the losses?" This reasoning is deeply flawed, for several reasons.

Insurance does not prevent attacks. A cyber insurance policy pays out after an incident — it does not stop the incident from happening. The disruption, stress, and reputational damage of a cyber attack cannot be financially compensated. Customers who lose trust in your business after a breach may never return, regardless of whether the financial losses are insured.

Policies have exclusions. Cyber insurance policies are complex documents with numerous exclusions and conditions. If the insurer determines that you failed to maintain reasonable security controls, your claim may be denied. Several high-profile claim denials in the UK and US have centred on exactly this issue — the insured organisation suffered a breach, but the insurer argued that the breach was caused by the organisation's failure to implement basic security measures.

Premiums reflect risk. If your security posture is weak, your premiums will be high (if you can obtain cover at all). The money you save by not investing in security controls will be spent many times over in increased insurance costs.

Be Aware

Several UK insurers have successfully denied claims on the basis that the insured organisation failed to maintain the security controls they declared during underwriting. If you state that you have MFA enabled, patching in place, and endpoint protection deployed, your insurer will expect those controls to be functioning when a claim arises. Misrepresentation during underwriting can void your policy entirely.

The Combined Approach: Certification Plus Insurance

The most effective approach to managing cyber risk combines proactive security measures with financial protection. Cyber Essentials Plus certification addresses the prevention side — reducing the likelihood and impact of attacks by implementing fundamental security controls. Cyber insurance addresses the financial side — providing a safety net for the costs that remain when, despite your best efforts, an incident occurs.

Together, they create a comprehensive risk management framework that protects your organisation from both the technical and financial consequences of cyber threats.

This combined approach also sends a powerful signal to customers, partners, and regulators. It demonstrates that your organisation takes cyber risk seriously at every level — from the technical controls on your devices to the financial provisions on your balance sheet. In an era where supply chain security and third-party risk management are growing concerns, this comprehensive approach can be a significant commercial advantage.

Practical Steps for UK Businesses

If you are a UK business looking to strengthen your cyber risk management through a combination of certification and insurance, here is a practical roadmap.

Step 1: Achieve Cyber Essentials Plus certification. This should be your starting point, not just because it improves your security posture, but because it will make the subsequent insurance process easier and more affordable.

Step 2: Review your existing insurance. If you already have cyber insurance, review your policy in light of your new certification. You may be eligible for a premium reduction at your next renewal. Contact your broker to discuss.

Step 3: Obtain comprehensive cyber insurance. If you do not have cyber insurance, use your Cyber Essentials Plus certification as leverage when approaching insurers. The certification demonstrates that you are a well-managed risk, which should result in more competitive quotes.

Step 4: Maintain your controls year-round. Certification is not a one-time event. Maintain the security controls that earned you the certification, and ensure your insurance declarations remain accurate. A gap between what you told the insurer and what is actually in place could jeopardise a future claim.

Step 5: Renew both annually. Cyber Essentials Plus certification is valid for 12 months, and most cyber insurance policies run on an annual basis. Synchronise your renewal cycles where possible, and use each renewal as an opportunity to review and strengthen both your security controls and your insurance coverage.

Looking Ahead

The convergence of cybersecurity certification and insurance is likely to accelerate in the coming years. As the cyber insurance market matures, we expect to see even stronger links between certified security posture and insurance terms. Some insurers are already experimenting with continuous monitoring models — where the organisation's security posture is assessed on an ongoing basis rather than at a single point in time — and certification schemes are evolving to support this approach.

For UK businesses, the message is clear: Cyber Essentials Plus and cyber insurance are not alternatives or competitors. They are complementary components of a mature approach to cyber risk management. Investing in both provides the strongest possible protection for your business, your customers, and your reputation.

Strengthen Your Cyber Risk Management

Cyber Essentials Plus certification is the foundation of effective cyber risk management — and the key to better insurance terms. Let us help you achieve certification and build a security posture that insurers reward.

CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.