While cyber insurance is not a ‘silver bullet’ to the cybersecurity challenges faced by organisations, it is an increasingly important tool for managing the financial and operational risks of cyber incidents. While not a substitute for strong cybersecurity, insurance complements good cyber hygiene by encouraging organisations to consider risk awareness and resilience. In conjunction with effective cybersecurity policies, insurance can help businesses financially secure themselves against the impact of a possible cyberattack. So why aren’t more UK small- and medium-sized enterprises (SMEs) using cyber insurance?
Cyber incidents can lead to lost revenue, reputational damage, and prolonged recovery periods, which are often existential threats for SMEs. Forty-four percent of businesses that identify a breach end up being victims of cybercrime, and 60% of these victims go out of business within six months. Cyber insurance can help reduce the financial impact of these incidents for SMEs by covering expenses such as breach notifications, data recovery, and legal costs. For SMEs, prolonged recovery periods can result in lasting competitive disadvantages.
SMEs represent 99% of UK businesses, employing three-fifths of the UK workforce and generating over 50% of the UK’s private sector turnover. Their economic footprint and their role in larger networks and supply chains make them a vital part of the economy. These factors – combined with limited budgets and security measures – make SMEs attractive targets for malicious actors.
Consequently, the UK’s Department for Science, Innovation and Technology (DSIT) commissioned a research project to analyse the adoption of cyber insurance by SMEs in the UK. This analysis explores SMEs’ perceptions of, and challenges in attaining, cyber insurance. This article reviews some of the findings from this report and proposes policy options to address this low uptake.
Barriers to SME adoption of cyber insurance
The research identified six key reasons why SMEs do not pursue cyber insurance:
1. Lack of awareness and perceived necessity
Of the 104 SMEs surveyed, nearly four in ten (38%) are not aware of cyber insurance. Fourteen percent of SMEs pointed to the complexity of navigating policy documents as a challenge. Many remain confused about the specifics of their coverage and the options available to them. Among the 35% of SMEs who did not purchase cyber insurance, 28% did not think it was necessary, and 28% did not know enough about cyber insurance to form an opinion.
2. Cost and financial constraints
The cost of insurance is a significant barrier, with 36% of SMEs citing it as a prohibitive factor. Many SMEs operate on tight budgets and perceive cyber insurance as an unnecessary expense, especially if they believe they can self-insure or if they lack a formal approach to cyber risk management.
3. Unclear and limited advice
Thirty-one percent of SMEs are deterred by unclear or limited advice from brokers, and only 8% found insurer or broker information to be ‘very clear’, indicating significant confusion about policy details. SMEs also expressed a need for clearer case studies demonstrating the value of cyber insurance and for more transparent loss ratio data to better understand the benefits versus costs.
4. Challenges in meeting cybersecurity requirements
Sixty-five percent of insured SMEs had to meet specific security requirements to qualify for coverage, with half of those spending between £5,000 and £25,000 (US$6,757 to $33,484) in order to comply. Twenty-nine percent highlighted the difficulty in meeting cybersecurity requirements as a major limitation to securing coverage. Additional challenges included assessing whether outsourced IT providers met technical requirements as well as educating boards on best practices.
5. Limited awareness of government initiatives
Many SMEs remain unaware of government initiatives like the Cyber Aware campaign and the Cyber Essentials scheme, which are designed to help businesses improve their cyber resilience and provide guidance on cyber insurance. Only 12% of organisations surveyed were aware of Cyber Essentials and just 25% were acquainted with Cyber Aware.
Addressing persistent barriers
The research reinforces several findings from the 2025 Cyber Security Breaches Survey, which found that, among those organisations without cyber insurance, 34% did not consider it a budgetary priority, while 37% highlighted lack of awareness as a barrier. This speaks to a wider trend not only of organisations failing to prioritise cybersecurity but also of low awareness of government schemes.
Just 32% of businesses have carried out any form of cyber risk assessment in the past 12 months. While 29% of respondents were aware of the Cyber Essentials scheme, uptake is much lower, with only 6% being certified. Just 4% of businesses report using any government-provided cybersecurity resources or support in the past year. This represents a critical gap in proactive risk management and suggests that government initiatives are not reaching their intended audience.
To address this, DSIT is designing policies that will influence organisations to better manage their cyber risk and enhance their resilience. Our work examines this through three lenses:
Inform: Ensuring the right audiences receive the right messages and working with industry stakeholders to champion this effort.
Incentivise: Creating a ‘secure by demand’ economy by working with sectors to strengthen supply chain requirements by embedding Cyber Essentials certification and relevant codes of practice, and by collaborating with market influencers – such as insurers and investors – to ensure good cyber habits are rewarded.
Instruct: Enhancing public procurement requirements and putting voluntary measures on a stronger footing by linking them to wider regulatory requirements and standards frameworks.
All three lenses have a role to play in the following research-based policy recommendations for both industry and government:
First, we must elevate the role of cyber insurance in SME risk mitigation, including more effectively communicating the importance of cyber insurance as a part of SMEs’ overall risk mitigation strategy.
Second, we need to accelerate adoption of innovative underwriting practices. Traditional underwriting models must evolve to better reflect today’s cyber risks, ensuring more effective and forward-looking risk management strategies. Industry should lead in developing innovative models, supported by government where necessary.
Finally, specialist expertise in cyber insurance should be promoted. Government and industry must help brokers, insurers, and underwriters to develop a common language that can help SMEs understand the risks posed to them and what their policies cover.
To implement these recommendations, DSIT intends to work closely with a wide range of stakeholders, including insurers, brokers, and SMEs. Together, we will agree on the best course of action to address these crucial challenges and support SME resilience, ultimately supporting the growth, stability, and competitive advantage of the wider UK economy.






