Should cyber insurance be part of your business backup plan?

Insurance is all about managing risk. Unlike policies that are legally required for driving a car or taking out a mortgage, cyber insurance is optional. But for small businesses in particular, is cyber cover worth getting? If they don’t have the resources a larger organisation can dedicate to cybersecurity, could it help them manage the impact and harm from a security incident such as a ransomware infection?

Cyber insurance is not widely adopted. A 2025 report from the insurer Arctic Wolf found that as many as 50 per cent of their current clients in Ireland and the UK didn’t have cyber insurance. A UK Government survey, also from last year, found that one in three small businesses don’t have it, even though a similar percentage of companies know they could avail of it.

I’ll be upfront: I’m in favour of cyber insurance and I’ll explain why in this blog. Before I do that, in the interests of balance, I realise there are many good reasons why a business might choose not to take out a policy. I’m conscious that not every business can afford it, especially smaller businesses with limited budgets. Some insurance prices can be exorbitant, but I have a proposal that could potentially address this, and I’ll write about that below.

Even if a company wants to get cyber insurance, most insurers also require them to have certain cybersecurity controls in place as a condition of providing cover. That’s an extra expense, and possibly a prohibitive one in terms of time and money for a small business, over and above the actual cost of insurance.

The case against: cost and complexity

Another reason not to take out cover is that many policies are hard to understand without a background in cybersecurity. I’ve read through some of the policy documents and there’s a lot of jargon. Acronyms like MSP or EDR won’t mean a lot to someone working in a finance or administration role in a small company. And if you don’t understand what they mean, then how can you know what you’re signing up for? A business owner could be forgiven for thinking ‘I have antivirus installed on my laptop, isn’t that enough of a security measure’? But these policies include a ‘gotcha’: if a business hasn’t implemented the measures as laid out in the policy, the insurer won’t pay out in the event of an incident or breach.

As a side note, I would really like to see insurance companies review their documents and simplify the policy terms and conditions. When writing cover for small businesses, why not remove the jargon and replace it with plain English? The UK Government reviewed cyber insurance adoption and produced a report where even SMEs that had insurance said they found the policies were complex, coverage terms were opaque, and the qualifying requirements were tough.

The case for taking out cyber insurance

Now to look at reasons why it’s worth taking out cyber insurance: first on the list is peace of mind. If the unthinkable happens, insurance cover provides valuable financial support to manage the impact and mitigate the risk. Fines are one such risk: GDPR considers a ransomware attack that blocks access to a company’s information to be a data breach, and those penalties can be hefty.

The expense of recovering is also significant. That’s why tabletop exercises are so valuable, because they force businesses to calculate what it would take to recover from a serious event or disruption. Does the business have adequate funds to keep a bank of 40 laptops on standby because the staff’s original machines were all infected with malware? Does this fund include overtime pay for employees to work extra hours as the business recovers? That could also need to cover accommodation expenses if members of the team have to work in 24-hour shifts to get the business back on its feet.

Another reason to consider taking out cyber insurance is that some policies include incident response support, giving the business access to cybersecurity expertise they wouldn’t have the resources to employ otherwise.

The hidden cost of downtime

Downtime is another significant cost that doesn’t get enough attention. Recent research by Dr Mauricio Perez-Alaniz from the Kemmy Business School at the University of Limerick found that the greatest impact on businesses is from repeated day-to-day disruption rather than major one-off cyber breaches.

The research pointed to the cumulative effect of repeated disruption, downtime, lost productivity and operational interruption as creating the greatest economic cost for SMEs in Ireland. This leads to them losing more than 7.2 million working days every year due to cyber incidents. The research calculated the economic cost as almost €50,000 per SME annually and found that affected businesses experienced multiple incidents every year. The findings were published in a report, The Hidden Cost of Cyber Risk, from eir Business and supported by Microsoft.

Some businesses prefer to rely on their cash reserves if they run into an issue. However, a cash reserve is unlikely to cover reputational damage. When Marks & Spencer experienced a cyber attack in spring 2025, its profits weren’t the only thing to take a hit. Polls in the UK showed that the retailer’s reputation with consumers also suffered badly, even months after the original incident.

Reducing supply chain risk

Another reason to take out cyber cover is that certain entities like larger companies in regulated industries make it a prerequisite of doing business with them. Asking their suppliers to have cyber insurance or at the very least general cover is a form of guarantee that a business can continue to provide services even if it’s been disrupted by a cyber incident.

The good news is that if a business is already using a strong industry recognised security framework and independently certified it should reduce their premium when they go to get cyber insurance. Independently verifiable standards show that a business isn’t just self-assessing. Many of the controls listed in a typical cyber insurance policy, like having appropriate data backup and storage or suitable access controls, are similar to those found in ISO 27001:2022.

Ultimately it all comes back to cost, and this is a question every business needs to answer for itself. I believe there are more positive reasons to take out cyber insurance protection than there are reasons not to; and any short-term ‘saving’ by not doing so carries a much bigger cost in the long term.

How the Government can support cyber coverage

For SMEs that find the cost of cyber insurance too high, I would like to see the Government step in to help. Just as the welfare system helps the most vulnerable in society, I believe there should be some form of scheme to help improve the security of businesses that are at risk of falling through the net.

This could be a tiered system of policies based on the size of a business or its ability to pay. We already have a successful model for how this could work: during 2024 and 2025, the National Cyber Security Centre (NCSC) provided grants of up to €60,000 for SMEs to improve their cyber security posture. And it worked: a follow-up report from the NCSC found the grant improved the security posture of all 50 participants. This was a one-time scheme, but adapting it for insurance and adopting it more widely could be the proverbial rising tide that lifts all boats.

This matters because businesses of all sizes are more interconnected than ever through networks, technology and supply chains. Cyber insurance can be one part of a toolkit that businesses can use to make themselves more secure. If the smallest companies successfully reach a good threshold of security capability, either with assistance or by themselves, that makes everyone safer. 

Alexis Robinson is a Senior Cybersecurity Consultant with BH Consulting.

Why get in touch with BH Consulting

BH Consulting is a trusted, independent cybersecurity and data protection consultancy with over 20 years of experience. Whether you need expert guidance on compliance, risk management, or security strategy, our team delivers practical, vendor-neutral advice tailored to your needs.

Let’s start a conversation about securing your business.

cyber ireland 2021 logo
Respect in Security Pledge logo

Areas of interest*