Renewal Information Guide – Cyber Insurance
In an increasingly digital world, Cyber Insurance plays a critical role in protecting your business against the financial and reputational fallout of cyberattacks, data breaches, and system failures.
Keeping your business risk information up to date is essential to ensure your insurance cover remains adequate, your premium remains competitive, and your insurer fully understands and accepts your risk.
At DPI, we provide bespoke advice and service when arranging your insurance. If there’s anything you don’t understand or need help with, please don’t hesitate to contact us – we’re here to support you.
Below is a summary of the key areas we typically review at renewal for a Cyber insurance policy and why they are important:
1. Business Activities and Data Exposure
We’ll confirm the nature of your business and how it uses, stores, and transmits data, including:
- Types of personal or sensitive data held (e.g. customer, employee, health, or financial records)
- Whether data is stored on-premises, in the cloud, or with third-party providers
- The number of records or users exposed to potential breaches
Understanding the volume and sensitivity of data processed helps insurers accurately assess your risk.
2. IT Infrastructure and Cybersecurity Measures
Strong IT security can reduce both your risk and your premium. Depending on the size of your business, we may review:
- Firewalls, antivirus, and endpoint protection
- Encryption practices for data in transit and at rest
- Multi-factor authentication (MFA) use
- Patch management and software updates
- Backup procedures and data recovery capabilities
3. Staff Training and Incident Response
Human error is one of the most common causes of cyber incidents. Depending on the size of your business, we may review:
- Whether staff receive regular cybersecurity awareness training
- If you have a written incident response plan or disaster recovery strategy
- Whether simulated phishing or penetration tests are conducted
4. Claims History and Known Incidents
Depending on the size of your business, we may review:
- Any cyber incidents, breaches, or ransomware attacks in the last 12 months
- Any regulatory actions (e.g. ICO investigations or GDPR fines)
- Lessons learned or changes made following previous incidents
All known incidents or vulnerabilities must be disclosed to ensure your cover remains valid.
5. Business Continuity and Downtime Risks
We’ll assess your exposure to potential business interruption caused by:
- Ransomware
- System failures
- Third-party IT provider outages
- Supply chain cyber events
Adequate Business Interruption (BI) cover under the cyber policy is essential to support recovery in such scenarios.
6. Coverage Limits and Scope
Depending on the size of your business, we may review:
- Limit of indemnity (e.g. £250k, £1M, or higher)
- Sub-limits for ransomware, social engineering, or regulatory fines
- First-party covers, such as data restoration, legal costs, PR/crisis management, and notification expenses
- Third-party covers, such as liability to customers or partners, breach of contract, and GDPR-related claims
7. Third-Party Providers and Outsourcing
Many businesses rely on third-party providers (e.g. cloud services, payment processors, IT firms). Depending on the size of your business, we may review:
- Who your key suppliers are
- Whether contracts include indemnities or cyber liability clauses
- What due diligence you carry out on your vendors’ cyber security
Outsourced risks are still your responsibility under most regulations and cyber policies.
8. Regulatory and Legal Compliance
Depending on the size of your business, we may review how your risk complies with relevant legislation and frameworks, such as:
- UK GDPR / Data Protection Act 2018
- PCI-DSS (if handling card payments)
- Cyber Essentials or ISO 27001 certification (if applicable)
Compliance not only protects your business but may also be a condition of cover or a factor in premium rating.
9. Insurance General Acceptance – Adverse Financial History, Health & Safety Breaches and Criminal History
Commercial insurance is subject to an ongoing fair presentation of risk, and insurance contracts are subject to certain standard general acceptance criteria. It is the ongoing responsibility of the policyholder to ensure any adverse financial history, health & safety breaches and criminal history are disclosed, as these are considered material facts that directly impact the insurer’s ability to accurately assess risk. Non-disclosure or misrepresentation of such information can lead to serious consequences, including the voiding of the policy, rejection of claims and legal action. Full disclosure ensures transparency, allows insurers to offer suitable terms and helps maintain the integrity of the insurance contract.
Please Note:
This guide is a general overview; it is not exhaustive and should not be construed as bespoke advice or a personal recommendation. Your specific cyber insurance needs will depend on the size, nature, and complexity of your digital operations.