The key UK cyber insurance statistics in one place — how many businesses actually carry cover, how uptake varies by firm size, how much insurers are paying out in claims, and where pricing and the wider market are heading, with the data period stated next to every figure.

Cyber insurance is the risk-transfer side of the same problem covered by our attack and breach statistics pages: when a breach lands, does anyone pick up the bill? The reliable UK numbers come from a short list of sources — the government's Cyber Security Breaches Survey from the Department for Science, Innovation & Technology (DSIT) for uptake by size band, the Association of British Insurers (ABI) for claims paid, and named-methodology market reports from Marsh, Hiscox and Gallagher for pricing and market size.

This page brings those figures together. It is scoped to insurance specifically — uptake, cover levels, claims and payouts, pricing and market size. Ransom-payment behaviour sits on our ransomware page and per-incident breach costs on our data breach page; both are cross-linked below. Every figure carries its data period, and every source is linked in full at the end.

Key facts and figures

  • 45% of UK businesses held some form of cyber insurance in 2025 — broadly flat on 43% in 2024.
  • 7% held a specific standalone cyber policy; the other 38% had cover bundled inside a wider policy.
  • ~£197 million was paid by UK insurers in cyber claims for 2024 — a 230% year-on-year rise, some £138m more than 2023.
  • 51% of paid cyber claims in 2024 involved malware and ransomware, up from 32% in 2023.
  • 1 in 5 businesses (20%) did not even know whether they held any cyber insurance.
  • 62% of small businesses had cover in 2025, up sharply from 49% a year earlier.
  • ~7% — the fall in UK primary cyber pricing in Q1 2025, leaving rates roughly 42% below their 2022 peak.
  • ~£13.2bn — the premium written across the UK cyber (re)insurance sector over 2025.

These are the latest figures available as of July 2026, and this page is re-swept twice a year: the Cyber Security Breaches Survey is published each April, the ABI's cyber claims data each November, and the Marsh, Hiscox and Gallagher market reports through the rest of the year.

The headline measures at a glance:

MeasureLatest figureData periodTrend / detail
UK businesses with any cyber insurance45%2025 survey (fieldwork Aug–Dec 2024)Up from 43% in 2024 and 37% in 2023 — a plateau
Businesses with a specific standalone policy7%2025 surveyVast majority get cover inside a wider policy (38%)
Cyber claims paid by UK insurers~£197m2024 calendar year (ABI, Nov 2025)Up 230% on ~£59m in 2023
Malware/ransomware share of paid claims51%2024 (ABI)Up from 32% in 2023
Businesses unsure if they are covered20%2025 surveyOne in five could not say either way
Small-business uptake62%2025 surveyUp from 49% in 2024
UK primary cyber pricing change−7%Q1 2025 (Marsh)~42% below 2022 peak; abundant capacity
UK cyber (re)insurance premium~£13.2bn2025 (Gallagher)Market-size estimate for the UK sector

What percentage of UK businesses have cyber insurance?

45% of UK businesses held some form of cyber insurance in 2025, broadly flat on the 43% recorded in 2024, according to the Cyber Security Breaches Survey (fieldwork August–December 2024). That single number hides the more revealing detail: the overwhelming majority of that cover is not a dedicated cyber policy at all. Only 7% of businesses held a specific standalone cyber-insurance policy; the other 38% had cyber cover bundled inside a wider business insurance policy — the kind of add-on that can carry lower limits and narrower triggers than a purpose-built cyber policy.

The distinction matters because "having cover" and "having cover that pays out for a serious cyber event" are not the same thing. A business that relies on a cyber extension within a general commercial policy may find sub-limits, exclusions or notification conditions bite exactly when a breach lands. The headline 45% is therefore best read as an outer bound on genuine protection, not a floor.

Charities lag the business population. 34% of charities held cyber cover in 2025, unchanged from 2024, the same survey found — a persistent gap that mirrors the wider under-resourcing of cyber defences in the sector.

Has UK cyber insurance uptake stopped growing?

Yes — uptake has clearly plateaued at around 45%. The Cyber Security Breaches Survey trend runs 37% in 2023, 43% in 2024 and 45% in 2025: a slowing curve that has flattened at just under half of all businesses. After several years of steady growth, the market appears to have reached the limit of businesses that will take up cover under current conditions.

The reasons the uninsured give are less about price than about awareness. Among businesses without cover, 37% said they were simply unaware cyber insurance existed, and 34% said it was not a budget priority (2025 survey). That first figure is striking a decade into the product's mainstream availability: for a sizeable slice of the market, the barrier is not cost or scepticism but never having heard of the cover at all.

Perhaps the starkest gap in the data is not between insured and uninsured, but among businesses that cannot say which they are. One in five businesses (20%) did not know whether they held any cyber insurance in 2025. When a fifth of the economy cannot answer a basic question about its own risk transfer, the true level of effective protection is lower than the uptake headline implies.

How does cyber insurance uptake vary by business size?

Uptake rises through the small and medium bands and then dips at the top. The 2025 Cyber Security Breaches Survey puts cover at 41% for micro businesses, 62% for small businesses, 65% for medium businesses and 53% for large businesses. Medium-sized firms are the most likely to be insured; the largest organisations are less likely to buy a policy, typically because they self-insure, carry the risk on their balance sheet, or run bespoke programmes that the survey's categories do not capture cleanly.

The sharpest single-year move came from small businesses. Small-business uptake jumped from 49% in 2024 to 62% in 2025 — a 13-point rise that is the clearest sign of the product reaching further down the market. It is also the change most likely to shift the overall figure in the next survey, if it holds.

Business sizeUptake 2025Detail
Micro (up to 9 staff)41%Lowest uptake; the awareness gap bites hardest here
Small (10–49 staff)62%Up from 49% in 2024 — the biggest single-year rise
Medium (50–249 staff)65%Highest uptake of any size band
Large (250+ staff)53%Dips at the top; more self-insurance and bespoke cover
Charities34%Unchanged on 2024; persistent lag behind businesses

How much do UK insurers pay out in cyber claims?

UK insurers paid around £197 million in cyber claims for the 2024 calendar year — a 230% rise year on year, roughly £138 million more than the ~£59 million paid in 2023, according to the ABI's cyber claims release published in November 2025. It is the clearest signal yet that the claims side of the market has caught up with the threat: payouts more than tripled in a single year even as uptake barely moved.

The composition of those claims tells you what is driving the bill. Malware and ransomware made up 51% of paid cyber claims in 2024, up from 32% in 2023 — so just over half of everything insurers paid out traced back to malicious encryption or extortion. That share is the insurance-side echo of the ransomware threat picture; the payment-behaviour numbers behind it (how many victims pay, and how much) live on our dedicated ransomware page rather than here.

Demand for cover kept climbing on the same data. The number of cyber policies taken out in 2024 grew 17% year on year, per the ABI — a reminder that while the survey-measured penetration rate has plateaued, the raw count of policies in force is still rising as more businesses formalise cover they previously lacked.

Claim notifications hit a record and the nature of extortion shifted decisively. Marsh, one of the largest UK cyber brokers, logged 668 UK cyber claim notifications in 2025 — its highest annual total to date and up 8% on 2024, according to its UK Cyber Claims Trends 2025 report. Rising notifications on a plateauing insured base point to more incidents per policy, not simply more policies.

The most telling trend inside those notifications is how extortion is changing. Encryption-based ransomware fell from 70% of extortion claims in 2021 to just 24% in 2025, Marsh found, as attackers pivoted from locking systems to stealing data and threatening to publish it. For insurers, data-theft extortion changes the claim profile: the cost centre moves from system recovery towards notification, legal exposure and regulatory response — the very obligations covered in our data breach response guide.

What is happening to cyber insurance prices and the UK market?

Prices have been falling, not rising — a soft market driven by abundant capacity. Marsh reported that UK primary cyber insurance pricing fell around 7% in the first quarter of 2025 and now sits roughly 42% below its 2022 peak. After the hard market of 2021–22, when rates spiked and cover tightened, a wave of new capacity has pushed premiums back down and made cover easier to buy — one reason smaller businesses have been able to take up policies.

The wider market is substantial. The UK cyber (re)insurance sector wrote around £13.2 billion in premium over 2025, according to Gallagher's UK Cyber Market Report 2025, underlining that cyber has moved from a niche add-on to a mainstream line of business. Set against ~£197m of claims paid for 2024, that premium base also shows why capacity remains plentiful: the line is, for now, comfortably profitable at the aggregate level even after the 230% jump in payouts.

The direction of travel from here is uncertain. A tripling of claims paid in one year is exactly the kind of signal that can eventually firm pricing again if it persists — so the current buyer-friendly conditions should not be assumed to be permanent.

Frequently asked questions

What percentage of UK businesses have cyber insurance?

45% held some form of cyber insurance in 2025, broadly flat on 43% in 2024 (Cyber Security Breaches Survey). But only 7% held a specific standalone cyber policy — the other 38% had cover bundled inside a wider business policy, which can carry lower limits and narrower triggers.

How much do UK insurers pay out in cyber claims?

UK insurers paid around £197 million in cyber claims for 2024, a 230% rise on the ~£59 million paid in 2023 (ABI, November 2025). Malware and ransomware accounted for 51% of those paid claims, up from 32% the year before.

Do small businesses need cyber insurance?

Uptake among UK small businesses jumped from 49% in 2024 to 62% in 2025, so a clear majority now carry cover. Whether a business needs it depends on the data it holds and its ability to absorb a breach unaided, but the biggest barrier the uninsured cite is awareness — 37% did not know cyber insurance existed. The NCSC publishes neutral guidance on assessing whether cover is right for your organisation.

Does cyber insurance cover ransomware payments?

Ransomware is the single largest driver of paid claims — 51% of UK cyber payouts in 2024 involved malware or ransomware. Whether a specific policy covers a ransom payment itself, as opposed to recovery and response costs, depends on the wording, and the UK government has confirmed plans to ban ransom payments by the public sector and critical national infrastructure. The payment-behaviour statistics — how many victims pay and how much — are covered in full on our ransomware statistics page.

Is cyber insurance uptake in the UK still growing?

Not meaningfully. Uptake rose from 37% (2023) to 43% (2024) to 45% (2025), a clearly flattening curve. The count of policies in force is still rising — policies taken out grew 17% in 2024 — but survey-measured penetration has plateaued at just under half of businesses.

Sources & references

Most cyber claims start with an everyday mistake — a missed update, a weak password, a convincing email. Cover pays the bill afterwards; training helps stop the breach in the first place and meet your UK GDPR duties.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, workplace compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.