Skip to content
Guide

Ransomware and cyber insurance, explained properly.

Ransomware is rarer than the headlines suggest, and costs far more than most people imagine. And the insurance that is supposed to catch you now comes with homework attached. Here is what an attack really costs, what insurers ask for before they will cover you, and what can quietly cancel a claim.

Published 12 July 2026

The renewal questionnaire from your cyber insurer has doubled in length, the quote has conditions attached, and half the questions assume a security team you do not have. What follows is the context behind all of it: the real numbers on ransomware, why insurers now ask what they ask, and the quiet mistake that costs businesses their cover at the worst possible moment. Sources sit at the end, mostly GOV.UK, the NCSC, the ICO and the insurance industry itself.

The short version.

  • Ransomware is rare but ruinous. About 1% of UK businesses reported it last year, down from 3%. Phishing, the way most attacks begin, hit 38% of all businesses.
  • When it lands, it is expensive. UK organisations surveyed by Sophos reported an average recovery bill of $2.58 million, around £1.9 million, before any ransom.
  • The NCSC is blunt about paying: no guarantee you get your data back. The ICO has confirmed that paying will not reduce a fine.
  • Insurers now ask for proof of specific protections before they will cover you, and a wrong answer on the application form can undo the whole policy when you claim.
  • Only 10% of UK businesses hold a specific cyber insurance policy. Many who think they are covered are relying on a thin cyber clause in a broader policy.

What ransomware actually is.

Ransomware is malicious software that locks your files and systems so your own business cannot use them, followed by a demand for payment to unlock them. Modern gangs usually steal a copy of your data first, so the threat comes twice: pay or stay locked out, and pay or we publish. That second threat is why “we have backups” is necessary but not enough. Backups bring your systems back. They do not un-steal your data.

It almost never starts with anything dramatic. The usual front door is phishing: an email that talks someone into handing over a password or opening the wrong attachment. From that foothold, attackers work their way towards whatever hurts most.

The real odds.

Plenty of marketing wants you scared. The Cyber Security Breaches Survey, the government’s own yearly measurement, deserves a fair reading instead:

  • 43% of UK businesses found a cyber breach or attack in the last year. For medium-sized businesses it was 65%.
  • Phishing leads by a mile, hitting 38% of all businesses.
  • Ransomware itself hit around 1% of businesses, down from 3% in each of the two years before.

So the real picture is not “ransomware is everywhere”. It is that the attempts are everywhere, the door they come through is almost always the same one, and the small share that turn into ransomware become the worst weeks a business can have. You guard the door because it is cheap. You prepare for ransomware because of what it costs when the door fails.

What an attack actually costs.

The ransom makes the headlines. It is rarely the biggest number. Sophos, which surveys thousands of organisations every year, found UK victims reported an average of $2.58 million in recovery costs, up from $2.07 million the year before. That covers downtime, lost business, people’s time and rebuilding, before any ransom. The survey covers organisations of one hundred staff and up, so the numbers run smaller for smaller firms, but the shape of the bill is the same: the disruption costs more than the demand.

Two more findings stand out. Across the world, 49% of victims paid, and those who paid handed over 85% of the first demand on average. You can haggle the number down. You are still paying most of it.

Should you ever pay?

Three institutions have answered this, in writing.

The NCSC and UK police do not support paying. Their reasons are practical, not moral: there is no guarantee you will get your data back, your systems are still infected afterwards, you are funding organised crime, and you have just told the criminal world that you pay.

The ICO, the data protection regulator, settled the question that matters most to nervous boards. In a joint letter with the NCSC it confirmed that paying a ransom will not reduce any fine it hands out. What does help is exactly what you would hope: understanding what happened, reporting it, and being able to show you followed NCSC guidance beforehand.

The government has gone further. In its 2025 response to the ransomware consultation it confirmed a full ban on ransom payments by the public sector and by operators of critical national infrastructure, the likes of power, water and health. Private businesses keep the choice, with a catch: you will have to tell the authorities before paying, payments can be blocked where the money would reach banned groups, and every victim will have to report incidents, with a first report within 72 hours and a fuller one within 28 days. The law is still working its way through Parliament, but the direction is set: paying quietly is ending.

What your insurer now asks for.

A few years ago a cyber policy was a form with a dozen questions. After years of heavy ransomware losses, insurers now check businesses the way engineers do: show us the protections, or there is no cover, or cover with a painful excess. The list is now much the same across the whole market:

What they ask for What it means in practice
Multi-factor authentication A second check beyond the password, on email, remote access and admin accounts. The single most-asked question on every form.
Tested, separated backups Copies of your data that ransomware cannot reach from your network, proven by actually restoring from them, with the test written down. An untested backup is a hope, not a backup.
Monitored protection on every device Modern security software on computers and servers, with someone actually responding to what it finds.
Updates applied Security updates installed promptly, with the stragglers tracked rather than forgotten.
Staff training Because phishing is the front door, and your people are the handle.
A plan for the bad day Who does what in the first hour, written down before you need it. Only 25% of UK businesses have one.

None of this is arbitrary. Every item on that list matches how real attacks succeed, which is why the NCSC recommends the same things for free. The insurance market has simply started charging for ignoring them.

How claims actually fail.

This is the part that deserves far more attention than it gets. Cyber policies mostly do pay out. When they do not, the reason is usually not small print about the attack. It is the answers your business gave on the application form.

UK law gives businesses buying insurance a duty to present their risk fairly: in plain terms, your answers must be true. Law firm Bird & Bird spells out what happens with the most common question: if a business said multi-factor authentication was in place when investigators later show it was not, the insurer may be entitled to pay less, or to treat the policy as if it never existed. In one widely reported US case an insurer cancelled a policy outright because the form said MFA was fully in place when it was only partial. The gap did not even need to have caused the break-in.

The trap is rarely dishonesty. It is the renewal form filled in hopefully by whoever it landed on, ticking “yes, MFA everywhere” because it is mostly true. In insurance, mostly true is the expensive kind of false. The fix costs nothing: answer the form from evidence, not memory. And if the true answer is “not yet”, say so and fix it. A slightly higher premium is worth infinitely more than a cancelled claim.

The Cyber Essentials shortcut.

If this all sounds like a lot of moving parts, the UK has a scheme that packages the basics: Cyber Essentials, the government-backed certificate covering five core protections. It is increasingly asked for in supply chains and government contracts, insurers look kindly on it, and it comes with a useful perk: any UK organisation with a turnover under £20 million that certifies across its whole organisation is automatically entitled to cyber liability insurance, including 24-hour incident response support. The included cover is modest and will not carry a bad week on its own, but as a floor, included free with a certificate you likely need anyway, it is the easiest yes in this whole subject.

One thing to be clear about before the last section: Gotschna is not an insurance broker. We do not sell insurance or advise on policies; that stays between you and your broker. Our work is the other half of the equation, making a business secure enough that the cover is easy to get and the technical questions are easy to answer truthfully.

How to get ready.

The businesses that get this right all follow the same order:

  1. Find out where you stand. Learn where MFA genuinely is and is not, what the backups would actually bring back, and who would do what on the worst morning. This is the step that makes every later answer true.
  2. Close the gaps insurers price. MFA everywhere that matters, backups that ransomware cannot reach, monitored protection on every machine, updates applied. The same short list every time, because it is the list that works.
  3. Prove it. Restore a backup and time it. Run the phishing training. Write the one-page plan for the bad day. Written proof is what turns “we think so” into “here is the evidence”, for you and for the insurer.
  4. Then let your broker place the cover, armed with evidence. Answer the application form against what you proved in step three, not what you hope. Review it every year, because the questions keep getting sharper.

Done in that order, the protections cut the odds, the evidence keeps the policy solid, and the insurance covers what remains. Done in the other order, you own a document that pays out right up until the moment you need it.

Sources and further reading.

  1. GOV.UK: Cyber Security Breaches Survey 2025/2026 (April 2026)gov.uk
  2. NCSC: Ransomware hub, guidance for organisationsncsc.gov.uk
  3. GOV.UK: Government response to ransomware legislative proposals (July 2025)gov.uk
  4. NCSC and ICO: joint letter to the Law Society and Bar Council on ransom payments (July 2022)ncsc.gov.uk
  5. NCSC: Solicitors urged to help stem the rising tide of ransomware payments (July 2022)ncsc.gov.uk
  6. Sophos: The State of Ransomware 2025 (June 2025)sophos.com
  7. Sophos press release: Nearly half of companies opt to pay the ransom (June 2025)sophos.com
  8. Bird & Bird: Multi-factor authentication and cyber insurance (2023)twobirds.com
  9. NCSC: Cyber Essentials overviewncsc.gov.uk
FAQs

Common questions.

Should we ever pay a ransom?

The NCSC and UK police do not support paying, and they are clear about why: there is no guarantee you get your data back, your systems are still infected, you are funding criminals, and you mark yourself as a business that pays. Paying also does nothing for you with the regulator: the ICO has said in writing that paying a ransom will not reduce any fine. And under the rules the government has now confirmed, businesses will have to tell the authorities before any payment is made.

If we have good backups, do we still need insurance?

They solve different problems. Tested backups get your systems back. They do not pay for investigators, legal advice, telling affected customers, or the money lost while you recover. Insurance covers those costs, but it assumes you have the backups: try buying a policy without them. The strongest position is both: you can recover quickly, and you are covered for the rest.

Will insurance actually cover a ransom payment?

Many policies can pay a ransom back today, and insurers bring in specialist negotiators before any decision. But the direction in the UK is away from paying. The NCSC advises against it, paying certain criminal groups is already illegal, and under the new government rules businesses will have to notify the authorities first. Treat the ransom as the cost your backups exist to avoid, not a cost insurance makes painless.

We are a small business. Are we really a target?

You are not targeted the way a bank is. You are caught the way fish are: in nets. Most attacks start with phishing emails sent in bulk to everyone, and 42% of micro businesses reported a breach or attack in the last year. Criminals automate the door-rattling and follow whichever door opens. Being small does not make you invisible. It usually just means fewer locks.

Let’s work together to make technology
work for you.

Contact us today
Contact

Get in touch. We’re here to help.