Achieving your Cyber Essentials or Cyber Essentials Plus accreditation is a wise business move and we highly recommend it. It’s a government-backed UK scheme that will fill any gaps in your knowledge around basic cyber security, and guide you towards securing your systems. It’s also a winning move with customers and suppliers to demonstrate that your business is committed to protecting their information and, in the case of government contracts, it may be a mandatory requirement.
The government website states that 92% fewer insurance claims are made by businesses and organisations with the Cyber Essentials controls in place. This is a sign of a successful programme.
Take the Insurance Upsell or Shop Around?
When you complete the accreditation, you are likely to be presented with an offer for cyber insurance: a bundled-in, one-stop-shop deal. This is a red flag to us. While this looks to be a convenient way to buy the insurance cover you need, that convenience could come at the cost of adequate financial protection.
- Being upsold Cyber Essentials Insurance with your accreditation?
- Quick and convenient should never beat shopping around
The Cyber Risk Reality Check: a standard £25k. Is it enough?
The accreditation process drives businesses towards a baseline level of security. Achieving this standard can sometimes automatically grant access to a limited amount of insurance cover. While this initial cover is a valuable endorsement of your security status, the financial reality of a serious cyber incident quickly outstrips modest policy limits.
Let’s look at the details. Most basic certifications come with insurance that has a small policy limit. £25,000 is a figure often associated with basic certifications, and it will be rapidly exhausted by the costs that follow a cyber security breach. Costs include:
- IT Investigation & Forensics: To determine the cause and extent of a breach.
- Legal & Notification Costs: Managing legally mandated communication to affected customers, under GDPR.
- Regulatory Fines: Penalties can be incurred, from bodies like the ICO.
- Business Interruption: Lost revenue and recovery costs from system downtime.
Industry professionals widely agree that a comprehensive policy requires a significantly higher indemnity limit, with recommendations often starting from £500,000 and escalating to £2,000,000 or more, depending on your company’s data sensitivity and turnover.
A bundled Insurance Upsell Package v Insurance from an Independent Professional
Let’s look at how the Cyber Essentials standard insurance compares to an independent broker solution:
| Feature | The Bundled Option (An Upsell) | The Independent Broker Option |
| --- | --- | --- |
| Primary Focus | Speed and Convenience. Focused on leveraging the CE certificate for an immediate transaction. | Suitability and Advocacy. Focused on your specific risk profile and future claim support. |
| Pro: Access | Instant eligibility and streamlined process. | Access to the entire market to obtain best in class. |
| Pro: Service | Recognition of Cyber Essentials controls simplifies initial qualification. | Offers professional advice and service, focused on client needs and claim advocacy. |
| Con: Coverage | Potential for inadequate policy limits (£25k is rarely sufficient) and limited insurer choice. | Requires a separate step and comparison process, though the CE certificate simplifies underwriting. |
| Con: Sales Style | Often a hard upsell focused on speed rather than suitability. | Minimal administrative inconvenience. |
As proven by so many high-profile cases in 2025, cyber insurance is critical for business continuity. Cover for First- and Third-Party Liabilities and Business Interruption is arguably more important in a corporate disaster recovery plan than traditional property insurance (like fire or escape of water cover).
The Insurance Professional’s View: Your Best Approach To Cyber Cover
Cyber insurance is surprisingly accessible, with basic policies starting at less than £200 per annum for modest cover.
Our guidance, intended to comply with Financial Conduct Authority (FCA) guidelines, ensures clarity and fairness:
- Do Not Settle for Minimal Cover. The cover automatically associated with certification is a starting point, not a destination. Your business deserves genuine financial resilience.
- Demand Clarity on Wording. Ensure you fully comprehend the policy’s exclusions and limits before committing. Do not assume cover exists for a scenario until it is explicitly confirmed in the policy wording.
- Seek Specialist, Independent Advice. An independent broker can assess your true risk profile and seek cover from the whole market, ensuring you secure a policy limit and wording that provides genuine financial resilience.
As an FCA-registered firm, Acer Insurance Services specialise in assessing cyber risk and policy adequacy. Would you like to connect with a specialist to review your current or proposed cover?
This blog post is for informational purposes only. When arranging your insurance, always consult with an FCA-registered broker to ensure the advice is tailored to your specific circumstances.