Clarifying the landscape
Insurance Won't Save You (But You Still Need It)
Understanding the difference between cyber insurance and Cyber Essentials - and why the order matters
I get this question at least once a week.
Someone's heard they need cyber insurance. Someone else has told them they need Cyber Essentials. Their broker's pushing one thing, their potential client's demanding another, and they're standing in the middle wondering if they're the same thing, different things, or whether they can skip both and hope for the best.
Let me clear this up. After four years of helping small businesses navigate this, I've seen every version of this confusion - and every consequence of getting it wrong.
They're Not the Same Thing
First, the basics.
Cyber Essentials is a certification. It proves you have the scheme's five basic technical controls in place: firewalls, secure configuration, security update management, user access control (passwords, multi-factor authentication, least privilege) and malware protection. It's preventative. It reduces the chance of an attack succeeding in the first place.
Cyber insurance is a financial product. It helps cover costs if something goes wrong - breach response, data recovery, legal fees, business interruption. It's reactive. It helps you recover after an attack has already happened.
One is a lock on your door. The other is a policy that helps you rebuild if someone breaks in anyway.
You wouldn't buy home insurance and then leave your front door wide open. Same principle applies here.
The Mistake I See Constantly
Here's what happens. A business owner gets worried about cyber threats. They call their insurance broker. The broker sells them a cyber insurance policy. The business owner feels protected.
They're not.
Insurance doesn't stop attacks. It doesn't strengthen your passwords. It doesn't patch your software. It doesn't train your staff to spot phishing emails.
All it does is provide money after something bad has already happened. And by then, the damage is done - data stolen, customers affected, reputation damaged, operations disrupted.
I've met business owners who had cyber insurance and still nearly went under after an attack. The insurance helped with the financial recovery, but it couldn't undo the breach. It couldn't bring back the clients who lost trust. It couldn't restore the three weeks of productivity lost to chaos.
Insurance is not protection. It's a safety net. And a safety net only works if you haven't already fallen through the floor.
The Dirty Secret About Policies
Here's something your broker might not emphasise: most cyber insurance policies have conditions.
Read the small print. You'll often find clauses requiring you to have "reasonable" security measures in place, and increasingly specific warranties about named controls: multi-factor authentication on email and remote access, backups that are kept offline or regularly tested, patching within a set number of days. Some policies specifically mention Cyber Essentials or equivalent standards.
What does this mean in practice?
If you suffer a breach and you can't demonstrate basic security controls, the insurer might not pay out. Or they'll reduce the payout. Or they'll argue that your negligence contributed to the loss. The most common trigger is simpler still: the proposal form asked whether you had MFA, backups or patching in place, someone ticked "yes", and the post-breach investigation shows otherwise. An inaccurate answer on the application can void cover for that loss.
I've seen it happen. Business gets hit. Claims on insurance. Insurer investigates. Finds out the WiFi password was "Welcome1" and half the team had the same login credentials. Claim denied or reduced.
You paid the premiums. You thought you were covered. You weren't - because you hadn't done the basics.
Cyber Essentials certification is proof that you've done the basics. It's documentation that can support your insurance claim. It's evidence of due diligence.
Which One First?
This is the key question, and the answer is clear: Cyber Essentials first.
Here's why:
Prevention beats recovery. Every attack you prevent is better than an attack you recover from. Certification reduces your attack surface. Insurance doesn't.
Certification is cheaper. Cyber Essentials costs a few hundred pounds. Insurance premiums for a small business can run into thousands annually. If budget is tight, certification gives you more security per pound.
Certification can reduce insurance costs. Many insurers offer discounts for businesses with Cyber Essentials certification. In the UK, organisations with a turnover under £20 million that certify their whole organisation through IASME also get a basic cyber liability insurance policy included at no extra cost. You're a lower risk, so you pay lower premiums. The certification can partially pay for itself.
Insurance might require it anyway. As mentioned, many policies have conditions about basic security. Get certified first and you know you'll meet them.
You can operate without insurance. It's a risk, but it's legal. You cannot bid for many contracts without Cyber Essentials. Certification opens doors that insurance doesn't.
The Right Order
If you're starting from nothing, here's the sequence I recommend:
Step one: Get Cyber Essentials certified.
This is your foundation. Do this first, regardless of budget constraints. It's achievable, affordable, and it makes everything else easier.
Step two: Review your insurance needs.
Once you're certified, talk to your broker about cyber insurance. Your certification might get you better rates. You'll definitely be better informed about what questions to ask.
Step three: Understand what the policy covers.
Not all cyber insurance is equal. Some cover breach response costs. Some cover business interruption. Some cover regulatory fines. Know what you're buying.
Step four: Keep both current.
Cyber Essentials requires annual renewal. Insurance policies need regular review. As your business changes, your coverage needs change too.
What Insurance Actually Covers
Let me be clear about the value of insurance, because I'm not saying you don't need it.
A good cyber insurance policy can cover:
Incident response costs. Forensic investigation, legal advice, PR support. These add up fast during a crisis.
Data recovery. Getting your systems back online, restoring from backups, rebuilding what was lost.
Business interruption. Lost revenue during downtime. This can be the biggest cost of all.
Notification costs. If personal data is breached, you may need to notify affected individuals. That's expensive at scale.
Regulatory fines. UK GDPR penalties can be significant. Some policies help cover them, but usually only "where insurable by law", and whether a regulator's fine can legally be insured is unsettled in the UK and many other jurisdictions. Treat this line of cover as a bonus, not something to rely on.
Third-party claims. If your breach affects your clients, they might sue. Insurance helps with legal defence and settlements.
These are real costs that can destroy a small business. Insurance protection against them is valuable.
But it's only valuable if you've also done the prevention work. Otherwise you're just buying an expensive policy you might not be able to claim on.
My Story
When we started our Cyber Essentials journey, I looked at insurance first. The quotes were terrifying. Thousands of pounds annually for a small business like ours.
I nearly gave up on both. Couldn't afford the insurance, didn't understand the certification, figured we'd just take our chances.
Then TransCrypt helped me understand the difference. Get certified first. That's affordable. That's achievable. That actually protects you.
We got certified for a fraction of what insurance would have cost. Six months later, when we did get insurance, our premiums were lower because of the certification. The insurer saw us as a better risk.
If I'd done it the other way round - expensive insurance with no certification - I'd have spent more money for less protection. And I might not have been able to claim anyway if something went wrong.
The Question I Ask Clients
When someone asks me "insurance or certification?", I ask them this:
"If you had a break-in tomorrow, would you rather have prevented it, or have money to clean up afterwards?"
Everyone says prevention.
Then get certified first. That's prevention. Insurance is the cleanup fund - important, but secondary.
Can You Afford Either?
The honest answer: you can't afford not to.
Cyber Essentials certification: around £300-500 plus the monthly platform cost. Call it £500-700 for the first year.
Cyber insurance: varies wildly, but budget £1,000-3,000 annually for a small business.
The cost of a breach without either: potentially tens of thousands. Lost data. Lost customers. Lost reputation. Lost time. Some businesses never recover.
If budget is genuinely tight, prioritise certification. It's cheaper and it provides actual protection. Add insurance when you can afford it.
But don't skip both. Don't just hope you're too small to be targeted. You're not. We covered this in another post - small is actually why they target you.
The Bottom Line
Cyber insurance and Cyber Essentials are not alternatives. They're complements.
Certification prevents attacks. Insurance helps you recover when prevention isn't enough.
You need both, eventually. But if you're choosing where to start, choose certification. It's cheaper, it's more protective, and it might be required for your insurance to actually pay out anyway.
The roof is important. But build the foundation first.
Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt. His insurance broker has stopped trying to sell him additional coverage and now just asks for advice on his own small business security. Jim considers this a win.