Cyber insurance
Cyber insurance premiums are an allowable business cost. Cyber cover protects the business against the financial consequences of data breaches, ransomware, cyber attacks, and related digital threats. GOV.UK's self-employed expenses guidance states that 'you can claim for any insurance policy for your business.'
Conditions
- Cyber insurance premiums are allowable under the wholly-and-exclusively test. GOV.UK's self-employed expenses guidance (updated November 2024) states: 'you can claim for any insurance policy for your business.' A cyber policy protecting the business against the costs of a data breach, ransomware attack, business interruption, or third-party liability arising from a cyber incident is taken out wholly for business purposes.
- Cyber insurance typically covers two broad areas. First-party cover reimburses the business directly for costs arising from a cyber incident — for example forensic investigation, data recovery, business interruption losses, and any cyber extortion payments made under duress. Third-party (liability) cover meets claims from customers, suppliers, or other parties who suffer loss because of a breach originating from the insured business.
- GDPR fines and civil penalties imposed by the Information Commissioner's Office (ICO) are not allowable tax deductions — they are penalties for breaking the law. Most cyber insurance policies explicitly exclude regulatory fines from cover in any case. If a policy did include regulatory penalties, the premium attributable to that element of cover would not be allowable as a business expense.
- For a limited company, cyber insurance premiums are an allowable corporation tax deduction provided the cover is for the company.
- Employees cannot claim cyber insurance premiums as a personal tax deduction — this is the employer's cost.
Common mistakes
- Assuming a standard combined business insurance policy already includes meaningful cyber cover — many policies exclude cyber events entirely or provide only minimal coverage. Check the policy wording specifically and consider a standalone cyber policy if data risk is significant.
- Overlooking the third-party liability angle — if a breach exposes customer data, the business may face claims from those customers even if its own direct costs are manageable.
- Treating insurance proceeds for a business interruption loss as non-taxable — insurance receipts that replace taxable trading income are themselves taxable receipts, in the same way the lost income would have been.
What to keep
- Policy schedule showing the insured, cover limits (first-party and third-party), period of cover, and premium.
- Premium invoices or payment records.
Real-world example
A limited company provides cloud-based software to business clients and holds customer data on its servers. It takes out cyber insurance with £1 million third-party liability cover and first-party cover for breach response costs and business interruption, at a combined premium of £1,800 per year. The premium is allowable in full as a business insurance cost.
Source: HMRC guidance · Last checked 2026-06-18