Agencies, Blog, Contractors, Cyber - May 12, 2026
Do Not Let a Contract Template Kill Your Profit Margin

Let us set the scene. You’ve won a great new deal after rounds of back and forth, pitching and relationship building, and the champagne is on ice. Then the legal team drops a 50-page contract on your desk. Deep in the “Insurance” section, there it is: a demand for £5m, or even £10m of Cyber Insurance.

Your instinct might be to sign and sort it later, because you want the work, and you definitely want the fees. But before you sign on the dotted line, we need to talk… 

Blindly agreeing to high cyber limits is a bit like buying a commercial fire engine to protect a garden shed – it’s overkill, and it’s going to cost you.

Here’s why you should push back before you sign on the dotted line.

 

Language matters

 

Cyber insurance requirements under contract aren’t new, but they’re evolving quickly. Engaging your broker to review them is crucial because, depending on the specifics required, the cover your client is asking for may already be provided by your Professional Indemnity (PI) policy.

We are seeing more tailored requests for coverage under contract, explicitly requiring cyber policies to be purchased at certain limits to meet those contractual obligations. 

These range from the vague requirement for some form of cyber insurance, through to specifically requiring insurance for unauthorised access, network liability, privacy breaches, denial of service attacks and liability for the end client’s business interruption.

Remember, not every cyber policy is the same, so the small print needs care and attention before signing.

 

Higher limits are expensive

 

For most SMEs, cyber insurance is reasonably priced at lower limits, depending on the data you hold and its volume.

As the limits increase, generally past the £2m point, the premium can increase significantly and the terms applied become more onerous. Insurers may require more from your agency in respect of cyber security and risk management. 

 

Tail period

 

It’s common for these contract clauses to contain provisions that require you to keep insurance in place for a period after you finish the contract, often up to 6 years.

This is relatively standard for claims-made policies like PI, but we would still suggest pushing back to reduce this as much as possible. Whilst you should keep coverage in place, it’s better to not have the contractual obligation.

Now bear in mind, if you have to pay to increase your limit and continue with that limit for years after the work is done, you could be paying premium prices years later for a project you just finished. That’s a long-term financial commitment for a short-term gain.

We’ve seen clients agree to onerous insurance obligations under a Master Service Agreement (MSA), only to find they get little work, cease the relationship, but are still contractually obliged to buy the higher level insurance for six years post-termination. 

 

Unreasonable requests

 

We see this too often. A client contract might ask the agency to hold £10m in cover, even when the deliverables do not require exposure to sensitive data. For example, if you’re providing strategic consultancy advice via email, your exposure to that client is worlds apart from a company hosting their entire customer database or involved in data migration.

Often, these numbers are pulled out of thin air by a legal department using a generic template or from a dive into ChatGPT. The customer hasn’t assessed your risk, or even their own exposure – they’ve just picked a number from their standard terms.

 

What should you do?

 

Never be afraid to challenge the requirement. As well as protecting your agency, it also shows you’re professional and thorough in your due diligence.

 

How RiskBox can help

 

We get it, terms and conditions aren’t all that interesting, especially after landing a great new client. But not reading them can have serious drawbacks and cost the business money. 

If you need support understanding the T&Cs in your contracts, don’t hesitate to speak to our specialists for honest advice and support. Reach us on 0161 533 0411, or fill in our contact form and we’ll get back to you.

 

Photo by Annika Wischnewsky on Unsplash

 

 
