Cyber insurance is not a contractual requirement for GP practices and is not included within NHS provision of GP IT services.
Practices are not expected to hold cyber insurance, and many do not.
It is helpful to distinguish between different types of risk:
- NHS-managed infrastructure
  Core GP IT systems and networks are centrally managed. In the event of a significant cyber incident, NHS England and the ICB will coordinate the technical response.
- Practice-level risk
  Practices remain responsible for the operational and financial impact on their own business. This may include:
  - disruption to services and income
  - administrative costs of managing an incident
  - communication with patients
  - potential legal costs in relation to data breaches
The NHS does not cover practices for business interruption or associated losses.
Policies vary, but may include:
- business interruption or loss of income
- costs of managing a data breach (e.g. notification, communications)
- legal expenses relating to data protection issues
- access to specialist advice and support during an incident
Practices should check carefully whether similar cover already exists within existing business interruption or legal expenses policies.
It is important to be clear about the limitations:
- It may have limited relevance to incidents affecting centrally managed NHS systems
- It does not prevent cyber incidents
- It will not restore NHS systems or infrastructure
- It cannot cover regulatory fines such as those issued by the Information Commissioner’s Office
This is a matter of risk appetite rather than requirement.
Practices may wish to consider it where:
- there is limited financial resilience to absorb disruption
- previous incidents have had a significant operational impact
- there is no existing cover for business interruption or legal expenses
It may be less relevant where:
- the primary concern is regulatory fines
- the expectation is that it will cover NHS system failures
- similar risks are already covered elsewhere
NHS-provided IT equipment (such as laptops and core infrastructure) is not generally expected to be insured by practices.
Replacement and support arrangements are typically managed through NHS IT services. However, in some cases practices may be recharged for repair or replacement, particularly where damage is considered avoidable (for example, dropped devices or cracked screens).
Practices should therefore:
- understand local processes for reporting loss or damage
- ensure appropriate handling and storage of devices
- reinforce basic expectations with staff, particularly for portable equipment
While it may be tempting to seek recovery of costs from individual staff members, this is often difficult in practice and can create wider employment issues. A clearer and more effective approach is to focus on prevention, consistent expectations, and proportionate internal policies.