What insurers actually require, why claims get denied, and how to secure better coverage.
The cyber insurance market has hardened dramatically since 2020. Premiums have risen, coverage has narrowed, and the application process has transformed from a simple questionnaire into something closer to a security audit. Insurers who once asked a handful of generic questions now demand detailed evidence of specific technical controls. Organisations that cannot demonstrate a mature security posture are finding themselves either uninsurable or facing premiums that make coverage economically unviable.
This shift was driven by claims experience. The ransomware epidemic of 2020 and 2021 generated catastrophic losses across the insurance market. Underwriters who had been writing cyber policies with minimal scrutiny discovered that many of their policyholders lacked even basic security controls. Claims payouts exceeded premiums collected by significant margins. The market corrected, and it corrected aggressively.
For businesses seeking coverage today, the relationship between security posture and insurability has never been clearer. The controls that make you a better insurance risk are the same controls that make you harder to breach. This guide explains what insurers are looking for, how to position your organisation for the best available terms, and what to watch out for in the fine print.

A market transformed by losses
Understanding why the market changed is essential to navigating it successfully. The cyber insurance industry has undergone a fundamental reassessment of risk, and the consequences affect every organisation seeking coverage.
The soft market era
Cyber insurance was a growth market with minimal underwriting discipline. Insurers were competing for market share and asking few questions. Application forms were short. Technical controls were rarely verified. Pricing was based on revenue and industry sector rather than actual security posture. Many organisations obtained generous coverage with little scrutiny of their defences.
The hard market correction
Ransomware losses forced a reckoning. Loss ratios exceeded 70% for many insurers, meaning they were paying out more in claims than they collected in premiums. The response was swift: premiums increased by 50 to 100 percent in many sectors, coverage limits were reduced, sublimits were introduced for ransomware, and application questionnaires expanded from a single page to twenty or more. Insurers began requiring specific controls as preconditions for coverage, not just factors in pricing.
What insurers require
The application questionnaire has become the gatekeeper. These are the controls that underwriters assess most rigorously. Missing any one of them can result in declined coverage, significantly higher premiums, or restrictive policy exclusions. Each control reflects a lesson learned from claims data, and insurers treat them as non-negotiable baseline requirements.
Multi-factor authentication on all access
This is the single most important control in every insurer’s questionnaire. MFA must be enforced on all remote access, all email accounts, all cloud platforms, and all administrative interfaces. Not ‘available’ or ‘encouraged’, but enforced. Insurers have learned the hard way that stolen credentials are behind the majority of successful breaches. If you cannot demonstrate that MFA is mandatory across your entire environment, most underwriters will decline to quote. Some will still offer cover, but at premiums that reflect the elevated risk. This is not a negotiable control. It is table stakes.
Endpoint detection and response
Traditional antivirus is no longer sufficient in the eyes of most underwriters. EDR provides continuous monitoring, behavioural analysis, and automated response capabilities that go well beyond signature-based detection. Insurers want to see a managed EDR platform deployed across every endpoint, with centralised reporting and 24/7 monitoring. The reason is straightforward: EDR dramatically reduces dwell time. An attacker who triggers an EDR alert is detected in minutes rather than months. For insurers, that means smaller claims, faster containment, and lower remediation costs. If you are still relying on Windows Defender alone, expect to face difficult questions during the application process.
Tested, immutable backups
Having backups is not enough. Insurers want evidence that your backups are offline or immutable, meaning an attacker who compromises your production environment cannot also encrypt or delete your backup data. They also want evidence that you have tested recovery. A backup that has never been restored is a hope, not a control. The distinction matters because ransomware operators now specifically target backup infrastructure before deploying their payload. If your backups are stored on the same network as your production data, connected to the same domain, and protected by the same credentials, they will be destroyed alongside everything else. Insurers know this. They will ask about it.
Disciplined patch management
Critical and high-severity vulnerabilities must be patched within 14 days. That is the benchmark most insurers use, and it aligns with the Cyber Essentials requirement. But insurers go further: they want to see a documented process, not just good intentions. Who is responsible for identifying patches? How are they tested? How are they deployed? What happens when a patch breaks something? The organisations that struggle here are those with legacy applications that cannot tolerate updates, or those without a centralised management platform. If you are patching manually, device by device, you will miss things. Insurers know this because they see the claims that result from it.
Security awareness training
Every member of staff with access to company systems needs regular, documented security awareness training. Insurers are looking for more than an annual compliance video. They want to see ongoing engagement: simulated phishing exercises, role-specific training for high-risk staff like finance teams, and measurable improvements over time. The reason is simple. Human error remains the most common initial attack vector. A well-trained workforce is genuinely harder to compromise. Insurers have enough claims data to know that organisations with active training programmes file fewer claims, and the claims they do file tend to be smaller.
Documented incident response plan
If a breach occurs, what happens in the first hour? The first day? The first week? Insurers want to see a written, tested incident response plan that defines roles, responsibilities, communication protocols, and escalation procedures. This is not about having a perfect plan. It is about having any plan at all, and having practised it. Tabletop exercises, where your team walks through a simulated incident scenario, are the gold standard. Organisations without a response plan tend to make poor decisions under pressure: paying ransoms unnecessarily, failing to preserve forensic evidence, delaying notifications that trigger regulatory penalties. All of these increase the cost of a claim.
“The application questionnaire is not a formality. It is a warranty. Every answer you give becomes a condition of your policy. If your security posture does not match your application, your claim will be disputed.”


Why claims get denied
Purchasing a cyber insurance policy is only half the equation. The policy is only valuable if it pays out when you need it. And increasingly, insurers are finding grounds to dispute or deny claims. Understanding why this happens is critical to ensuring your coverage actually protects you.
The most common reason for claim denial is a material misrepresentation on the application. If you stated that MFA was enforced across all accounts, but the forensic investigation reveals that the compromised account had MFA disabled, the insurer has grounds to void the policy entirely. This is not a theoretical risk. Major insurers have successfully denied claims on exactly this basis, and case law is increasingly favouring the underwriter’s position.
Late notification is another frequent issue. Most policies require you to notify the insurer within 24 to 72 hours of discovering a potential incident. Organisations that try to manage the situation internally before involving their insurer often find that the delay has prejudiced their coverage. The insurer’s incident response panel exists for a reason: they have pre-negotiated rates with forensic investigators, legal counsel, and crisis communications firms. Using your own providers without prior approval can result in costs that the insurer refuses to reimburse.
Policy exclusions catch many organisations off guard. War exclusions, waiting periods, sub-limits for specific attack types, and conditions around maintaining security standards can all reduce or eliminate coverage when you need it most. The time to understand your policy is before you need to use it, not during the chaos of an active incident.
How to secure better terms
The relationship between security investment and insurance cost is direct. Organisations that can demonstrate mature, well-documented security controls consistently achieve lower premiums, broader coverage, and fewer exclusions. The following strategies will help you position your organisation for the best available terms in the current market.
Achieve Cyber Essentials certification
Cyber Essentials is the single most effective way to demonstrate baseline security maturity to UK insurers. Some underwriters offer explicit premium discounts for certified organisations. Cyber Essentials Plus, which includes an independent technical audit, carries even more weight. Beyond the direct premium benefit, Cyber Essentials certification includes free cyber liability insurance cover for qualifying organisations, which can serve as a useful supplement to your primary policy. The certification process itself forces you to address the controls insurers care about most, making it an efficient way to improve both your security posture and your insurability simultaneously.
Document everything you do
Insurers are not interested in verbal assurances. They want evidence. When you complete the application questionnaire, every answer should be backed by documentation you can produce on request. Configuration screenshots, policy documents, training records, patching logs, backup test reports. The organisations that secure the best terms are those that can demonstrate their controls clearly and quickly. Think of the application process as a due diligence exercise. The insurer is assessing whether you are a good risk. The more evidence you provide, the more confidence they have, and confidence translates directly into better premiums and broader coverage.
Use a specialist cyber insurance broker
The cyber insurance market is highly specialised, and general business insurance brokers often lack the expertise to navigate it effectively. A specialist broker understands which insurers are writing in your sector, what controls they prioritise, and how to present your risk profile in the most favourable light. They can also help you understand what you are actually buying. Cyber insurance policies vary enormously in scope, limits, sub-limits, and exclusions. A specialist broker will ensure you get coverage that matches your actual risk, rather than a generic policy that looks adequate until you need to make a claim.
Shop the market every year
Loyalty is not rewarded in the cyber insurance market. Renewal quotes from existing insurers are frequently higher than competitive quotes from new entrants. The market is evolving rapidly, with new capacity entering regularly and insurers adjusting their appetites based on claims experience. Review your coverage annually, even if you are satisfied with your current insurer. Your security posture may have improved since your last application, which could qualify you for better terms elsewhere. A specialist broker can run a market exercise on your behalf, comparing quotes from multiple underwriters to ensure you are getting the best available deal.
“Cyber insurance is not a substitute for security. It is a complement to it. The organisations that get the best coverage are the ones that need it least, because they have invested in the controls that prevent claims in the first place.”
Common exclusions to understand
Every cyber insurance policy contains exclusions that limit or eliminate coverage in specific scenarios. These exclusions are where claims disputes most frequently arise, and where organisations are most often caught unaware. Understanding them before you buy is essential.
War and nation-state exclusions
This is the most contentious area in modern cyber insurance. Following the NotPetya attack in 2017, which caused billions in damages and was attributed to a nation-state actor, insurers began introducing specific exclusions for cyber attacks carried out by or on behalf of nation-states. The challenge is attribution. Determining whether an attack was conducted by a nation-state, a criminal group, or a criminal group with loose state affiliations is rarely straightforward, and it is almost never clear at the time the claim is filed. Lloyd’s of London issued a market bulletin in 2022 requiring all cyber policies to include clear state-backed attack exclusions, and this has reshaped the entire market. Read your policy carefully and understand exactly what is excluded.
Failure to maintain security standards
Most cyber insurance policies include a condition that you maintain the security controls you declared during the application process. If you stated that MFA was enforced on all accounts but your forensic investigation reveals that the breached account did not have MFA enabled, the insurer may deny the claim. This is not hypothetical. It happens regularly. The application questionnaire is a warranty, not a wish list. If your security posture deteriorates after policy inception, you are obligated to notify your insurer. Failing to do so can void your coverage entirely. This is why maintaining your controls is not just good security practice; it is a contractual obligation.
Known, unpatched vulnerabilities
If a breach occurs through a vulnerability that had a published patch available for more than 30 days, many insurers will argue that you failed to exercise reasonable care. Some policies contain explicit exclusions for this scenario. Others rely on general policy conditions about maintaining minimum security standards. Either way, the result is the same: a disputed claim and a difficult conversation with your underwriter. The Log4Shell vulnerability in late 2021 was a watershed moment. Organisations that were breached months after the patch was available faced intense scrutiny from their insurers. The lesson is clear: patching is not optional, and delays have consequences that extend beyond the technical.
Social engineering and voluntary payments
Business email compromise and invoice fraud are among the most common cyber claims, yet many policies either exclude social engineering losses entirely or cap them at a fraction of the overall policy limit. The logic from the insurer’s perspective is that the victim authorised the payment, even if they were deceived into doing so. This is a fundamentally different risk from a technical breach. If social engineering cover is important to your business, and for most organisations it should be, you need to check that your policy covers it explicitly and with adequate limits. Do not assume it is included. Some policies require you to have specific verification procedures in place before social engineering cover applies.
Regulatory fines and penalties
Whether cyber insurance covers regulatory fines depends on your jurisdiction and the specific policy wording. In the UK, GDPR fines from the ICO are potentially insurable, though this remains a grey area legally. Some policies explicitly include regulatory defence costs and fines where legally permissible. Others exclude them entirely. The distinction between first-party fines, those levied directly on you, and third-party fines matters. Most policies will cover defence costs associated with a regulatory investigation, but coverage for the fines themselves is inconsistent. If regulatory exposure is a significant concern for your business, ensure your policy addresses it clearly.
The direct link between security and premiums
Cyber insurance pricing has matured significantly. In the early days of the market, premiums were largely determined by company revenue and industry sector. Today, underwriters use sophisticated models that weigh your actual security controls heavily. The difference in premium between a well-secured organisation and a poorly secured one in the same sector can be 300 percent or more.
Some insurers now offer scanning services that assess your external attack surface as part of the underwriting process. They will check your publicly facing infrastructure for known vulnerabilities, misconfigurations, and exposed services before quoting. A poor scan result can mean a declined application or a significantly loaded premium. This means your external security posture is not just a technical concern; it is a financial one.
The economics are straightforward. Every pound you invest in security controls reduces your insurance cost and reduces the probability that you will need to make a claim. Organisations that view security and insurance as complementary investments, rather than alternatives, consistently achieve the best outcomes on both fronts.
The numbers behind the market
The data tells a clear story. Cyber risk is growing, insurer scrutiny is increasing, and organisations that invest in security are rewarded with better coverage and lower costs.
Key figures (the numeric values did not survive extraction): the share of cyber insurance claims that involve compromised credentials as the initial attack vector; the average premium increase for organisations renewing without security improvements; the average cost of a UK cyber breach in 2025, which drives insurer scrutiny of applicants.
Becoming insurable: a practical roadmap
If your organisation is struggling to obtain cyber insurance, or if you are paying more than you should, the path forward is systematic. These steps will improve both your security posture and your attractiveness to underwriters.
Audit your current controls
Start by mapping your existing security controls against the insurer requirements outlined above. Be honest about where you stand. If MFA is enforced on 90 percent of accounts, that means 10 percent are unprotected. Insurers will not accept partial implementation. Document every gap, no matter how small, and prioritise remediation based on insurer expectations.
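The audit step above, and the 14-day patching benchmark from the patch management section, both come down to measurable questions: which accounts lack enforced MFA, which critical or high findings were fixed outside the SLA, and which fixes have been available for more than 30 days without being applied (the scenario the "known, unpatched vulnerabilities" exclusion turns on). The following is an added example, not code from the original article or from any insurer's tooling, that computes a gap report from a small inventory. The account list, host names, finding identifiers (VULN-000x, deliberately not real CVE numbers) and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Every record below is constructed for this example; none describes a real environment.

@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa_enforced: bool  # enforced by policy, not merely "available" to the user

@dataclass(frozen=True)
class PatchRecord:
    finding_id: str               # placeholder identifier, not a real CVE
    host: str
    severity: str                 # "critical", "high", "medium" or "low"
    patch_published: date         # date the vendor made a fix available
    patch_applied: Optional[date] # None means the fix is still not applied

PATCH_SLA_DAYS = 14            # benchmark for critical/high findings (insurers, Cyber Essentials)
EXCLUSION_THRESHOLD_DAYS = 30  # "fix available for more than 30 days" threshold from the exclusions section
AS_OF = date(2025, 6, 30)      # date the audit is run (constructed)

ACCOUNTS = [
    Account("alice", privileged=True, mfa_enforced=True),
    Account("bob", privileged=False, mfa_enforced=True),
    Account("carol", privileged=False, mfa_enforced=True),
    Account("dave", privileged=False, mfa_enforced=True),
    Account("erin", privileged=False, mfa_enforced=True),
    Account("frank", privileged=False, mfa_enforced=True),
    Account("grace", privileged=False, mfa_enforced=True),
    Account("heidi", privileged=False, mfa_enforced=True),
    Account("ivan", privileged=False, mfa_enforced=True),
    Account("svc-backup", privileged=True, mfa_enforced=False),  # the 10 percent gap
]

PATCHES = [
    PatchRecord("VULN-0001", "web-01", "critical", date(2025, 5, 1), date(2025, 5, 10)),  # 9 days: within SLA
    PatchRecord("VULN-0002", "mail-01", "high", date(2025, 5, 20), date(2025, 6, 12)),    # 23 days: SLA breach
    PatchRecord("VULN-0003", "legacy-erp", "critical", date(2025, 4, 15), None),          # 76 days open: breach + exclusion exposure
    PatchRecord("VULN-0004", "file-01", "medium", date(2025, 5, 25), None),               # 36 days open: not SLA-scoped, still an exposure
    PatchRecord("VULN-0005", "web-02", "high", date(2025, 6, 20), None),                  # 10 days open: neither
]

def mfa_gaps(accounts):
    """Accounts without enforced MFA, privileged ones listed first."""
    return sorted((a for a in accounts if not a.mfa_enforced),
                  key=lambda a: (not a.privileged, a.name))

def mfa_coverage_pct(accounts):
    """Share of accounts with MFA enforced. Insurers treat anything under 100 as a fail."""
    if not accounts:
        return 0.0
    return 100.0 * sum(1 for a in accounts if a.mfa_enforced) / len(accounts)

def days_exposed(rec, as_of):
    """Days between fix availability and application (or until as_of if still unpatched)."""
    end = rec.patch_applied or as_of
    return (end - rec.patch_published).days

def sla_breaches(records, as_of, sla_days=PATCH_SLA_DAYS):
    """Critical/high findings fixed, or still open, after more than sla_days."""
    return [r for r in records
            if r.severity in ("critical", "high") and days_exposed(r, as_of) > sla_days]

def exclusion_exposures(records, as_of, threshold=EXCLUSION_THRESHOLD_DAYS):
    """Findings still unpatched although a fix has been available for more than threshold days."""
    return [r for r in records
            if r.patch_applied is None and days_exposed(r, as_of) > threshold]

def readiness_report(accounts, records, as_of):
    """Gap report in the shape an underwriter's questionnaire asks about."""
    gaps = mfa_gaps(accounts)
    breaches = sla_breaches(records, as_of)
    exposures = exclusion_exposures(records, as_of)
    return {
        "mfa_coverage_pct": round(mfa_coverage_pct(accounts), 1),
        "mfa_gaps": [a.name for a in gaps],
        "patch_sla_breaches": [r.finding_id for r in breaches],
        "exclusion_exposures": [r.finding_id for r in exposures],
        # Pass/fail, because partial implementation is not accepted on the application.
        "meets_baseline": not gaps and not breaches and not exposures,
    }

if __name__ == "__main__":
    for key, value in readiness_report(ACCOUNTS, PATCHES, AS_OF).items():
        print(f"{key}: {value}")
```

The report separates the two patching questions deliberately: VULN-0004 is a medium finding, so it never counts against the 14-day critical/high SLA, but it has been open with a fix available for 36 days and would be hard to defend if it turned out to be the entry point. Running this against a real account export and vulnerability scanner output, rather than the constructed lists here, gives the documented evidence the questionnaire answers need to be backed by.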
Close the MFA gap first
If you do only one thing, make it this. Enforce MFA on every account, every cloud service, every administrative interface. No exceptions. This single control has the greatest impact on both your insurability and your actual security. It is the first question every underwriter asks, and a negative answer can end the conversation before it begins.
Deploy and manage EDR
Replace traditional antivirus with a managed EDR platform. Ensure it is deployed on every endpoint and that alerts are monitored around the clock. If you do not have the internal capability to manage EDR effectively, engage a managed security services provider. Insurers will ask whether your EDR is monitored 24/7, and the honest answer needs to be yes.
Implement immutable backups
Ensure your backup infrastructure is isolated from your production environment. Use immutable storage where possible. Test your recovery process quarterly, and document the results. When an underwriter asks whether you can recover from a ransomware attack, you need to answer with specifics: recovery time objectives, tested restore procedures, and evidence of recent testing.
Document your incident response plan
Write a clear, practical incident response plan. Include contact details for your insurer, your broker, your legal counsel, and your technical responders. Define roles and responsibilities. Then test it. Run a tabletop exercise at least annually. The plan does not need to be perfect. It needs to exist, be practical, and be practised.
Engage a specialist broker
Before approaching the market, work with a broker who specialises in cyber insurance. They will review your security posture, advise on any remaining gaps that could affect your application, and present your risk to the underwriters most likely to offer competitive terms. A good broker will also help you understand the policy wording and negotiate coverage that matches your actual risk profile.
Need help becoming insurance-ready?
We help UK businesses implement the security controls that insurers require. That includes MFA enforcement, EDR deployment, backup architecture, incident response planning, and Cyber Essentials certification. We work with your broker to ensure your security posture is reflected accurately in your application.
If you are paying too much for cyber insurance, struggling to obtain coverage, or unsure whether your current policy would actually pay out, a readiness review will give you a clear picture of where you stand and what needs to change.