What insurers actually look for when assessing SME cyber security.
Cyber insurance has changed dramatically in recent years. Premiums have increased, coverage has become more restrictive, and insurers are asking far more detailed questions about the security controls you have in place. A decade ago, a cyber policy was a simple add-on to your business insurance. Today, it is a standalone product with its own underwriting process, technical questionnaires, and a growing list of prerequisites.
Understanding what insurers look for helps you in two ways. First, it positions your business for better coverage terms and lower premiums. Second, and more importantly, the controls insurers require are precisely the controls that will protect your organisation from the most common attack vectors. Meeting insurance requirements and building a strong security posture are not separate goals. They are the same goal.
This guide explains the requirements most UK insurers now expect, why those requirements have tightened so significantly, and how to approach the application process with confidence.

Why requirements have tightened
Cyber claims have increased significantly, driven largely by ransomware. Insurers have paid out substantial sums across the market and have responded with a fundamental shift in how they assess and price risk. The days of ticking a box and receiving coverage are over.
Increasing premiums
Rates have risen substantially across the market, particularly for businesses without demonstrable security controls. Some sectors have seen double-digit percentage increases year on year, with no signs of reversal.
Adding exclusions
Policies now commonly exclude certain attack types or scenarios, particularly if basic security controls were not in place at the time of the incident. War exclusions, nation-state exclusions, and failure-to-patch clauses are increasingly standard.
Requiring specific controls
Many insurers now mandate particular security measures as a condition of coverage, not merely as factors influencing premium. Fail to meet them and the insurer can decline the claim or void the policy, regardless of what you paid.
Declining coverage outright
Some businesses are being turned away entirely if their security posture does not meet minimum standards. Insurers would rather refuse a customer than take on the risk of an under-protected organisation.
[Statistic callouts; the headline figures were not captured: the share of UK businesses that have experienced a cyber attack or breach in the last 12 months; the average increase in cyber insurance premiums across the SME market since 2023; and the patching window most insurers now require for critical vulnerabilities (14 days, as stated under Patch management below).]
Common security requirements
While requirements vary between insurers, these controls are now commonly required or heavily influence both pricing and the decision to offer coverage at all. Think of them as the baseline your organisation needs to meet before an insurer will seriously engage.
Multi-factor authentication (MFA)
Almost universally required for email, VPN, and remote access. Many insurers now require MFA for all user accounts, not just administrators. This is frequently a hard prerequisite: no MFA, no coverage. Some policies go further, specifying that SMS-based MFA is insufficient and requiring app-based or hardware token authentication. Where you have the choice, prefer phishing-resistant methods (FIDO2 security keys or passkeys): a one-time code from an authenticator app can still be captured and replayed by a real-time phishing proxy, whereas a FIDO2 credential is bound to the legitimate site and cannot be relayed.
Endpoint detection and response (EDR)
Basic antivirus is no longer sufficient. Insurers want to see advanced endpoint protection that can detect, investigate, and respond to threats in real time, not simply block known malware signatures. Centralised management and reporting are expected, along with evidence that alerts are actually being monitored and acted upon.
Backup and recovery capabilities
Verified backups that are isolated from the main network, whether immutable, air-gapped, or both. Insurers know that recovery from ransomware depends entirely on having backups that attackers cannot encrypt or delete. The test that matters is whether an attacker holding your domain administrator credentials could reach and delete them: a backup on a file share, or in a cloud tenant protected by the same credentials as production, does not count as isolated. Insurers will ask about your backup frequency, your retention period, and when you last tested a restore.
Email security
Insurers expect email filtering well beyond basic spam protection. Anti-phishing controls, link scanning, attachment sandboxing, and correctly configured SPF, DKIM, and DMARC records are increasingly expected. Note that DMARC only protects your domain from being spoofed when the policy is enforcing (p=quarantine or p=reject); a p=none record merely reports failures and lets spoofed mail through. Email remains one of the most common initial access vectors, and insurers know it.
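To turn the email-authentication point above into something you can check before an underwriter does, the following added example (not code from the original page) parses SPF and DMARC TXT records and reports whether they would actually fail or reject unauthorised senders. The records and domain names below are constructed samples, and the verdict labels and thresholds are this example's own assumptions rather than any insurer's published criteria. DKIM is not assessed because its records live under per-selector names that cannot be enumerated from the domain alone.

```python
"""Assess SPF and DMARC TXT records for enforcement strength.

Added example for this guide, not code from the original page. Sample records
and domains are constructed; verdict wording and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class SpfResult:
    present: bool
    all_qualifier: Optional[str]  # '-' hardfail, '~' softfail, '?' neutral, '+' pass
    lookups: int
    verdict: str


@dataclass
class DmarcResult:
    present: bool
    policy: Optional[str]
    pct: int
    has_rua: bool
    verdict: str


def assess_spf(record: Optional[str]) -> SpfResult:
    """Classify an SPF record by its 'all' qualifier and lookup count."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return SpfResult(False, None, 0, "missing: no SPF record published")
    qualifier = None
    lookups = 0
    for term in record.split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"
        else:
            name = t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0]
            if name in LOOKUP_MECHANISMS:
                lookups += 1
    if lookups > 10:
        return SpfResult(True, qualifier, lookups,
                         "broken: more than 10 lookup mechanisms (receivers return permerror)")
    if qualifier in (None, "+", "?"):
        return SpfResult(True, qualifier, lookups,
                         "weak: record does not fail unauthorised senders")
    if qualifier == "~":
        return SpfResult(True, qualifier, lookups,
                         "adequate: softfail (~all); relies on DMARC for enforcement")
    return SpfResult(True, qualifier, lookups, "strong: hardfail (-all)")


def assess_dmarc(record: Optional[str]) -> DmarcResult:
    """Classify a DMARC record by policy, percentage and reporting address."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return DmarcResult(False, None, 0, False, "missing: no DMARC record published")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower() or None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    has_rua = "rua" in tags
    if policy == "none":
        return DmarcResult(True, policy, pct, has_rua,
                           "weak: p=none is monitoring only; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and pct < 100:
        return DmarcResult(True, policy, pct, has_rua,
                           f"partial: p={policy} applied to only {pct}% of mail")
    if policy == "quarantine":
        return DmarcResult(True, policy, pct, has_rua, "adequate: p=quarantine")
    if policy == "reject":
        note = "" if has_rua else " (no rua= address, so failures are never reported to you)"
        return DmarcResult(True, policy, pct, has_rua, "strong: p=reject" + note)
    return DmarcResult(True, policy, pct, has_rua, "invalid: p tag missing or unrecognised")


# Constructed sample records; real ones come from `dig TXT example.com` and
# `dig TXT _dmarc.example.com`.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "nodmarc.example": {"spf": "v=spf1 mx -all", "dmarc": None},
}


def assess_domain(name: str):
    """Return (SpfResult, DmarcResult) for one of the constructed sample domains."""
    recs = SAMPLE_RECORDS[name]
    return assess_spf(recs["spf"]), assess_dmarc(recs["dmarc"])


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        spf, dmarc = assess_domain(domain)
        print(f"{domain}: SPF {spf.verdict}; DMARC {dmarc.verdict}")
```

Feed the script the TXT records you pull from DNS rather than the samples, and keep the output alongside the DNS zone export as evidence for the questionnaire; a p=none DMARC record is the most common finding on otherwise well-run SME domains.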
Patch management
Evidence that critical vulnerabilities are patched promptly, typically within 14 days of the vendor releasing the fix (the same window Cyber Essentials requires for updates that address high or critical vulnerabilities). Running unsupported operating systems or unpatched software is a red flag that will either inflate your premium or disqualify you from coverage entirely. Insurers may ask for your patching policy and evidence of compliance, so measure the window from the release date rather than from when your team noticed the update.
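The evidence insurers ask for under the patch management requirement is usually a measurement of how long critical fixes took to land, per host, against the 14-day window. The following added example (not code from the original page) computes that from a patch log export. The CSV rows, host names and update identifiers are constructed for the example, and the rule that the window runs from the vendor release date to the install date, with outstanding updates counted against the report date, is this example's assumption.

```python
"""Measure critical-patch latency against a 14-day window from a patch log.

Added example for this guide, not code from the original page. The log is a
constructed sample; a real export would come from your RMM, WSUS or Intune.
"""
import csv
from datetime import date
from io import StringIO
from typing import Union

WINDOW_DAYS = 14  # the window this guide cites for critical vulnerabilities

# Constructed CSV, one row per (host, update). 'released' is the vendor's fix
# release date; 'installed' is blank when the update is still outstanding.
PATCH_LOG = """host,update,severity,released,installed
fs01,KB5034441,critical,2024-01-09,2024-01-15
fs01,KB5034765,critical,2024-02-13,2024-03-05
ws-finance-02,KB5034441,critical,2024-01-09,
ws-finance-02,KB5034123,important,2024-01-09,2024-01-10
web01,CVE-2024-0001-fix,critical,2024-02-01,2024-02-14
"""


def _to_date(value: Union[str, date]) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def patch_latency(log_text: str, as_of: Union[str, date]) -> list:
    """One dict per critical row: days taken (or days outstanding) and a compliant flag.

    Outstanding updates are measured up to `as_of`, so an unpatched host shows
    a growing number rather than disappearing from the report.
    """
    as_of = _to_date(as_of)
    rows = []
    for r in csv.DictReader(StringIO(log_text)):
        if r["severity"].strip().lower() != "critical":
            continue
        released = date.fromisoformat(r["released"])
        installed = date.fromisoformat(r["installed"]) if r["installed"] else None
        days = ((installed or as_of) - released).days
        rows.append({
            "host": r["host"],
            "update": r["update"],
            "days": days,
            "installed": installed is not None,
            "compliant": installed is not None and days <= WINDOW_DAYS,
        })
    return rows


def compliance_summary(log_text: str, as_of: Union[str, date]) -> dict:
    """Aggregate the per-row results into the figures an underwriter asks for."""
    rows = patch_latency(log_text, as_of)
    total = len(rows)
    within = sum(1 for r in rows if r["compliant"])
    return {
        "critical_total": total,
        "within_window": within,
        "pct": round(100.0 * within / total, 1) if total else 100.0,
        "overdue": [r for r in rows if not r["compliant"]],
    }


if __name__ == "__main__":
    summary = compliance_summary(PATCH_LOG, "2024-03-10")
    print(f"{summary['within_window']}/{summary['critical_total']} critical updates "
          f"within {WINDOW_DAYS} days ({summary['pct']}%)")
    for r in summary["overdue"]:
        state = "installed after" if r["installed"] else "still outstanding,"
        print(f"  {r['host']} {r['update']}: {state} {r['days']} days")
```

Run against the sample as of 2024-03-10 it reports two of four critical updates within the window, with one host still missing a January update; that second case is the kind of finding that turns a questionnaire answer of "we patch within 14 days" into a misrepresentation if it is not caught first.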
Security awareness training
Regular training for all employees covering phishing, social engineering, and security best practices. Human error is a contributing factor in the majority of breaches, and insurers expect organisations to address it. Annual training alone is rarely enough; quarterly sessions with simulated phishing are becoming the baseline expectation.
“Cyber insurance is not a substitute for security. It is a financial backstop for the risks that remain after you have done everything reasonable to protect your organisation. Insurers know the difference, and they price accordingly.”


Tips for insurance applications
The application process itself matters. How you present your security posture can be the difference between competitive terms and an inflated premium, or between approval and rejection. These five principles will serve you well.
Be accurate and honest
Answer every application question truthfully. Misrepresentation can void your policy at the worst possible moment: when you are making a claim. If you are uncertain about a control, say so. Insurers respect honesty far more than optimistic guesswork, and a voided policy is worse than a higher premium.
Document your controls thoroughly
Keep evidence of your security measures: written policies, configuration screenshots, training attendance records, patch logs, and incident response plans. You may need to demonstrate compliance during underwriting, at renewal, or after a claim. If you cannot prove it, assume the insurer will treat it as if it does not exist.
Consider Cyber Essentials certification
Cyber Essentials certification provides independent validation of your baseline controls. Some insurers offer premium discounts for certified organisations, and the certification process itself helps you identify and close gaps. It is a relatively small investment that pays for itself through improved insurability.
Work with a specialist broker
Cyber insurance is a complex and rapidly evolving market. A broker who specialises in cyber risk can help you find appropriate coverage, present your security posture effectively, and negotiate better terms. Generic business insurance brokers often lack the technical understanding needed to advocate for your position.
Review coverage carefully before signing
Understand precisely what is covered and what is excluded. Pay close attention to sub-limits on specific incident types, waiting periods before coverage activates, retroactive date restrictions, and conditions that could affect claims. A policy that looks comprehensive on the summary page may have significant gaps in the detail.
Insurance is not a substitute for security
Cyber insurance is valuable, but it has clear limitations. A policy can help with financial recovery: legal costs, notification expenses, forensic investigation, and business interruption. What it cannot do is undo reputational damage, recover data that was never backed up, restore client trust, or prevent the operational disruption of a serious incident.
The most effective approach is to implement strong security controls first. This protects your organisation from the majority of attacks and, as a direct consequence, makes you more attractive to insurers. Better controls mean better coverage at lower cost. Insurance then serves its proper role: a backstop for the residual risk that remains after you have done the work.
Organisations that treat insurance as a replacement for investment in security tend to find themselves in the worst possible position. Their premiums are high, their coverage is riddled with exclusions, and when an incident occurs they discover that the policy does not cover the scenario they are facing. Prevention is always cheaper than recovery.
Need help meeting insurance requirements?
We help UK businesses implement the security controls that insurers expect. From MFA and endpoint protection to backup verification and employee training, we can close the gaps that are costing you coverage or inflating your premiums.
Book a call to discuss your current position. We will review your security posture against common insurer requirements and give you a clear, prioritised action plan.