Cyber insurance readiness for UK businesses: what underwriters now expect
(and what UK businesses should do now with their IT)
Cyber insurance is no longer “fill in a questionnaire and get a policy.” In 2026, most UK underwriters are looking for proof that your security controls are real, enforced, and monitored, not just written down. That shift is happening for a simple reason: cyber incidents are common, disruptive, and expensive for small and mid-sized organisations, so insurers are tightening terms and asking more precise questions. (For context, the UK government’s 2025 Cyber Security Breaches Survey found 43% of UK businesses reported a breach or attack in the past 12 months.)
If your renewal is approaching, or you’re buying cyber cover for the first time, here’s what underwriters typically expect today, and how to get “insurance-ready” in a way that genuinely reduces risk for your business.
1) Evidence-based answers (not “yes, we do that”)
A clear pattern in recent cyber insurance guidance is the move from self-attestation to evidence-based underwriting. Insurers increasingly want screenshots, reports, and configuration proof for key controls (especially identity, endpoints, and backups).
Practical tip: Start building a simple “insurance evidence pack” that you can reuse each renewal:
- MFA and conditional access screenshots (email, remote access, admin accounts)
- Endpoint/security dashboard exports (coverage, policy, alerts)
- Patch compliance reporting (critical updates, time-to-deploy)
- Backup reports + restore test results
- Incident response plan + tabletop exercise notes
- Security awareness training completion reports
2) Identity is the first gate: MFA everywhere (especially Microsoft 365)
Expect detailed questions about:
- MFA on all email users (and ideally phishing-resistant methods for admins)
- MFA on remote access (VPN/RDP/remote tools)
- Separate admin accounts, least privilege, and strong password policy
This matters even more in the UK as Cyber Essentials is tightening MFA expectations. IASME has announced that for assessments created after 27 April 2026, if MFA is available for in-scope cloud services and you haven’t implemented it, that can trigger an automatic failure.
If you’re on Microsoft 365, your fastest win is to validate your current tenant settings and risky behaviours. Our Microsoft 365 Security Audit is designed to identify common gaps (unexpected forwarding rules, unusual sign-ins, risky admin settings) and produce a clear action list.
3) Endpoint security: “antivirus” isn’t enough anymore
Underwriters increasingly distinguish between basic AV and managed, monitored endpoint protection (often framed as EDR/EPDR). Industry guidance consistently highlights MFA + EDR + secured/tested backups as core controls.
What insurers often want to see:
- Every laptop/desktop covered (including remote staff)
- Central management and alerting
- Rapid isolation/containment capability
- Evidence of monitoring and response
If you want to align to these expectations, see our Antivirus & Endpoint Security and Cyber Security Monitoring services.
4) Patch management with measurable timelines
A common underwriting pain-point is vague patching. Insurers prefer clear standards, such as:
- Critical security updates deployed within defined timeframes
- High coverage across endpoints/servers
- Visibility into exceptions (and why)
Our System Updates & Patch Management service is built around identifying missing updates, testing, deployment, and reporting, which is exactly the kind of evidence underwriters like to see.
5) Backups: secured, separated, and tested (proof of restore)
Insurers are very focused on ransomware outcomes: do you have backups that can’t be easily encrypted or deleted, and can you actually restore? Marsh guidance calls out best practice: encrypted backups, logical separation/immutability, and a restoration testing schedule.
To strengthen your position:
- Use 3-2-1 style thinking (multiple copies, different media, one offline/immutable)
- Lock down backup admin accounts (MFA + least privilege)
- Run restore tests and keep the results
For implementation and documentation, see Data Backup & Disaster Recovery and Business Continuity.
6) Email controls: filtering + domain protection (DMARC)
Email is still the most common route to business disruption (phishing, malware, invoice fraud). Underwriters increasingly ask about:
- Advanced email filtering
- Impersonation protection
- Domain controls (SPF/DKIM/DMARC) to prevent spoofing
We typically recommend pairing Email Security with DMARC for Email for a practical, insurer-friendly uplift.
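As an added example (not code from the original page or the service it describes), here is a small Python check that grades a domain’s SPF and DMARC records against the spoofing controls listed above. It runs over constructed sample records for hypothetical domains rather than live DNS; a real check would fetch the TXT records for the domain and _dmarc.<domain>.

```python
# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "strong.example": ("v=spf1 include:spf.protection.outlook.com -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"),
    "weak.example":   ("v=spf1 include:spf.protection.outlook.com ~all",
                       "v=DMARC1; p=none; pct=50"),
    "missing.example": (None, None),
}

def parse_tags(record):
    """Turn 'k=v; k2=v2' into a lower-cased tag dict (DMARC record syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def assess_domain(spf_txt, dmarc_txt):
    """Return the list of gaps; an empty list means the domain is insurer-ready."""
    gaps = []
    # SPF: must exist and should end with a hard fail so spoofed mail is rejected.
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        gaps.append("SPF: no v=spf1 record published")
    else:
        final = spf_txt.split()[-1].lower()
        if final == "~all":
            gaps.append("SPF: softfail (~all); tighten to -all once sending sources are verified")
        elif final != "-all":
            gaps.append(f"SPF: ends with '{final}' instead of -all")
    # DMARC: must exist, enforce (quarantine/reject), cover 100% of mail and report somewhere.
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        gaps.append("DMARC: no _dmarc record published")
        return gaps
    tags = parse_tags(dmarc_txt)
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        gaps.append(f"DMARC: p={policy or 'missing'} is monitor-only; move to quarantine/reject")
    if tags.get("pct", "100") != "100":
        gaps.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        gaps.append("DMARC: no rua= aggregate reporting address, so there is no evidence trail")
    return gaps

def evidence_report(records=SAMPLE_RECORDS):
    """Map each domain to its gap list, ready to drop into an insurance evidence pack."""
    return {domain: assess_domain(spf, dmarc) for domain, (spf, dmarc) in records.items()}
```

Calling evidence_report() returns an empty gap list for strong.example and itemised gaps for the other two, which is the kind of before/after evidence an underwriter can read without touching your DNS.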
7) People and process: training + incident response readiness
Insurers don’t just insure your technology; they insure your ability to respond quickly. Expect questions about:
- Security awareness training frequency
- Phishing simulations (where appropriate)
- A documented incident response plan (who does what, who calls whom)
- Whether you’ve tested the plan (tabletop exercise)
Our Cyber Security Awareness Training and IT Security Service pages outline the practical steps we use to reduce real-world risk.
8) UK-specific credibility: Cyber Essentials and compliance signals
For many UK SMEs, Cyber Essentials is a strong, recognisable baseline. GOV.UK notes that businesses with Cyber Essentials controls in place make 92% fewer insurance claims, and the scheme is widely used in supply chains.
Also worth knowing: IASME states that eligible UK-domiciled organisations (under £20m turnover, whole-organisation self-assessment) may be entitled to Cyber Liability Insurance as part of Cyber Essentials, though you should always validate suitability with your broker.
If you want help achieving it, see Cyber Essentials Support.
A simple “insurance-ready” next step
If you want to be confident before renewal, start with a clear view of your current gaps, then fix what matters most to insurers.
- Book a Free IT Audit (we review security, backup, maintenance, capacity and resilience), or
- Schedule a Free IT Consultation to map your insurer questionnaire to a practical improvement plan.
- Then implement a structured uplift using Managed IT Services and our security stack (monitoring, endpoint, email, patching, backups, continuity).
Cyber insurance should never be your only defence, but getting “underwriter-ready” usually makes you measurably safer, too.