Cyber insurers won’t cover every business by default. To qualify, you need to meet baseline security standards that prove you can prevent, detect, and recover from attacks. This guide explains the core requirements most insurers expect, how they vary by business type, and what happens if you fall short.
Cyber insurance is about managing risk for both you and the insurer. Before they agree to cover you, insurers want proof that your business can prevent and respond to common cyber threats. The stronger your defences, the less likely you are to claim and the more confident the insurer will be in offering cover at a competitive price.
Every insurer has a threshold for the level of risk it will accept. Businesses with no MFA, outdated systems, or poor backup practices often fall outside that threshold. Meeting baseline security standards shows you are a lower risk and gives you access to broader policy options.
Security controls are not just for ticking boxes. They reduce the chance of a breach, limit the scale of damage if one occurs, and speed up recovery. This means fewer claims for the insurer, and less downtime and cost for your business.
Typical controls include multi-factor authentication on email and remote access, prompt patching of internet-facing systems, encrypted and regularly tested backups, email filtering, endpoint detection and response, and a written incident response plan.
If you do not meet the insurer’s minimum standards, they may refuse cover altogether. Even if you get a policy, a breach linked to missing controls can lead to a reduced payout or a denied claim. Some insurers offer conditional cover with a set timeline for improvement, but until those changes are implemented, your cover may be limited.
Most insurers look for the same baseline controls before they agree to cover you. These measures protect your systems, limit the impact of attacks, and demonstrate to the insurer that you take security seriously.
Passwords alone are no longer enough. MFA adds an extra layer, such as a code, mobile app approval, or hardware token, to confirm identity. Insurers often insist that MFA is enabled on email accounts, remote access, and critical cloud systems. Without it, stolen passwords can lead directly to a breach and a denied claim.
Unpatched software is one of the most common entry points for attackers. Insurers expect you to apply security updates promptly, especially to internet-facing systems such as firewalls, servers, and VPN gateways, because those are the systems attackers scan for first. Many policies now require evidence that patching is scheduled and documented, for example a patch calendar and records of when each update was applied. A long delay gives attackers an open door and may put your cover at risk if a breach is traced to a known, unpatched flaw.
Backups are your safety net if ransomware or data loss occurs. Insurers look for encrypted backups stored offline, or on a cloud platform where a compromised account cannot alter or delete them, so that an attacker who reaches your live systems cannot also destroy your recovery copies. They may also ask whether you test restores regularly, since a backup you have never restored from is as risky as having none at all. Being able to show resilient, immutable backups and a record of successful restore tests can also lower premiums.
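The restore test the paragraph above asks for is easy to automate and to keep evidence of. The script below is an added example, not code from the original guide or from any insurer: it assumes (hypothetically) that backups are shipped as a tar archive with a JSON manifest of SHA-256 digests, restores the archive into a scratch directory, verifies every file against the manifest, refuses archive entries that would write outside the scratch directory, and appends a dated pass/fail record to a JSON-lines log. The sample backup and the deliberately corrupted copy are constructed inline so it runs offline.

```python
"""Restore-test check for a backup archive (added example, not from the original guide).

Assumptions (hypothetical, not from the page): backups are tar.gz archives that
travel with a JSON manifest of SHA-256 digests, and each restore test is written
as one line to a JSON-lines evidence log. All sample data below is constructed.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large restores do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_backup(files, archive_path, manifest_path):
    """Backup side: write a tar.gz archive and a manifest of per-file digests."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def restore_test(archive_path, manifest_path):
    """Restore into a scratch directory and verify each file against the manifest.

    Returns (ok, problems). ok is True only when every manifest entry was restored
    with a matching digest; problems lists what went wrong otherwise.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # A tampered archive must not be allowed to write outside the scratch directory.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    problems.append(f"unsafe path in archive: {member.name}")
            if problems:
                return False, problems
            if hasattr(tarfile, "data_filter"):  # Python 3.12+: also apply the stdlib safety filter
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for name, expected in manifest.items():
            path = os.path.join(scratch, name)
            if not os.path.isfile(path):
                problems.append(f"missing after restore: {name}")
            elif sha256_file(path) != expected:
                problems.append(f"digest mismatch: {name}")
    return not problems, problems


def record_restore_test(log_path, archive_path, ok, problems):
    """Append a dated evidence record of the kind an insurer asks to see."""
    entry = {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "archive": os.path.basename(archive_path),
        "result": "pass" if ok else "fail",
        "problems": problems,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed scenario: a clean backup passes, a silently altered copy fails."""
    files = {"crm/customers.csv": b"id,name\n1,Acme\n", "config/app.ini": b"[db]\nhost=db1\n"}
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "backup.tar.gz")
        manifest = os.path.join(tmp, "backup.manifest.json")
        log = os.path.join(tmp, "restore-tests.jsonl")
        make_backup(files, archive, manifest)
        ok, problems = restore_test(archive, manifest)
        record_restore_test(log, archive, ok, problems)
        # Simulate bit rot or tampering: one file changed, manifest left as it was.
        altered = dict(files, **{"crm/customers.csv": b"id,name\n1,Acme\n2,Evil\n"})
        bad_archive = os.path.join(tmp, "backup-altered.tar.gz")
        make_backup(altered, bad_archive, os.path.join(tmp, "unused.json"))
        ok_bad, problems_bad = restore_test(bad_archive, manifest)
        record_restore_test(log, bad_archive, ok_bad, problems_bad)
        return ok, ok_bad, problems_bad


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against the most recent backup and keep the log: the log, not the backup itself, is what answers the underwriter's "do you test restores?" question. The digest comparison matters because a backup that extracts without error can still contain files that were corrupted or modified after the backup was taken.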
Phishing remains the most common attack method. Filtering tools scan incoming emails for malicious links, attachments, and spoofed sender domains before the messages reach staff inboxes.
Insurers expect these controls as they drastically reduce the risk of ransomware or fraud. Without filtering, a single click could trigger a costly claim.
Traditional antivirus is no longer enough. Insurers now expect endpoint detection and response (EDR) or an equivalent tool. EDR agents continuously monitor activity on each device, detect suspicious behaviour such as credential dumping or mass file encryption, and isolate a compromised machine before the attacker can move across the network. Laptops, desktops, and servers all need protection. Insurers often ask which endpoint solution you use during underwriting.
A written incident response plan shows you are prepared. It sets out who to contact, what steps to take, and how to recover systems in the event of an attack. Insurers value this because it reduces downtime, limits losses, and makes claims easier to validate. Many will request a copy of your plan, or at least a summary of your escalation process.
Meeting these requirements is more than ticking boxes. Each one directly reduces the chance of a breach and makes it far less likely that an insurer will contest a claim.
Cyber Essentials is not a mandatory requirement for most cyber insurance policies, and many insurers will offer cover without it. However, certification can speed up approval, reduce the number of security questions you need to answer, and in some cases lower your premium.
Some insurers, particularly those covering public sector suppliers or regulated industries, require at least Cyber Essentials certification before offering a policy. For most SMEs, it is optional but strongly recommended.
Certification proves you meet a recognised security baseline. Insurers view this as a sign of lower risk, which can result in cheaper premiums, broader coverage, or fewer exclusions.
Related guide: Cyber Essentials & Insurance: How certification affects your cover
Insurers adjust their expectations based on your turnover, headcount, industry, and the type of data you handle. Larger businesses or those in high-risk sectors often face stricter standards.
For smaller businesses, requirements are usually lighter, but core controls such as MFA, backups, and antivirus or endpoint protection are still mandatory. Some insurers may waive advanced measures if your risk profile is low, though you may pay more without them.
For larger businesses, expect more detailed risk assessments, written policies, and regular penetration testing. You may also need endpoint detection and response (EDR) and advanced email security.
Sectors that hold sensitive personal or financial data face higher scrutiny because of what a breach would expose. Insurers may require Cyber Essentials Plus, encryption for data in transit and at rest, and strict identity and access management.
Where a business develops software or holds valuable intellectual property, insurers focus on protecting that intellectual property, data classification, and managing third-party risks. You may also need secure software development practices and regular code audits.
Not meeting an insurer’s security standards can put your cover at risk. In some cases, you may not be able to obtain a policy at all. In others, you might be approved but find your claim reduced or denied if the missing control is linked to the breach.
Insurers check for baseline protections like MFA, patch management, and secure backups. If these are missing, they may decline your application or only offer reduced cover limits. In practice, this means you could pay the same premium but get far less protection.
Having a policy is not enough. If a breach occurs because your business failed to implement basic controls, the insurer may reject the claim. For example, if ransomware takes hold and you cannot restore from offline backups, recovery costs may not be paid.
Occasionally, insurers issue cover on the condition that you close security gaps within a set timeframe. Until you do, higher premiums or exclusions may apply. You might also face stricter reporting obligations, such as quarterly security checks or evidence of patching.