Why cyber insurance underwriting changed

The ransomware surge between 2020 and 2022 was costly for insurers in a way the market hadn't anticipated. Claims volumes rose sharply, average payouts increased and – critically – post-claim investigations revealed a consistent pattern: most of the affected businesses were inadequately protected by any reasonable standard. MFA wasn't in place. Backups weren't immutable or weren't tested. Patching was ad hoc. The losses were large, and many of them were preventable.

Insurers responded. Underwriting questionnaires became longer and more technical. Premiums rose significantly. Ransomware coverage was split out into sublimits or excluded entirely in some policies. Some carriers withdrew from the market altogether. Others tightened minimum requirements to the point that businesses without certain baseline controls couldn't get coverage at commercially viable rates.

The current environment is different in character from what existed five years ago. Underwriters are now treating cyber insurance as a technical risk assessment, not an administrative formality. The questions they ask reflect what actually drives claims – and if your answers indicate inadequate controls, the premium will reflect that, or the coverage won't be offered.

The controls that appear on most questionnaires

Underwriting questionnaires vary between insurers, but certain controls appear on virtually all of them. The most consistent are:

Multi-factor authentication (MFA) is now near-universal on renewal questionnaires. Insurers want to know whether MFA is in place specifically for email, remote access (VPN, RDP) and administrative accounts. These are the three vectors most commonly exploited in ransomware attacks – which is why insurers ask about them explicitly rather than MFA in general. A blanket "yes" that covers only some accounts or some services is where the risk lies.

Endpoint detection and response (EDR) has largely replaced "do you have antivirus?" as the relevant question. Basic antivirus operates on known malware signatures. EDR monitors endpoint behaviour continuously and can detect and contain threats that signature-based tools miss. Insurers increasingly distinguish between the two, and businesses running legacy antivirus rather than EDR may find this reflected in their underwriting assessment.

Backup practices appear on almost every questionnaire, and the questions have become more specific. It's not enough to confirm that backups exist – insurers now commonly ask whether backups are immutable (can't be altered or deleted), whether they're stored separately from the primary environment and whether restore processes are tested. The ransomware claim context is obvious: if your backups can be encrypted alongside your primary data, they don't function as a recovery mechanism.

Patching processes feature regularly. Insurers want to know how quickly critical patches are applied and whether there's a defined process rather than ad hoc updates. Software vulnerabilities are a primary attack vector, and an unpatched estate is a material risk signal.

Privileged access management (PAM) – controlling and auditing access to administrative accounts – appears less universally but is becoming more common at higher coverage levels. The concern is lateral movement: once an attacker has admin credentials, they can move across a network with minimal resistance.

Email security – specifically SPF, DKIM and DMARC records – is increasingly asked about in the context of phishing and business email compromise. These DNS records authenticate outbound email and make it harder to spoof your domain. Their absence is a signal that email security basics haven't been addressed.
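The questionnaire asks whether the records exist, but a record that exists with a weak setting answers the question without addressing the risk. The following is an added example (not part of the original article or any Route B tooling) that grades a domain's SPF, DKIM and DMARC records the way an assessor would read them: SPF is judged on its `all` qualifier, DKIM on whether the known selectors actually publish a key, and DMARC on its `p=` policy, reporting address and `pct`. The domain `example.test`, the selector `s1` and every record value are constructed for illustration; in practice the TXT strings would come from a DNS resolver rather than an inline dictionary.

```python
from typing import Dict, List

# DNS name -> list of TXT strings published at that name (constructed, stands in for live DNS)
TxtRecords = Dict[str, List[str]]


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC/DKIM style) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txts: List[str]) -> List[str]:
    """Grade the SPF record by the qualifier on its 'all' mechanism."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records; receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["SPF: no 'all' mechanism; unlisted senders get a neutral result"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return {
        "-": [],
        "~": ["SPF: '~all' softfail; receivers may still deliver spoofed mail"],
        "?": ["SPF: '?all' neutral; no protection"],
        "+": ["SPF: '+all' authorises every sender"],
    }[qualifier]


def assess_dkim(records: TxtRecords, domain: str, selectors: List[str]) -> List[str]:
    """Check that each selector the domain is expected to sign with publishes a key."""
    if not selectors:
        return ["DKIM: no selectors known; signing cannot be confirmed"]
    findings = []
    for sel in selectors:
        txts = records.get(f"{sel}._domainkey.{domain}", [])
        # RFC 6376: an empty p= tag means the key has been revoked
        if not any(parse_tags(t).get("p") for t in txts):
            findings.append(f"DKIM: selector {sel!r} publishes no public key")
    return findings


def assess_dmarc(txts: List[str]) -> List[str]:
    """Grade the DMARC record on policy, reporting address and percentage."""
    dmarc = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none monitors only; spoofed mail is not quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag (p={policy!r})")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports will not be received")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def assess_domain(domain: str, records: TxtRecords, dkim_selectors: List[str]) -> List[str]:
    """All findings for a domain; an empty list means the three records are in good shape."""
    return (assess_spf(records.get(domain, []))
            + assess_dkim(records, domain, dkim_selectors)
            + assess_dmarc(records.get(f"_dmarc.{domain}", [])))


# Constructed zones: the same domain before and after the records are tightened
WEAK_ZONE: TxtRecords = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ~all", "site-verification=abc123"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    # no DKIM selector published at all
}
STRONG_ZONE: TxtRecords = {
    "example.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...CONSTRUCTED"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("strong", STRONG_ZONE)):
        print(label, assess_domain("example.test", zone, ["s1"]) or "no findings")
```

The weak zone would let a business tick "SPF, DKIM and DMARC in place" on a questionnaire while still being trivially spoofable; the strong zone is what the question is really asking for.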

Cyber Essentials as a baseline – and its limits

Holding Cyber Essentials certification is positively viewed by most UK insurers. Some will offer a premium reduction for certified businesses; others use it as a baseline filter. The certification demonstrates that a minimum set of controls – firewalls, secure configuration, access control, malware protection and patch management – are in place and have been independently assessed.

What Cyber Essentials doesn't cover is equally worth understanding. The scheme doesn't assess EDR specifically (it addresses malware protection more broadly), doesn't require immutable backups and doesn't include privileged access management. A Cyber Essentials certificate is genuinely useful – both commercially and as a security baseline – but at higher coverage levels, underwriters will ask questions that go beyond what the scheme certifies.

Cyber Essentials Plus, which involves independent technical testing rather than self-assessment, carries more weight. But neither certification substitutes for addressing the controls insurers are specifically asking about.

What happens when there's a gap between the questionnaire and reality

This is where it becomes commercially significant. Cyber insurance policies contain a duty of fair presentation – the insured must disclose all material information honestly at the point of underwriting. If a claim is made and the subsequent investigation reveals that the security posture at renewal didn't match what was represented on the questionnaire, the insurer has grounds to reduce the payout or decline the claim entirely.

The gap we see most often is MFA. A business indicates on the questionnaire that MFA is in use, which is accurate – but MFA is enabled only on some accounts or some services. Email has MFA; the cloud backup portal doesn't. Microsoft 365 has MFA; the remote desktop gateway doesn't. An attacker exploits the unprotected service, causes a significant incident, and the claim investigation reveals the discrepancy. That's a defensible claims dispute for the insurer.
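The partial-coverage problem described here, and the per-vector questions listed under "the controls that appear on most questionnaires", come down to the same thing: the answer has to be computed across an inventory, not asserted. The following is an added example (not part of the original article or any Route B tooling) that takes an inventory of services and accounts and produces the three answers underwriters ask for, marking each as "yes", "partial" or "no" and listing exactly which accounts are unprotected. The service and account names are constructed; the point is that the "admin" answer is judged across every privileged account on every service, so the cloud backup portal's admin login counts even though the portal is not an email or remote-access service.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Account:
    name: str
    privileged: bool   # administrative rights on the service
    mfa: bool          # MFA enforced for this account, not merely "available"


@dataclass
class Service:
    name: str
    vector: str        # "email", "remote_access" or "other"
    accounts: List[Account]


# Constructed inventory for illustration; names and coverage are invented.
INVENTORY: List[Service] = [
    Service("Microsoft 365 mail", "email", [
        Account("alice", False, True), Account("bob", False, True), Account("m365-admin", True, True)]),
    Service("VPN gateway", "remote_access", [
        Account("dave", False, True), Account("vpn-admin", True, True)]),
    Service("Remote desktop gateway", "remote_access", [
        Account("carol", False, False), Account("rdg-admin", True, False)]),
    Service("Cloud backup portal", "other", [Account("backup-admin", True, False)]),
]

# ("yes" | "partial" | "no" | "n/a", accounts without MFA as "service:account")
Answer = Tuple[str, List[str]]


def _answer(accounts: List[Tuple[str, Account]]) -> Answer:
    gaps = [f"{svc}:{a.name}" for svc, a in accounts if not a.mfa]
    if not accounts:
        return ("n/a", [])
    if not gaps:
        return ("yes", [])
    if len(gaps) == len(accounts):
        return ("no", gaps)
    return ("partial", gaps)


def questionnaire_answers(inventory: List[Service]) -> Dict[str, Answer]:
    """Answer the three MFA questions underwriters ask: email, remote access, admin accounts.

    'email' and 'remote_access' are judged over the services in that vector; 'admin'
    is judged over every privileged account on every service, whatever its vector.
    """
    answers: Dict[str, Answer] = {}
    for vector in ("email", "remote_access"):
        accts = [(s.name, a) for s in inventory if s.vector == vector for a in s.accounts]
        answers[vector] = _answer(accts)
    answers["admin"] = _answer([(s.name, a) for s in inventory for a in s.accounts if a.privileged])
    return answers


def services_without_full_mfa(inventory: List[Service]) -> List[str]:
    """Every service with at least one account lacking MFA, regardless of vector."""
    return [s.name for s in inventory if any(not a.mfa for a in s.accounts)]


if __name__ == "__main__":
    for question, (answer, gaps) in questionnaire_answers(INVENTORY).items():
        print(f"{question:15} {answer:8} {', '.join(gaps)}")
    print("services needing attention:", services_without_full_mfa(INVENTORY))
```

Run against this inventory, email comes back "yes", remote access and admin both come back "partial" with the remote desktop gateway and backup portal named, which is the honest answer to put on the form and the list to work through before renewal.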

Insurers are increasingly forensic in claims investigations. They bring in specialist incident response firms whose job is to understand exactly what happened and what controls were or weren't in place. Misrepresentation – even unintentional – is a risk that's grown as underwriting has become more technical.

Honest self-assessment at renewal matters for two reasons: it's ethically the right thing to do, and practically it protects you when you need the policy to pay out.

How to use the renewal questionnaire to prioritise IT improvements

The questionnaire is a useful signal of what a reasonable security baseline looks like, independent of the insurance context. Underwriters have refined these questions based on what actually drives claims – so the controls they ask about are the controls that most commonly feature in preventable incidents.

If you can't honestly answer "yes" to a question, that's a prioritisation signal. Not every gap can be closed before renewal, but the questionnaire tells you where the gaps are and – implicitly – how significant they are based on how consistently they appear across different insurers.

If you can only address a few controls before renewal, the highest-weighted ones are:

Before your next renewal: what to do

Start preparation three to four months before renewal, not the week before. Late-stage preparation means rushing decisions, implementing controls without testing them and potentially having to represent a security posture on the questionnaire that hasn't been fully validated.

Get an honest assessment of your current posture against the questionnaire you expect to receive. If you don't have last year's questionnaire, most major insurers publish example questionnaires or you can request the format from your broker. Work through it systematically and identify where you'd have to answer "no" or where a "yes" would require qualification.

Address MFA and backup gaps first. These carry the most weight in underwriting and are also the controls most directly linked to ransomware recovery – the claim type that reshaped the market in the first place.

Document what you've implemented. Insurers may ask for evidence, not just assertions. A record of when MFA was enforced across accounts, a log of backup restore tests and confirmation of EDR deployment across your endpoint estate all support the representations you make on the questionnaire. If a claim arises, that documentation matters.
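A "log of backup restore tests" is only evidence if each entry records what was checked and whether the restored data was actually intact, which also answers the earlier question of whether restore processes are tested. The following is an added example (not part of the original article or any Route B tooling) of the minimum that makes such a record defensible: a content manifest (path and SHA-256) captured at backup time, a restore verified file-by-file against that manifest, and the outcome appended to a JSON-lines log with a timestamp and the backup identifier. The `demo()` function builds a constructed backup in a temporary directory and checks one clean restore and one with a corrupted and a missing file; the backup id `nightly-2024-01-01` is a placeholder label.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root, captured at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> Tuple[bool, List[str]]:
    """Compare a restored tree against the manifest; returns (passed, problems)."""
    problems: List[str] = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    problems += [f"unexpected file: {rel}" for rel in sorted(present - set(manifest))]
    return (not problems, problems)


def log_restore_test(log_path: Path, backup_id: str, passed: bool,
                     problems: List[str], files_checked: int) -> dict:
    """Append one evidence record per restore test (JSON lines, one object per line)."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "backup_id": backup_id,
        "files_checked": files_checked,
        "passed": passed,
        "problems": problems,
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Constructed scenario: one clean restore, one with silent corruption and a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "source"
        (src / "docs").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,10\n")
        (src / "docs" / "policy.txt").write_text("Retention: 90 days\n")
        manifest = build_manifest(src)                      # taken when the backup was made

        good = root / "restore_good"
        bad = root / "restore_bad"
        shutil.copytree(src, good)
        shutil.copytree(src, bad)
        (bad / "ledger.csv").write_text("id,amount\n1,99\n")  # simulated silent corruption
        (bad / "docs" / "policy.txt").unlink()                # simulated file lost in restore

        log = root / "restore-tests.jsonl"
        ok_good, problems_good = verify_restore(manifest, good)
        ok_bad, problems_bad = verify_restore(manifest, bad)
        log_restore_test(log, "nightly-2024-01-01", ok_good, problems_good, len(manifest))
        log_restore_test(log, "nightly-2024-01-01", ok_bad, problems_bad, len(manifest))
        entries = [json.loads(line) for line in log.read_text().splitlines()]
        return {"good": (ok_good, problems_good), "bad": (ok_bad, problems_bad),
                "log_entries": len(entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore that "completes" but returns the second result is the case that matters: without the manifest comparison the log would record a successful test, and the questionnaire answer built on it would be wrong.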

If your broker isn't guiding you through the technical requirements, ask them to. A good broker will help you understand what underwriters are specifically looking for and where your current posture is likely to be scrutinised.

Preparing for cyber insurance renewal? Route B can assess your current security posture and address the gaps before underwriters ask the questions.
