Cyber insurance has moved well beyond being a tick-box purchase. It is no longer just another line on the renewal spreadsheet. It’s how organisations protect themselves, and a critical part of their disaster recovery planning should things go wrong.
With the increase in uptake in cyber insurance coupled with the increase in cyber threats, underwriters are asking tougher questions, looking more closely at the evidence behind the answers, and taking a far more active view of cyber risk.
This increase in diligence from insurers is having two major impacts on businesses:
Why cyber insurers have tightened their requirements
Cyberattacks remain a pressing business issue across the UK. The government’s Cyber Security Breaches Survey 2025 found that 43% of businesses identified a cyber security breach or attack in the previous 12 months, with medium and large organisations reporting even higher rates. Against that backdrop, it is no surprise that insurers have become more selective about the risks they are willing to take on.
In practical terms, that means underwriting has changed from trust-based to evidence-based. A few years ago, organisations could complete a short questionnaire, confirm they used an antivirus, and receive a quote. Today, proposal forms are more technical, with insurers wanting clear evidence of technical controls. This has led to organisations with weaker security paying higher premiums, having narrower cover, and, in extreme cases, having cover completely declined.
This is a reaction to claim patterns. Ransomware, credential theft and email compromise continue to drive losses, and insurers know that many of the biggest incidents stem from basic control failures. In other words, the organisations that cannot demonstrate the fundamentals are the ones most likely to make claims.
What insurers are looking for in 2026
While every insurer and broker has its own wording, the themes are now remarkably consistent. The controls that carry the most weight are the ones that reduce the likelihood of an attack succeeding and limit the damage if one does.
1. Multi-factor authentication (MFA) that is enforced
MFA is now a baseline requirement, not a nice-to-have. Insurers want to see it enabled and enforced across the areas attackers target most often: email, remote access, cloud services and administrative accounts.
There is a good reason for this focus. Correctly implemented MFA can block more than 99.2% of account compromise attacks, according to Microsoft data.
Simply having MFA available is not enough. If users can bypass it, or if only part of the estate is covered, underwriters identify this as a weakness and a reason for higher premiums.
2. Backups that support recovery
Insurers are no longer reassured by the phrase “we have backups.” They want to know whether those backups are separated from production, protected from tampering (immutable) and capable of being restored quickly. In a ransomware scenario, recoverability is everything. If attackers can encrypt or delete the backups along with the live estate, the organisation’s defences are significantly undermined.
From the insurer’s perspective, backup is not just an IT housekeeping task. It is one of the clearest indicators of how well an organisation can bounce back after an incident.
3. Patching discipline and vulnerability management
Delayed patching remains one of the weaknesses attackers exploit most often, so underwriters pay close attention to update management. A credible plan means there is a defined patching process, clear ownership, and evidence that critical updates are deployed promptly.
The tightening of the Cyber Essentials scheme makes this especially relevant. The April 2026 updates introduced automatic failure where high-risk or critical security updates are not installed within 14 days. For insurers, that is a strong signal that patching should be treated as a hard control, not an optional extra.
4. Endpoint security that goes beyond legacy anti-virus
Insurers are also looking for stronger visibility and response at the device level. Traditional anti-virus is no longer enough. Modern endpoint protection, supported by monitoring and response capabilities, is required for insurers to be confident that devices are covered.
This matters particularly for organisations with hybrid working, a growing SaaS estate or multiple third-party integrations, as each adds complexity and introduces additional routes into an IT estate.
5. A wider picture of cyber maturity
The most progressive insurers are looking beyond individual point controls and asking broader questions about security maturity. That can include awareness training, incident response plans, vulnerability scanning, email protection and governance. In other words, they are assessing whether your business has a mature strategy to prevent, detect, respond and recover, not just a handful of technologies stitched together.
That broader view is important because cyber insurance is increasingly tied to overall resilience. The stronger and better documented your controls are, the more confident an insurer can be in both your risk profile and your ability to respond well under pressure.
What a credible cybersecurity posture looks like to an insurer
From an insurer’s perspective, a credible security posture is not about claiming perfection. It is about demonstrating consistency, control, and accountability. They want to see that your organisation understands its exposure and risks, has implemented the right baseline safeguards, and can provide evidence of those safeguards when asked.
This is where technical and commercial priorities meet. Good cyber resilience reduces risk in the real world, but it also makes an organisation easier and cheaper to insure. That is the link budget holders increasingly need to make.
Why Cyber Essentials and Cyber Essentials Plus matter in this conversation
The Cyber Essentials scheme remains one of the clearest ways for an organisation to demonstrate that essential controls are in place. It is the UK government-backed minimum baseline for cybersecurity, designed to reduce exposure to the most common internet-based threats. For insurers, it provides independent validation of an organisation’s cybersecurity rather than relying on informal assurances.
There is also a direct insurance link worth noting. Government guidance states that organisations with the Cyber Essentials controls in place make 92% fewer insurance claims, and eligible organisations with a turnover under £20 million can receive cyber liability insurance as part of certification. While that will not replace the need for standalone cyber cover, it reinforces the commercial value of getting the basics right.
The financial case is now much easier to explain
For CFOs and FDs, this is where the return on investment in cybersecurity becomes tangible. Stronger controls do not just reduce the chance of an attack. They influence premiums, improve insurability, reduce underwriting friction, and increase the likelihood that cover will respond as expected when needed, making cyber resilience justifiable in financial terms.
For technical leaders, the message is equally useful. If the executive team is asking for comprehensive MFA, tighter patching discipline, better backup evidence and clearer endpoint coverage, it is not because they have suddenly become more interested in the details of IT operations. It is because those decisions now have a direct financial and risk-transfer outcome.
The real question for organisations considering purchasing or renewing cyber insurance is no longer simply ‘Do we need it?’ It is ‘Would an insurer view us as a credible risk?’ That is a more useful question, and a far more commercially important one.
How Aura can help
If you are unsure how your organisation would stand up to insurer scrutiny, Aura’s Cyber Resilience Roadmap is a sensible place to start. It reviews your current controls, identifies any gaps, and outlines practical steps to strengthen both your resilience and your renewal readiness.
Want to know how your business would look to an insurer today?
If you want to reduce surprises at renewal and make better-informed decisions, booking a Cyber Resilience Roadmap is a practical first step.