Five years ago, cyber insurance renewals asked: “Do you have antivirus?”

Today they ask: “Provide evidence of MFA deployment, backup testing logs, incident response documentation, and staff training records.”

Insurers aren’t guessing anymore. They’ve paid too many claims from businesses that thought they were protected but weren’t.

The result: premiums have increased, coverage has become conditional, and businesses without documented security controls are being declined or facing exclusions.

This guide covers what insurers are actually asking for in 2025, why they’re asking for it, and how to demonstrate you meet their requirements without expensive consultants or complicated projects.

Get the guide: Our Insurer’s IT Requirements checklist shows exactly what underwriters look for.

Why Insurers Changed Their Approach

The Claims Reality

Insurance works on risk pooling. If claims are predictable and manageable, premiums stay reasonable.

Cyber claims broke that model:

  • Ransomware payouts increased 80% between 2020-2023
  • Average claim size now exceeds £100,000
  • Business interruption claims often dwarf the ransom itself
  • Regulatory fines and legal costs multiply the impact

Insurers realised that businesses saying “we’re secure” and businesses actually being secure were very different populations.

The Evidence Shift

Previously: Self-attestation. “Yes we have security measures.”

Now: Evidence-based underwriting. “Show us the configuration. Show us the logs. Show us the training records.”

This isn’t insurers being difficult. It’s actuarial reality. Businesses with documented controls have demonstrably fewer and smaller claims. Getting there does not require a huge project, but it does mean meeting the security controls insurers now expect rather than guessing at them.

The Standard Requirements (2025)

Most cyber and PI insurers now require evidence of these controls:

1. Multi-Factor Authentication (MFA)

What they want:

  • MFA enabled on all email accounts
  • MFA on remote access (VPN, RDP, cloud applications)
  • MFA on admin and privileged accounts
  • Not just “available” – actively enforced

Why it matters: Microsoft research shows MFA blocks 99.9% of automated attacks. Insurers know this. If you’re not using it, you’re choosing to accept preventable risk.

Evidence required: Screenshot of MFA policy configuration, admin portal showing enforcement status, sometimes attestation from IT provider.

Common failure: MFA available but not mandatory. Users can opt out. One compromised account without MFA = claim denied.

2. Backup and Recovery

What they want:

  • Regular automated backups (daily minimum)
  • Offsite or cloud backup (separate from main systems)
  • Backup testing documented (not just configured – tested)
  • Recovery time objectives defined

Why it matters: Ransomware claims are often business interruption claims. If you can recover quickly, the claim is smaller. If you can’t, it’s catastrophic.

Common failure: “We have backups” but last test was 18 months ago. Ransomware hits, backups fail, insurer questions why testing wasn’t done.

3. Endpoint Protection

What they want:

  • Managed antivirus/EDR on all devices
  • Automatic updates enabled
  • Centralised monitoring
  • Coverage of all endpoints (including laptops, mobile)

Common failure: Desktop protection fine, but consultants’ laptops unmanaged. That’s the device that gets compromised.

4. Patch Management

What they want:

  • Critical patches applied within 14-30 days
  • Documented patching process
  • Coverage of operating systems, applications, and firmware
  • Evidence of compliance (not just policy)

Common failure: Policy says “patch within 30 days.” Reality: some systems haven’t updated in 6 months. Gap between policy and practice = problem.

5. Security Awareness Training

What they want:

  • Annual training for all staff
  • Phishing simulation exercises
  • Documented completion records
  • Role-specific training for high-risk users

Why it matters: 78% of attacks start with email. Trained staff catch threats. Untrained staff click links.

Common failure: Training done at onboarding, never refreshed. Three-year employee hasn’t seen training in three years.

6. Incident Response Plan

What they want:

  • Documented incident response procedures
  • Defined roles and responsibilities
  • Contact information for key responders
  • Regular review and testing

Common failure: Plan exists but nobody knows where it is. Incident happens, panic ensues, plan never consulted.

Industry-Specific Requirements

Beyond the standard requirements, some industries face additional scrutiny:

Professional Services (Accountants, Law Firms)

Additional requirements:

  • Client data handling procedures
  • Regulatory compliance evidence (SRA, ICAEW)
  • Professional body guidance adherence
  • Client notification procedures for breaches

Why: High-value data, regulatory exposure, client liability.

Financial Services

Additional requirements:

  • FCA compliance documentation
  • Consumer Duty considerations
  • Transaction monitoring
  • Enhanced access controls

Why: Regulatory requirements, high-value transactions, sophisticated threat actors.

Healthcare

Additional requirements:

  • NHS Data Security Toolkit compliance
  • Patient data handling procedures
  • Medical device security
  • Care continuity planning

Why: Life safety implications, regulatory requirements, sensitive data.

Get the guide: Our Insurer’s IT Requirements checklist shows exactly what underwriters look for.

What Happens If You Don’t Meet Requirements

Scenario 1: Declined Cover

Insurer reviews application. MFA not deployed. Application declined.

Result: No cyber insurance. Business carries full risk.

Scenario 2: Increased Premium

Basic controls in place but gaps identified. Policy offered at 40% premium increase.

Result: Insurance costs eating into margins.

Scenario 3: Exclusions Applied

Policy issued but with exclusions: “No cover for incidents arising from unpatched systems” or “Ransomware exclusion for systems without MFA.”

Result: Think you’re covered. Claim happens. Denied.

Scenario 4: Claims Denied

Incident occurs. Investigation reveals controls weren’t actually in place despite attestation.

Result: Claim denied. Plus potential fraud implications for misrepresentation.

How to Demonstrate Compliance

Documentation Approach

Create a simple evidence pack:

  1. Control inventory – List each required control
  2. Implementation evidence – Screenshots, configuration exports
  3. Testing evidence – Logs, reports, test results
  4. Policy documents – Written procedures
  5. Training records – Completion certificates, dates

Update annually or when major changes occur.

Third-Party Validation

Some insurers accept (or require):

  • Cyber Essentials certification
  • SOC 2 reports from cloud providers
  • Penetration test results
  • Security assessment reports from qualified providers

Third-party validation often results in better premium terms.

What NOT to Do

Don’t misrepresent: Saying “MFA is enabled” when it’s optional is misrepresentation. Claims get investigated. Misrepresentation voids policies.

Don’t rely on policy alone: “We have a patching policy” means nothing if systems aren’t patched. Evidence must show implementation, not just intent.

Don’t assume you’re covered: Read policy exclusions carefully. Many policies exclude ransomware, nation-state attacks, or incidents from unpatched systems.

Get the guide: Our Insurer’s IT Requirements checklist shows exactly what underwriters look for.

Quick Action Plan

This Week

  1. Review your current cyber/PI policy – what does it actually cover?
  2. Check MFA status – is it mandatory on email and remote access?
  3. When did you last test backup restoration?

This Month

  1. Document your current controls – even a simple spreadsheet
  2. Identify gaps against insurer requirements
  3. Get training completion records from your platform

Before Renewal

  1. Close identified gaps
  2. Prepare evidence pack for underwriting questions
  3. Consider Cyber Essentials certification
  4. Get a security assessment to identify unknown issues

Free Download

Tackling Your Insurer’s IT Requirements

Insurers aren’t guessing anymore. Know exactly what they’re looking for before your renewal.

This guide covers:

  • The controls insurers now require as standard
  • How to document evidence they’ll accept
  • What triggers premium increases (and how to avoid them)

Weighing this up for your own business?

We help UK organisations get their cloud, Microsoft 365 and security done properly, without the guesswork or the surprise bills. Independent advice, nothing to resell.

Book a 30-minute scoping call and we will look at where you are, flag the gaps, and answer your questions honestly. No pitch, just straight advice.