
Cybersecurity Insurance: How Strong Security Reduces Your Premiums

Cyber insurance underwriters now assess your security controls before quoting. Businesses with multi-factor authentication, Cyber Essentials certification, endpoint protection and tested backups consistently receive lower premiums than those without — sometimes significantly so.


Ollie Hill-Haimes

Sales Director

7 min read·Mar 2026

The cyber insurance market has changed significantly

A few years ago, cyber insurance was relatively easy to obtain: fill in a short questionnaire, receive a policy. The frequency and severity of ransomware claims since 2020 changed that permanently. Insurers have tightened underwriting criteria substantially, with some withdrawing from the market entirely and others moving to risk-based pricing that reflects the actual security posture of the applicant.

For UK SMEs, the practical consequence is that the controls you have — or don't have — in place now directly affect whether you can get cover at all, and at what cost. According to industry data from the British Insurance Brokers' Association (BIBA), organisations with mature cyber security programmes pay materially less for equivalent coverage than those without.

What underwriters look for

Modern cyber insurance questionnaires are detailed and technically specific. Underwriters focus heavily on the following areas:

Multi-factor authentication (MFA)

MFA on email, VPN, remote desktop access and cloud platforms is now a near-universal underwriting requirement. Businesses without MFA on email may find cover refused outright, or offered only with a substantial exclusion. Some underwriters require MFA on all administrative accounts as a minimum condition of the policy.

Backup quality and testing

Insurers want to see that backups are not only taken regularly but are stored offsite in an immutable form (copies that cannot be altered or deleted until a retention period expires, so an attacker holding admin credentials cannot encrypt or wipe them) and are tested for recoverability. A business whose only backup is a NAS drive on the same network as production systems, reachable with the same credentials that ransomware will harvest, represents a very different risk from one with daily immutable cloud backups and quarterly restore tests that confirm the data actually comes back intact.
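A "restore test" is only meaningful if the restored data is checked against what was backed up, not just extracted without error. The following is an added example (not AMVIA's tooling or any insurer's requirement) of the minimum such a test should do: write a SHA-256 manifest alongside the archive at backup time, then restore to a scratch directory and report every file that is missing or altered. The archive format, file names and the corruption scenario in demo() are all constructed for illustration.

```python
"""Backup with a hash manifest, and a restore check that detects missing or altered files."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive source into a .tar.gz and write the manifest next to it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:                      # one member per file, relative names only
            tar.add(source / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    expected = json.loads(manifest_path(archive).read_text())
    actual = build_manifest(restore_dir)
    missing = sorted(k for k in expected if k not in actual)
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {"ok": not missing and not corrupted, "checked": len(expected),
            "missing": missing, "corrupted": corrupted}


def restore_and_verify(archive: Path, restore_dir: Path) -> dict:
    """Extract the archive into restore_dir, then verify it against the manifest."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    # The 'data' filter (Python 3.12, backported to maintained 3.8+ releases) blocks
    # path traversal from hostile archive members; fall back silently on older interpreters.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **extract_kwargs)
    return verify_restore(archive, restore_dir)


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean restore, then a restore with one file damaged and one lost."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2026-03-01,120.00\n")
        (source / "notes.txt").write_text("quarterly restore test\n")
        (source / "empty.bin").write_bytes(b"")           # zero-length files must still be tracked
        archive = root / "backups" / "data.tar.gz"
        archive.parent.mkdir()
        create_backup(source, archive)

        clean = restore_and_verify(archive, root / "restore_clean")

        damaged_dir = root / "restore_damaged"
        restore_and_verify(archive, damaged_dir)
        (damaged_dir / "finance" / "ledger.csv").write_text("date,amount\n")  # simulated bit rot
        (damaged_dir / "notes.txt").unlink()                                  # simulated lost file
        damaged = verify_restore(archive, damaged_dir)
        return clean, damaged


if __name__ == "__main__":
    for label, result in zip(("clean restore", "damaged restore"), demo()):
        print(label, json.dumps(result))
```

In production the manifest belongs with the backup copy (and ideally in the same immutable store), and the verify step should run against a restore into an isolated environment, on a schedule, with the result recorded so it can be produced to an underwriter as evidence.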

Endpoint detection and response

Legacy antivirus is no longer considered adequate by most underwriters. EDR solutions that provide behavioural analysis and automated threat response demonstrate a more robust security posture. Some insurers specifically ask whether you run an EDR product and which vendor.

Patch management

Underwriters are interested in how quickly critical patches are applied, particularly to internet-facing systems. A documented patch management policy with defined timescales for critical vulnerability remediation is a positive signal. Evidence of unpatched systems running unsupported software is a significant negative factor.

Email security

DMARC enforcement, anti-phishing filtering, and mail gateway solutions all feature in underwriting questionnaires. Phishing email remains one of the most common initial access routes for ransomware, and insurers have learned this from claims data. A business with DMARC at p=reject (which is only safe once SPF and DKIM are configured and aligned for every legitimate sending service, otherwise genuine mail is rejected too) and an active email gateway presents less phishing risk than one with no email security beyond basic spam filtering. A DMARC record set to p=none only reports on spoofing and blocks nothing, so it does not satisfy an underwriter asking about enforcement.

Cyber Essentials and insurance

Cyber Essentials certification — the UK government-backed scheme covering five foundational security controls — is increasingly recognised by insurers as a positive signal of baseline competence. Some insurers offer premium discounts to Cyber Essentials-certified organisations. Cyber Essentials Plus, which involves independent technical testing, carries more weight in underwriting conversations.

The certification is not a guarantee of coverage or discounts, and it does not replace a thorough security posture review, but it provides documented evidence of controls that underwriters can rely on rather than taking your word for it.

The cost of not investing in security

The maths is fairly straightforward for most SMEs. A managed cybersecurity programme — including EDR, email security, backup monitoring and Cyber Essentials certification — typically costs between £500 and £2,000 per month depending on business size. The premium difference between a business with a good security posture and one without can easily exceed this, whilst the potential claim — including ransomware recovery, business interruption, legal costs and regulatory fines — runs to tens or hundreds of thousands.

Insurers are not being unreasonable in their requirements. They are simply pricing the risk accurately. The businesses paying the most for cyber insurance are often those where a claim is most likely.

Incident response planning and insurance

A documented, tested incident response plan is another factor underwriters consider. The ability to detect, contain and respond to an incident quickly materially reduces the cost of a claim. Insurers may also require that certain IR retainers are in place, or that you use their preferred incident response firm in the event of a claim — this should be reviewed carefully when comparing policies.

AMVIA supports UK businesses in building the security posture that insurers expect to see — from Cyber Essentials certification through to managed detection and response — and can provide documentation of controls that supports the insurance application process.

Reviewing your policy annually

Cyber insurance policies should be reviewed annually. The threat landscape changes, your business changes, and underwriting requirements evolve. A policy taken out three years ago may have exclusions that have become more significant, or may no longer reflect your actual coverage needs. Working with a specialist cyber insurance broker alongside your managed security provider gives the most complete picture.

Reduce Your Cyber Insurance Premium

Better security means lower insurance costs. AMVIA can assess your current security posture and implement the controls that insurers reward with preferential premiums.

Frequently Asked Questions