How to Get Cyber Insurance in the UK
Cyber insurance protects UK businesses against the financial costs of cyber attacks. To get the best terms, you need to demonstrate strong security controls. Insurers increasingly require Cyber Essentials, MFA, EDR, and regular backups as minimum prerequisites.
Direct Answer
To get cyber insurance in the UK, you must demonstrate strong security controls before applying. Insurers now require MFA, endpoint detection, tested backups, email security, and staff training as minimums. Holding Cyber Essentials or CE Plus reduces premiums by 10–25% with many insurers and demonstrates to underwriters that your baseline security posture is sound. Businesses without these controls face higher excess, reduced coverage, or outright rejection.
What Cyber Insurers Require
Common prerequisites that UK cyber insurers look for during underwriting.
Multi-Factor Authentication
MFA on all remote access, admin accounts, and cloud services is now a universal requirement. Insurers will not cover businesses without MFA.
Endpoint Protection (EDR)
Modern endpoint detection and response on all devices. Traditional antivirus alone is no longer sufficient for most insurers.
Tested Backups
Regular, tested, immutable backups stored separately from your network. Insurers want evidence that backups are tested, not just that they exist.
Email Security
Advanced email filtering, DMARC/SPF/DKIM authentication, and anti-phishing controls to reduce the most common attack vector.
Staff Awareness Training
Regular security awareness training and simulated phishing exercises. Insurers recognise that human error is the biggest risk factor.
Cyber Essentials Certification
Holding Cyber Essentials or CE Plus demonstrates your commitment to security and can reduce premiums by 10–25% with some insurers.
With vs Without Proper Security Controls
How your security posture affects insurance outcomes.
| Feature | Weak Controls (high premiums / rejection) | Strong Controls (better terms, recommended) |
|---|---|---|
| Application outcome | Often rejected | Accepted |
| Annual premium (50 users) | £3,000–£8,000+ | £1,500–£3,000 |
| Excess/deductible | Higher | Lower |
| Coverage exclusions | Many | Fewer |
| Claims honoured | Risk of rejection | More likely |
Frequently Asked Questions
The first hour after detection is considered the golden hour that determines outcome severity. Organisations that detect breaches internally save an average of $900,000 in costs. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.
Ransomware is malicious software that encrypts your data and demands payment for its return. Approximately 19,000 UK businesses were hit by ransomware in 2025. The median UK ransom demand has doubled to $5.37 million, and average recovery costs reach $2.58 million excluding the ransom itself.
Business email compromise (BEC) is a type of fraud where attackers impersonate executives or suppliers to trick employees into transferring funds or sharing sensitive data. BEC attacks increased 33% in 2025. The average loss per BEC incident is $137,000. Even organisations with fewer than 1,000 employees face a 70% weekly probability of a BEC attempt.
Only 14% of UK businesses formally review cyber risks from their immediate suppliers. 35.5% of all global data breaches in 2024 originated from third-party compromises. Supply chain attacks add an average of £241,620 to the total cost of a breach and take 267 days to detect and contain.
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.
Get Insurer-Ready
AMVIA helps UK businesses meet cyber insurer requirements. We assess your current position and close the gaps.