Cyber Insurance · May 2026 · 6 min read

What Do Cyber Insurers Actually Check? A UK Small Business Guide

Cyber insurance applications have become significantly more detailed. Here's exactly what UK insurers are looking for in 2026 — and how to make sure you can answer confidently.

Cyber insurance has changed

A few years ago, getting cyber insurance was straightforward. Answer a handful of basic questions, pay your premium, done. That's no longer the case.

The surge in ransomware attacks and data breaches has forced insurers to take a much harder look at applicants' security practices. Many insurers now use detailed technical questionnaires, and some require evidence of specific controls before they'll offer cover at all.

For small business owners without an IT department, this has become a genuine headache. Here's what's actually being asked.

The questions that appear on almost every application

Multi-factor authentication

Do you use MFA on email, cloud services, remote access, and financial systems? This is now the most heavily weighted question on most applications. Some insurers will decline cover entirely if MFA is not enabled on email and on Microsoft 365 or Google Workspace.

Backup procedures

Do you have recent backups? Are they stored separately from your main systems — ideally offline or in a different cloud account? Have you tested restoring from them? Insurers have been burned by ransomware claims where backups either didn't exist or were encrypted along with everything else.

Patch management

How quickly do you apply security updates? Insurers typically want to see updates applied within 14 days of release. Running unsupported software — anything that no longer receives security patches from its vendor — is increasingly a reason to decline or restrict cover.

Endpoint protection

Do all computers and devices have active, up-to-date antivirus software? For Windows 10 and 11 users, Microsoft Defender counts — but it needs to be active and updating automatically.

Access control and privileged accounts

Are admin accounts limited to those who need them? Are they used only for admin tasks, not general browsing? Is access removed when staff leave? These questions target one of the most common attack vectors — compromised privileged accounts.

Questions that are becoming more common

Beyond the core questions above, a growing number of insurers are also asking about:

  • Whether you have a written cyber security policy or incident response plan
  • Whether staff have received any security awareness training
  • Whether you use a password manager
  • Whether Remote Desktop Protocol (RDP) is exposed to the internet
  • Whether you conduct any form of security testing or assessment

What happens if you answer no to these questions?

It depends on the insurer and the question. Some controls — particularly MFA — have become near-mandatory. Answering no may result in a flat decline, a significantly higher premium, or policy exclusions that effectively make ransomware claims impossible.

For other controls, the impact is more nuanced. Insurers are looking at the overall picture — a business that has MFA, good backups, and keeps software updated but hasn't done formal security training is in a very different position from one that has none of these things.

The practical implication: it's better to know your position before you apply. If you have gaps, addressing the most critical ones first — particularly MFA and backups — will materially improve your application.

How to prepare for your application

The best preparation is a structured assessment of where you currently stand. Going through the five Cyber Essentials control areas before you fill in an application form gives you two things: clarity on your actual position, and a document you can refer to when answering questions.

Our 10-minute assessment tool walks through all five areas in plain English — no technical knowledge required — and produces a professional PDF report showing your current security posture, gaps, and priority actions. Many businesses find it the most useful thing they can do before an insurance renewal.

At £49 for the report, it's likely the cheapest preparation you can do for an application that could save you significantly more if things go wrong.

