Axia Computer Systems Ltd

Cyber Security

Cyber insurance in 2026: what underwriters now require from UK SMEs

Cyber-insurance questionnaires have got a lot harder in the last two years. Here is what underwriters are actually asking, the answers that get cover renewed, and the controls that increasingly make the difference between a payout and a refusal.

Cyber SecurityBy Axia Computer Systems Ltd
Cyber InsuranceComplianceRisk
Cyber insurance in 2026: what underwriters now require from UK SMEs

If you have renewed a cyber-insurance policy in the last year, you will have noticed the questionnaire. It used to be twenty questions about backups and antivirus. It is now a comprehensive security audit that takes a competent IT team several days to answer properly, and the cover you get at the end depends significantly on what you put in it. The market has hardened, claims have grown, and underwriters now expect SMEs to operate to controls that would have looked enterprise-grade five years ago.

What the questionnaire now asks

  • Evidence of multi-factor authentication on every account that can access email, file shares or administrative systems — including admin and break-glass accounts.
  • Endpoint detection and response (EDR) deployed across all in-scope devices, with central reporting and a named human or managed service accountable for alerts.
  • Tested, immutable backups with a documented recovery time objective for critical systems and an annual restore drill against a real workload.
  • An incident response plan that is written, rehearsed and contactable — including out-of-hours escalation and named decision-makers.
  • Security awareness training, with evidence of phishing simulations and refresher cadence.
  • Email security that goes beyond Microsoft’s defaults — DMARC, SPF and DKIM correctly configured, sandboxing on attachments and links.
  • Privileged Access Management: separated admin accounts, no standing domain admin, time-bound elevation.

The common reasons cover is reduced or refused

The single biggest reason for a partial payout is inadequate MFA — typically an environment where MFA is "available" but not enforced, so a single compromised password is enough to walk into corporate data. The second biggest is an untested backup estate: insurers increasingly want evidence of a real restore, not just a backup report. The third is a missing or out-of-date incident response plan: at claim time, the insurer expects you to be able to produce it and to follow it. None of these are hard to fix in advance. All of them are expensive to be missing at claim time.

Cyber Essentials — the cheap shortcut

Most UK cyber insurers will accept a current Cyber Essentials (or Cyber Essentials Plus) certification as evidence of the baseline security controls. It does not waive the questionnaire, but it materially simplifies the answers and removes several of the trickier questions. For an SME that already has the certification, renewal is a paperwork exercise; for one that does not, it is a six-to-eight-week project. The economics almost always work out in favour of getting certified first.

What we recommend ahead of a renewal

  • 1. Pull last year’s renewal questionnaire and the answers you submitted. Treat it as the working list of controls to evidence this year.
  • 2. Run a gap review against the controls above. Where there are gaps, prioritise the ones that affect cover terms first — MFA enforcement, tested backups, EDR with central reporting.
  • 3. Get Cyber Essentials certified if you are not already. The badge is the cheapest evidence an insurer will accept for the baseline questions.
  • 4. Test a real backup restore against a critical system in the 90 days before renewal. The restore report is the single most useful artefact for the questionnaire.
  • 5. Document the incident response plan in one page. Print it. Rehearse it once. The insurer will not read the plan unless there is a claim, but they will read whether you have one.

The pricing reality

Premiums for SME cyber cover rose sharply through 2023 and 2024 and have stabilised at a higher level since. The SMEs seeing flat or reducing premiums at renewal are the ones with the best questionnaire answers — particularly MFA, tested backups, EDR and a current Cyber Essentials badge. For everyone else, premium increases have been significant and excesses larger. The path to better cover at renewal is the same path as better security in general: stop relying on hope.

We help SMEs across Hertfordshire, Bedfordshire and London prepare for cyber-insurance renewals — both as a one-off gap-review project and as an ongoing managed service. If your renewal is inside the next six months and you would like a free gap review, get in touch.

More from Cyber Security

Ready to talk?

Discuss your IT requirements with our team. Call 01923 333111 or send us a message.

Authorised trading partners