Cyber insurance questionnaires are getting tougher. Here are the controls UK SME insurers expect—MFA, backups, patching, email security—and how to evidence them.
Cyber Insurance for UK SMEs: The Security Controls Insurers Now Expect (and How to Evidence Them)
Cyber insurance used to feel like a simple purchase: answer a few questions, pay the premium, and feel safer. For UK SMEs today, it’s more like a security assessment. Insurers have seen too many claims driven by the same patterns—phishing, weak identity controls, unpatched devices, and poor recoverability—so the bar has risen. Questionnaires are longer, evidence requests are more common, and some policies now include stricter conditions around what must be in place.
That’s not necessarily a bad thing. If you treat the insurance process as a forcing function, it can help you tighten the same controls that reduce real-world incidents. The key is to approach it like readiness: understand what insurers are asking, put the controls in place consistently, and make sure you can evidence them without panic when renewal comes around.
Amazing Support is a multi-award-winning Microsoft Partner and a Cyber Essentials and Cyber Essentials Plus certified provider supporting UK SMEs across London, Greater London and Manchester. In our experience, the SMEs who get the best outcomes from cyber insurance are the ones who can clearly demonstrate their identity controls, patching discipline, email security, and recovery capability.
The short answer is: insurers increasingly expect strong identity security (MFA), patching, endpoint protection, email controls, and proven backups—and they want evidence, not assumptions.
The controls insurers commonly expect (in plain English)
1) MFA (especially for Microsoft 365 and admin accounts)
Expect questions like:
- is MFA enforced for all users?
- are admins protected more strongly?
- do you block legacy authentication?
2) Patching and vulnerability management
They’ll want to know:
- how quickly critical updates are applied
- whether you can report patch compliance
- whether unsupported operating systems exist
3) Endpoint protection and monitoring
Common expectations:
- centrally managed endpoint protection
- alerting/monitoring with a defined response process
- device encryption and secure configuration
4) Email security and phishing resilience
Expect questions around:
- anti-phishing/impersonation controls
- link/attachment protection approaches
- user reporting and response process
5) Backups and recovery (and whether you test restores)
This is where many SMEs get caught out. Insurers often ask:
- are backups protected from deletion/encryption?
- do you have offline/immutable options?
- when was your last restore test, and did it work?
6) Incident response readiness
They may ask:
- do you have an incident response plan?
- do you run tabletop exercises?
- who is responsible for decisions and communications?
How to evidence controls without scrambling
- keep a simple security “evidence pack” updated quarterly
- export MFA coverage / Conditional Access policy summaries
- maintain an asset list with patch compliance reporting
- record backup success + last restore test results
- document incident response roles and key contacts
- keep supplier contracts and SLAs accessible
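The evidence pack above is easiest to keep current when the numbers insurers ask for (MFA coverage, admin protection, patch compliance against an SLA, unsupported operating systems, backup immutability and restore-test age) are computed from exports rather than written by hand. The script below is an added example, not code from Amazing Support or the original post: it assumes the MFA, device and backup records have already been pulled out of the tenant and backup tooling into the simple records shown, every record is constructed sample data, and the SLA and age thresholds are illustrative assumptions rather than any insurer's stated requirement. It covers the MFA, patching and backup sections of the questionnaire in one pass.

```python
"""Evidence-pack summary built from constructed sample exports.

Added example (not code from Amazing Support or the original post). Assumes MFA,
device and backup data were already exported into the records below; all records
are constructed, and the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CRITICAL_PATCH_SLA_DAYS = 14      # assumed: critical patches applied within 14 days
BACKUP_MAX_AGE_DAYS = 1           # assumed: a successful backup every day
RESTORE_TEST_MAX_AGE_DAYS = 90    # assumed: a restore test at least quarterly
UNSUPPORTED_OS = {"Windows 7", "Windows 8.1", "Windows Server 2012 R2"}


@dataclass(frozen=True)
class User:
    upn: str
    is_admin: bool
    mfa_registered: bool
    legacy_auth_allowed: bool       # legacy protocols bypass MFA, so this is a finding


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    critical_patch_released: date
    critical_patch_installed: Optional[date]   # None = not yet installed


@dataclass(frozen=True)
class BackupJob:
    name: str
    immutable: bool                            # protected from deletion/encryption
    last_success: date
    last_restore_test: Optional[date]          # None = never tested
    restore_test_passed: bool


def mfa_summary(users: List[User]) -> dict:
    """MFA coverage plus unprotected admins and accounts allowed legacy auth."""
    covered = sum(1 for u in users if u.mfa_registered)
    return {
        "mfa_coverage_pct": round(100 * covered / len(users), 1) if users else 0.0,
        "admins_without_mfa": [u.upn for u in users if u.is_admin and not u.mfa_registered],
        "legacy_auth_allowed": [u.upn for u in users if u.legacy_auth_allowed],
    }


def patch_summary(devices: List[Device], today: date) -> dict:
    """Patch compliance against the SLA, devices now overdue, and unsupported OS."""
    installed = sum(1 for d in devices if d.critical_patch_installed is not None)
    within_sla, overdue = 0, []
    for d in devices:
        deadline = d.critical_patch_released + timedelta(days=CRITICAL_PATCH_SLA_DAYS)
        if d.critical_patch_installed is not None and d.critical_patch_installed <= deadline:
            within_sla += 1                     # installed inside the SLA window
        elif d.critical_patch_installed is None and today > deadline:
            overdue.append(d.name)              # missing and the window has closed
    n = len(devices)
    return {
        "installed_pct": round(100 * installed / n, 1) if n else 0.0,
        "within_sla_pct": round(100 * within_sla / n, 1) if n else 0.0,
        "overdue": overdue,
        "unsupported_os": [d.name for d in devices if d.os in UNSUPPORTED_OS],
    }


def backup_summary(jobs: List[BackupJob], today: date) -> Dict[str, List[str]]:
    """Per-job findings: deletion protection, backup freshness and restore testing."""
    findings = {}
    for j in jobs:
        issues = []
        if not j.immutable:
            issues.append("no immutable/offline copy")
        if (today - j.last_success).days > BACKUP_MAX_AGE_DAYS:
            issues.append("last successful backup is stale")
        if j.last_restore_test is None:
            issues.append("no restore test on record")
        else:
            if (today - j.last_restore_test).days > RESTORE_TEST_MAX_AGE_DAYS:
                issues.append("last restore test older than policy")
            if not j.restore_test_passed:
                issues.append("last restore test failed")
        findings[j.name] = issues
    return findings


# Constructed sample exports (not real users, devices or backup jobs).
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    User("alice@example.com", True, True, False),
    User("bob@example.com", False, True, False),
    User("carol@example.com", False, False, True),
    User("dave@example.com", True, False, False),
]
SAMPLE_DEVICES = [
    Device("LT-001", "Windows 11", date(2024, 5, 14), date(2024, 5, 20)),
    Device("LT-002", "Windows 11", date(2024, 5, 14), date(2024, 5, 31)),
    Device("LT-003", "Windows 11", date(2024, 5, 14), None),
    Device("SV-001", "Windows Server 2012 R2", date(2024, 5, 14), None),
    Device("LT-004", "macOS 14", date(2024, 5, 28), None),
]
SAMPLE_BACKUPS = [
    BackupJob("file-server", True, date(2024, 5, 31), date(2024, 4, 10), True),
    BackupJob("m365-mailboxes", False, date(2024, 5, 31), None, False),
    BackupJob("finance-db", True, date(2024, 5, 25), date(2024, 1, 15), False),
]


def evidence_pack(today: date = TODAY) -> dict:
    """One dictionary to drop into the quarterly evidence pack."""
    return {
        "mfa": mfa_summary(SAMPLE_USERS),
        "patching": patch_summary(SAMPLE_DEVICES, today),
        "backups": backup_summary(SAMPLE_BACKUPS, today),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_pack(), indent=2))
```

Run it and the output is the same shape every quarter, so a renewal questionnaire can be answered by reading the numbers off rather than reconstructing them. In practice the three sample lists are replaced by the exports from the identity provider, the patch management tool and the backup console, and the thresholds are set to whatever the policy actually commits to.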
FAQ
Will cyber insurance prevent incidents?
No—insurance helps with financial impact. Controls prevent incidents and reduce disruption.
What’s the most common weak spot in SME applications?
Proven recovery: restore testing and backup protection.
Does Cyber Essentials help with insurance?
It often helps demonstrate baseline controls, but insurers may still require additional evidence and specifics.
If you’re renewing cyber insurance or applying for the first time, we can help you map the Cyber Essentials questionnaire to real controls, close the gaps, and build an evidence pack that makes renewals far less painful.