How to Get Cyber Insurance in the UK
Cyber insurance protects UK businesses against the financial costs of cyber attacks. To get the best terms, you need to demonstrate strong security controls. Insurers increasingly require Cyber Essentials, MFA, EDR, and regular backups as minimum prerequisites.
Direct Answer
To get cyber insurance in the UK, you must demonstrate strong security controls before applying. Insurers now require MFA, endpoint detection, tested backups, email security, and staff training as minimums. Holding Cyber Essentials or CE Plus reduces premiums by 10–25% with many insurers and demonstrates to underwriters that your baseline security posture is sound. Businesses without these controls face higher excess, reduced coverage, or outright rejection.
What Cyber Insurers Require
Common prerequisites that UK cyber insurers look for during underwriting.
Multi-Factor Authentication
MFA on all remote access, admin accounts, and cloud services is now a universal requirement. Insurers will not cover businesses without MFA.
Endpoint Protection (EDR)
Modern endpoint detection and response on all devices. Traditional antivirus alone is no longer sufficient for most insurers.
Tested Backups
Regular, tested, immutable backups stored separately from your network. Insurers want evidence that backups are tested, not just that they exist.
Email Security
Advanced email filtering, DMARC/SPF/DKIM authentication, and anti-phishing controls to reduce the most common attack vector.
Staff Awareness Training
Regular security awareness training and simulated phishing exercises. Insurers recognise that human error is the biggest risk factor.
Cyber Essentials Certification
Holding Cyber Essentials or CE Plus demonstrates your commitment to security and can reduce premiums by 10–25% with some insurers.
With vs Without Proper Security Controls
How your security posture affects insurance outcomes.
| Feature | Weak Controls (high premiums / rejection) | Strong Controls (better terms, recommended) |
|---|---|---|
| Application outcome | Often rejected | Accepted |
| Annual premium (50 users) | £3,000–£8,000+ | £1,500–£3,000 |
| Excess/deductible | Higher | Lower |
| Coverage exclusions | Many | Fewer |
| Claims honoured | Risk of rejection | More likely |
Frequently Asked Questions
In many cases, yes. Several UK cyber insurers offer premium discounts of 10–25% for organisations holding a current Cyber Essentials certificate. Cyber Essentials certified organisations are 92% less likely to claim on cyber insurance (IASME), which is why underwriters view the certification favourably. Some insurers now require Cyber Essentials as a minimum condition for coverage, making it both a cost-saving measure and an eligibility requirement.
Underwriters typically ask about MFA enforcement, endpoint detection, backup testing frequency, email filtering, staff training, and patch management cadence. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025), and MFA is now a universal prerequisite — applications without it are routinely declined. Having documented evidence of each control in place speeds up the application process and improves the terms offered.
Yes. If the insurer determines that you misrepresented your security posture on the application or failed to maintain the controls you declared, the claim may be reduced or rejected entirely. The average cost of the most disruptive breach is £3,550 (DSIT 2025), and that burden falls entirely on the business if the claim is denied. Maintaining the controls you declared — and keeping evidence — is essential for a successful claim.
Get Insurer-Ready
AMVIA helps UK businesses meet cyber insurer requirements. We assess your current position and close the gaps.