Why UK insurers scrutinise security controls
The UK cyber insurance market operates in an increasingly regulated environment: UK GDPR, the Data Protection Act 2018, the NIS Regulations 2018 for operators of essential services, and the forthcoming Cyber Security and Resilience Bill that is intended to update them (the EU's NIS2 directive does not apply in the UK directly). Insurers are particularly strict because the UK Information Commissioner's Office (ICO) actively investigates breaches, issues substantial fines, and publicly lists enforcement actions, so a poorly controlled insured is a foreseeable regulatory loss as well as a ransomware loss.
You don't need to be a multinational corporation, but you must demonstrate that you have controls aligned with UK regulatory expectations and industry best practice.
Essential controls (required by virtually all UK insurers)
These are baseline expectations. Missing any of these will result in a declined application or severe premium penalties.
Multi-Factor Authentication (MFA)
MFA is now virtually universal among UK carriers, and "MFA everywhere" is read literally: underwriters ask about coverage by category, not whether you have it at all. It must cover:
- All remote access (VPN, RDP, remote-management tools)
- Email accounts (especially admin and service accounts, which are the ones most often missed)
- Cloud services (Microsoft 365, Google Workspace, AWS, Salesforce)
- Admin consoles and privileged access
- Backup and recovery systems (so a ransomware operator with a stolen password cannot delete your restore point)
Phishing-resistant methods (FIDO2 security keys or passkeys) score best for administrators; SMS codes are accepted but are the weakest option. Full MFA coverage is commonly cited as reducing premiums by 15–25%, and its absence is the single most common reason for a declined application.
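Underwriters ask for MFA coverage by category rather than as a yes/no, so it helps to generate that breakdown from an identity-provider export before filling in the proposal form. The following is an added example, not code from the page or from any vendor tool; the CSV layout (columns upn, roles, mfa_registered, remote_access) and the sample rows are constructed for illustration, and a real export from Entra ID, Google Workspace or Okta will have different column names.

```python
"""Audit MFA coverage by underwriting category from a constructed user export."""
import csv
import io

# Constructed sample export (assumed layout, not a real vendor format).
SAMPLE_EXPORT = """upn,roles,mfa_registered,remote_access
alice@example.co.uk,Global Administrator,true,true
bob@example.co.uk,,true,false
svc-backup@example.co.uk,Backup Operator,false,true
carol@example.co.uk,Helpdesk Administrator,false,false
dave@example.co.uk,,false,true
"""

# Role-name fragments that mark an account as privileged (assumption).
PRIVILEGED_HINTS = ("administrator", "operator", "owner")
CATEGORIES = ("privileged", "service", "remote", "email")


def classify(row):
    """Return the set of underwriting categories a user falls into."""
    cats = set()
    roles = row["roles"].lower()
    if any(hint in roles for hint in PRIVILEGED_HINTS):
        cats.add("privileged")
    if row["upn"].startswith("svc-"):          # naming convention assumed
        cats.add("service")
    if row["remote_access"].lower() == "true":
        cats.add("remote")
    cats.add("email")                           # every mailbox user needs MFA
    return cats


def audit(csv_text):
    """Map each category to the UPNs in it that have no MFA registered."""
    gaps = {cat: [] for cat in CATEGORIES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["mfa_registered"].lower() == "true":
            continue
        for cat in classify(row):
            gaps[cat].append(row["upn"])
    return gaps


def coverage_pct(csv_text):
    """Overall percentage of accounts with MFA registered, one decimal place."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    covered = sum(1 for r in rows if r["mfa_registered"].lower() == "true")
    return round(100 * covered / len(rows), 1)


if __name__ == "__main__":
    for cat, users in audit(SAMPLE_EXPORT).items():
        print(f"{cat}: {len(users)} without MFA -> {', '.join(users) or 'none'}")
    print(f"overall coverage: {coverage_pct(SAMPLE_EXPORT)}%")
```

Run against the sample, the privileged category flags the backup service account and the helpdesk admin, which is exactly the pair an underwriter cares about: a headline "80% of users have MFA" figure would hide both.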
Endpoint Detection and Response (EDR)
Basic signature antivirus no longer meets expectations. UK insurers require EDR: an agent that records endpoint telemetry (process, network, file and registry activity), detects suspicious behaviour rather than only known malware, and lets the responder contain a host remotely, for example by isolating it from the network. Solutions like Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne are standard for mid-market firms. Be ready to state the percentage of endpoints (including servers) with the agent installed and reporting; an EDR licence with half the estate uncovered does not count.
Email security
Email is the primary attack vector. Insurers require:
- Spam filtering and anti-phishing tools
- SPF, DKIM and DMARC, with DMARC actually enforcing (a policy of quarantine or reject, not p=none, which only monitors)
- Secure email gateway or cloud-based protection
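Insurers' external scans check the published SPF and DMARC records directly, and the usual failure is a DMARC record that exists but has p=none, or an SPF record ending in +all. The following is an added example, not code from the page; it parses records the way such a scan would and reports the weaknesses. The records are constructed; against a live domain you would fetch the TXT records for the domain and for _dmarc.<domain> with a DNS resolver first.

```python
"""Assess SPF and DMARC TXT records for enforcement, offline."""
import re

# Constructed sample records (not real domains' records).
SPF_GOOD = "v=spf1 include:spf.protection.outlook.com -all"
SPF_SOFT = "v=spf1 include:_spf.example.net include:mail.example.org ~all"
SPF_BAD = "v=spf1 a mx +all"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk; pct=100"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc@example.co.uk"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 limit is 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(txt):
    """Split a DMARC record into a lowercase tag dict; None if it isn't DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(txt):
    """Return (enforcing, findings) for a DMARC record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False, ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected")
    return policy in ("quarantine", "reject") and pct == 100, findings


def assess_spf(txt):
    """Return (enforcing, findings) for an SPF record.

    Softfail (~all) counts as enforcing only because DMARC acts on it;
    a hard fail (-all) is the strict setting.
    """
    if not txt.lower().startswith("v=spf1"):
        return False, ["no valid SPF record"]
    terms = txt.split()[1:]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
        return False, findings
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "+":
        findings.append("+all: every sender passes SPF")
    elif qualifier == "?":
        findings.append("?all: neutral result, no enforcement")
    elif qualifier == "~":
        findings.append("~all: softfail, relies on DMARC to act")
    lookups = sum(1 for t in terms
                  if re.split(r"[:=]", t.lstrip("+-~?"))[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms (limit 10): SPF will permerror")
    return qualifier in ("-", "~"), findings


if __name__ == "__main__":
    for rec in (SPF_GOOD, SPF_SOFT, SPF_BAD, DMARC_GOOD, DMARC_NONE, DMARC_PARTIAL):
        fn = assess_dmarc if rec.upper().startswith("V=DMARC1") else assess_spf
        print(rec, "->", fn(rec))
```

The lookup count matters in practice: organisations that bolt on a new SaaS sender by adding another include: often push past ten lookups, at which point receivers return permerror and the record silently stops protecting anyone.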
Backup and recovery procedures
The 3-2-1 rule applies in the UK too: 3 copies of data, on 2 different media types, with 1 copy offsite. Insurers now expect that offsite copy to be offline or immutable as well, because ransomware crews routinely find and delete any backup reachable with domain credentials. You must have tested and documented restore procedures, with dates, what was restored, how long it took and who signed it off. Untested backups count for nothing. Immutable or air-gapped backups, and restore tests performed from the immutable copy rather than the live one, score extra credit.
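"Tested restore" means evidence, not a statement that someone once tried it. The following is an added example, not code from the page: it backs a directory into an archive with a SHA-256 manifest, restores it to a fresh location, verifies every file against the manifest and produces a dated report of the kind a broker can attach to the proposal form. The sample files are constructed and the paths are temporary; in a real run the archive would be pulled from the offline or immutable copy and the report retained with the policy documentation.

```python
"""Automated restore test with a hash manifest and a dated pass/fail report."""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir into a .tar.gz; return {relative_path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_and_verify(archive_path, manifest, restore_dir):
    """Restore the archive and compare every manifest entry by hash.

    'passed' is True only when nothing is missing and nothing differs.
    """
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            # Refuse entries that would write outside restore_dir.
            if os.path.isabs(member.name) or ".." in member.name.split("/"):
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(restore_dir)
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        target = os.path.join(restore_dir, rel)
        if not os.path.exists(target):
            missing.append(rel)
        elif sha256_of(target) != expected:
            mismatched.append(rel)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "passed": not missing and not mismatched,
    }


def run_restore_test(corrupt=False):
    """End-to-end test on constructed data; corrupt=True simulates a bad backup."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2026-04-01,100.00\n")   # constructed sample
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample data\n")
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        if corrupt:
            manifest["notes.txt"] = "0" * 64   # stored hash no longer matches
        return restore_and_verify(archive, manifest, os.path.join(work, "restore"))


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(corrupt=True))
```

The manifest is the important design choice: it is written at backup time and stored separately from the archive, so a restore that "succeeds" but yields corrupted or silently truncated files still fails the test. The path check before extraction is there because a backup archive is also an input from storage you may no longer fully trust after an incident.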
Patch management
A documented patch management process is essential. The common underwriting expectation is critical patches deployed within 30 days, but note that Cyber Essentials requires critical and high-severity updates within 14 days of release, so if you hold that certification your policy must say 14. Internet-facing systems and remote-access appliances deserve the shortest window: they are what the insurer's external scan sees. Show your policy, your deployment schedule, and how you track exceptions and unsupported software.
Security awareness training
Annual training is insufficient. UK insurers expect regular, documented training, at least quarterly, with completion records per employee. Phishing simulations with tracked click-through and reporting rates strengthen your application; a falling click rate over successive campaigns is better evidence than a single good result.
UK-specific regulatory requirements
Beyond baseline controls, UK insurers assess compliance with UK-specific legislation.
Cyber Essentials / Cyber Essentials Plus
Some UK insurers require, or offer significant discounts (10–20%) for, Cyber Essentials or Cyber Essentials Plus certification. The scheme is a government-backed assessment framework run by the NCSC's delivery partner, and covers five controls: firewalls, secure configuration, user access control, malware protection, and security update management. Cyber Essentials is a verified self-assessment; some UK insurers also bundle a small cyber insurance policy with basic Cyber Essentials for smaller organisations.
Cyber Essentials Plus goes further with an independent technical audit by a certification body: an external vulnerability scan of your internet-facing systems and hands-on checks of a sample of devices. It is not a full penetration test, so it does not replace the penetration testing listed under advanced controls.
UK GDPR and Data Protection Act 2018
If you process personal data of UK residents, you must comply with UK GDPR and the Data Protection Act 2018. Insurers require documentation of:
- Lawful basis for processing and a data inventory (record of processing activities)
- Data Protection Impact Assessments (DPIAs) for high-risk processing
- Consent management (where applicable)
- Breach notification procedures: notifiable breaches reported to the ICO without undue delay and within 72 hours of becoming aware, and affected individuals informed where the breach is likely to result in a high risk to them
- Data subject rights fulfilment (access requests, deletion, portability)
- Data processing agreements with all vendors that handle personal data on your behalf
ICO registration and compliance
Unless you are exempt (most organisations aren't), you must be registered with the ICO and pay the annual data protection fee, and comply with ICO guidance. Insurers verify your registration status and assess your readiness for ICO investigations and audits.
NIS2 and the UK NIS Regulations
NIS2 (the EU's Network and Information Security Directive 2.0) is EU law and is not being transposed into UK law. The UK's equivalent regime is the NIS Regulations 2018, which the government's Cyber Security and Resilience Bill is intended to update and extend to more sectors. If your organisation operates critical infrastructure (energy, transport, water, digital services, healthcare), insurers expect you to meet the UK regime and, where you supply EU essential or important entities, to be ready for the NIS2 obligations your EU customers will pass down contractually. Both expect:
- Risk assessments and proportionate security measures
- Incident response capability
- Supply chain security
- Reporting of significant incidents (an early warning within 24 hours under NIS2; 72 hours under the UK NIS Regulations)
ISO 27001 certification
Whilst not mandatory, ISO 27001 certification significantly strengthens your application and often qualifies for 10–20% premium discounts. It demonstrates a comprehensive, documented information security management system with independent audit, and insurers will usually ask for the certificate's scope statement to confirm it covers the systems that matter.
FCA requirements (financial services)
If you're a regulated financial services firm, the FCA requires operational resilience (PS21/3: identified important business services with impact tolerances and scenario testing), incident reporting, and specific security standards. Insurers require documentation of FCA compliance, which significantly affects underwriting.
Important controls (expected by most UK insurers)
Without these, you're unlikely to be flat-out declined, but they're strongly expected and will improve your premium.
Privileged Access Management (PAM)
Separate admin accounts from regular user accounts, and never use admin accounts for email or browsing. Keep privileged credentials in a vault rather than in shared spreadsheets. Implement just-in-time (JIT) access so standing admin rights are the exception. Log and monitor all privileged access.
Network segmentation
Don't keep everything on a flat network. Separate user, server and management networks, isolate critical assets and backup infrastructure behind firewall rules, and limit lateral movement by blocking workstation-to-workstation traffic and direct RDP/SMB from user segments to servers.
Incident response plan
A documented plan covering roles, escalation procedures, containment, communication, recovery timelines, and regulatory notifications (especially ICO notification for GDPR breaches). Test annually via tabletop exercises.
Vulnerability scanning
Regular internal and external scans, quarterly at minimum, with evidence that findings are tracked to closure. Insurers may conduct their own external scans during underwriting, so scan your internet-facing estate yourself first and fix what they will find.
Encryption
Data at rest (full-disk encryption on laptops and servers, encrypted databases and backups, with keys held separately from the data) and in transit (TLS 1.2 or later; SSL and TLS 1.0/1.1 are deprecated and will be flagged by external scans).
Logging and monitoring
Collect logs from critical systems (identity provider, firewalls, EDR, email, servers) into a SIEM or cloud-based log aggregation store that an attacker with domain admin cannot wipe. Retain for at least 90 days (1+ year preferred); insurers care because a claim without logs cannot establish when the intrusion began or what data left.
Advanced controls (significant premium reduction)
- 24/7 Security Operations Centre (SOC) or Managed Detection and Response (MDR)
- Zero trust architecture
- Third-party risk management programme
- Cyber risk quantification
- Annual penetration testing
- Data Loss Prevention (DLP)
- Identity governance and access reviews
UK broker application process
Step 1: Initial proposal form
Detailed questionnaire covering your business, employees, data types, regulatory compliance status, and security posture. Be thorough and honest.
Step 2: Compliance documentation
Insurers will request:
- Evidence of Cyber Essentials or ISO 27001 (if applicable)
- GDPR compliance documentation (DPIAs, processing agreements)
- ICO registration confirmation
- Incident response plan and tabletop test results
- Security training records
Step 3: External security assessment
Many insurers conduct external vulnerability scans of your internet-facing estate and check for exposed remote-access services (RDP, VPN appliances), expired or soon-to-expire certificates, deprecated TLS versions, missing security headers, and weak or absent SPF/DMARC records. Fix anything on that list before you apply rather than after the underwriter raises it.
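Two of the cheapest things to check before the insurer does are the HTTP security headers on your public sites and how long your certificates have left. The following is an added example, not code from the page or from any scanning vendor; the response headers and certificate dates are constructed, and the header thresholds are the example's own assumptions about what a scan flags. To use it live you would fetch the headers with urllib and read notAfter from the TLS socket's getpeercert().

```python
"""Flag missing or weak security headers and short certificate lifetimes."""
from datetime import datetime, timezone

ONE_YEAR = 31536000  # seconds, the usual HSTS max-age floor (assumption)
PRESENCE_ONLY = ("content-security-policy", "x-frame-options", "referrer-policy")
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")

# Constructed sample responses (not real hosts).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}
WEAK_HEADERS = {
    "Server": "Apache/2.4.29",
    "X-Powered-By": "PHP/7.2.24",
    "Strict-Transport-Security": "max-age=300",
}


def hsts_max_age(value):
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def assess_headers(headers):
    """Return findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"strict-transport-security max-age below one year: {hsts}")
    for name in PRESENCE_ONLY:
        if name not in h:
            findings.append(f"missing {name}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("x-content-type-options not set to nosniff")
    for name in DISCLOSING:
        # A bare product name is common; a version number is what gets flagged.
        if name in h and any(c.isdigit() for c in h[name]):
            findings.append(f"{name} discloses software version: {h[name]}")
    return findings


def cert_status(not_after, now=None, warn_days=30):
    """Classify a certificate by its notAfter (timezone-aware datetimes)."""
    now = now or datetime.now(timezone.utc)
    remaining = (not_after - now).days
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


if __name__ == "__main__":
    print(assess_headers(GOOD_HEADERS))
    for f in assess_headers(WEAK_HEADERS):
        print("-", f)
    print(cert_status(datetime(2026, 5, 1, tzinfo=timezone.utc),
                      now=datetime(2026, 4, 15, tzinfo=timezone.utc)))
```

A version string in Server or X-Powered-By is flagged rather than the header itself: it is what lets a scanner (or an attacker) match the host against known vulnerable releases, and it usually signals that the patching evidence from earlier in the application will be checked against it.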
Step 4: Broker consultation
Larger accounts typically have a call with the underwriter to discuss the security programme, incident history, and regulatory compliance. Expect questions that test whether the proposal form answers are real: who receives the EDR alerts at 2am, when the last restore test was run, and how many admin accounts exist.
Timeline
- Small businesses: 2–4 weeks
- Mid-market: 4–10 weeks
- Enterprise: 8–14 weeks
Common reasons for declined applications in the UK
- No MFA in place
- No EDR deployed
- No evidence of backup testing
- Previous data breach or ransomware incident not disclosed to the insurer (non-disclosure can also void a policy after it is bound)
- Non-compliance with UK GDPR (no DPIAs, no breach procedures)
- Not registered with ICO (when required)
- Flat network with no segmentation
- No incident response plan
- Multiple claims in past 3 years
- Operating critical infrastructure with no readiness for the UK NIS Regulations (or NIS2, where EU customers require it)
Cyber insurance requirements checklist for the UK
Below is your complete checklist for UK underwriting.
| Control | Description | Priority |
|---|---|---|
| Multi-factor authentication (MFA) | MFA on all remote access, email, cloud services, admin accounts | Essential |
| Endpoint detection and response (EDR) | Advanced endpoint protection with continuous monitoring | Essential |
| Email security | DMARC/DKIM/SPF, anti-phishing, spam filtering | Essential |
| Backup and recovery (3-2-1) | Tested, documented backups with offline/immutable copy | Essential |
| Patch management | Critical patches within 30 days, documented process | Essential |
| Security awareness training | Quarterly+, documented, with phishing simulations | Essential |
| Cyber Essentials or Cyber Essentials Plus | Certification preferred; some insurers require or discount for it | Important |
| UK GDPR compliance documentation | DPIAs, processing agreements, breach procedures, ICO notification within 72 hours | Important |
| ICO registration and compliance | Registered with ICO (where applicable), compliant with ICO guidance | Important |
| Privileged access management (PAM) | Separate admin accounts, JIT access, logging | Important |
| Network segmentation | Isolate critical systems, restrict lateral movement | Important |
| Incident response plan | Documented, tested annually via tabletop | Important |
| Vulnerability scanning | Internal and external scans (quarterly+) | Important |
| Encryption | Data at rest (disk, database, backups) and in transit (TLS 1.2+) | Important |
| Logging and monitoring | SIEM or log aggregation, 90+ day retention | Important |
| UK NIS Regulations / NIS2 readiness (if critical infrastructure) | Risk assessments, incident response, supply chain security, incident reporting (24 hours under NIS2, 72 hours under UK NIS) | Important |
| ISO 27001 certification | Comprehensive information security management system | Advanced |
| 24/7 SOC or MDR | Continuous threat hunting and response | Advanced |
| Zero trust architecture | "Never trust, always verify" approach | Advanced |
| Penetration testing | Annual or biannual third-party assessments | Advanced |
Next steps
Ready to apply for cyber insurance in the UK? Get matched with a specialist broker who understands UK GDPR, Cyber Essentials, the NIS Regulations, and UK regulatory expectations.
Ready to get covered in the UK?
Tell us about your business and we'll match you with a specialist UK cyber insurance broker.
Last updated: April 2026