Why cyber insurance readiness matters
Cyber insurance is increasingly common—and underwriters are tightening requirements. At renewal, insurers ask for evidence of governance, technical controls, compliance, and incident readiness. Gaps are common; the goal is to close them in a planned way and document progress for your broker or insurer.
What insurers typically want to see
Governance — Board-level ownership of cyber risk; regular review of policies and incident response; documented risk appetite and treatment. Evidence: board minutes, risk register, policy review dates.
Technical controls — MFA on all cloud and remote access; patching and vulnerability management; backup and restore tested; EDR or equivalent where appropriate. Evidence: policy or config plus sample evidence (e.g. MFA report, backup test record).
Compliance — Cyber Essentials or equivalent; alignment with NCSC/industry guidance. Evidence: certificate or gap-tracked plan.
Incident readiness — Documented and tested incident response plan; known escalation path and key contacts (internal, insurer, legal, comms). Evidence: plan, tabletop record, contact list.
Third parties — Awareness of key supplier risk and contract terms (e.g. breach notification, liability). Evidence: vendor register or due diligence summary.
How to use this as a pre-renewal checklist
Use this list 2–3 months before renewal. For each area, ask: "Can we evidence this?" If not, plan to close the gap and document progress. Insurers prefer a clear plan and evidence of improvement over vague assurances.
Common gaps that delay or limit cover
MFA not enforced on all remote access; untested backup/restore; no incident response test in the last 12 months; no Cyber Essentials or equivalent; no board-level visibility of cyber risk.