The renewal email lands in March: your cyber insurance broker needs the security questionnaire back in ten working days, and the underwriter has added forty new questions since last year. Multi-factor authentication evidence. Privileged access management. EDR coverage percentages. Backup immutability. Third-party risk register. Incident response testing dates. The form is no longer a formality — it is the underwriting decision.
Cyber insurance underwriting has tightened every year since the ransomware surge of 2020-2021, and 2026 applications are the most forensic yet. Lloyd's Market Bulletin Y5381 (November 2022) reshaped how syndicates treat state-backed cyber events, and the downstream effect is that primary insurers now demand granular control evidence before they price the risk. Coalition, Beazley, CFC, Hiscox, AIG and the London market all run their own questionnaires, but the control gaps that trigger premium hikes — or outright refusal — are remarkably consistent.
Our team has walked dozens of UK SMEs and mid-market firms through these applications. The pattern is clear: the firms that fail are not the ones with weak security overall — they are the ones that cannot evidence the specific controls insurers care about. Below are the seven gaps we see most often, and what to do about each before your next renewal.
1. MFA coverage that stops at the perimeter
Underwriters no longer accept "yes, we have MFA." They want to know which systems, which user populations, and which authentication factors. The question on most 2026 questionnaires reads something like: "Is MFA enforced on all remote access, all privileged accounts, all email, and all administrative access to cloud platforms and security tools?" A single "no" against any of those four categories can move you into a higher premium band or trigger a sub-limit on ransomware cover.
The common failure is administrative access to SaaS platforms — Microsoft 365 Global Admin, AWS root, Google Workspace super admin, GitHub organisation owners, the firewall management console. Firms enforce MFA for end users but leave break-glass admin accounts on password-only or SMS. SMS as a second factor is now treated as inadequate by most underwriters; they want app-based or FIDO2 hardware tokens for privileged accounts.
Fix this before applying. Pull a report from your identity provider showing MFA enforcement per application and per user group. If you cannot produce that report in under an hour, you have a visibility problem the underwriter will spot in the follow-up call.
2. Privileged access without separation or monitoring
Insurers want to see that domain admins, cloud root accounts, and service accounts with elevated permissions are separated from daily-use accounts, time-bound where possible, and logged. The questionnaire will ask about Privileged Access Management (PAM) tooling, just-in-time elevation, and review cadence for standing privileges.
Smaller firms often answer "we have a small IT team, everyone needs admin." That answer alone can knock you out of preferred pricing. The fix does not require a £100k PAM deployment. For most SMEs, the practical baseline is: separate admin accounts (never the same login as email), no standing Global Admin in Microsoft 365 (use Privileged Identity Management for just-in-time elevation), and a quarterly review of who holds privileged roles with sign-off from the senior management team.
3. EDR that does not cover every endpoint
"Do you have endpoint detection and response deployed on 100% of servers and 100% of endpoints?" The honest answer for most firms is no — there is always a legacy server, a developer's Linux box, a printer-attached PC, or a branch-office machine that slipped through. Insurers will accept 95%+ if you can name the exceptions and explain the compensating controls. They will not accept "we think it's everywhere."
Run an asset reconciliation: compare your EDR console's installed-agent list against your authoritative asset inventory (or your Active Directory/Intune device list). Document the deltas. Underwriters reward firms that show they know what they own and where the gaps are — far more than firms that claim perfection.
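The reconciliation described above, as an added example that is not part of the original article or any vendor's tooling: two constructed CSV exports (an Intune/AD-style device list and an EDR console agent list, with assumed column names) are joined on a normalised hostname to produce the coverage percentage and the three deltas an underwriter will ask about.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a real vendor format.
ASSET_INVENTORY_CSV = """hostname,owner,role
LON-DC01.corp.example,IT,domain controller
LON-FS01.corp.example,IT,file server
lon-dev-linux-03,Engineering,developer workstation
LON-PRINT-PC,Facilities,printer host
MAN-LT-0042.corp.example,Sales,laptop
"""

EDR_AGENTS_CSV = """device_name,last_seen_days,sensor_version
lon-dc01,0,7.12
LON-FS01,1,7.12
MAN-LT-0042,2,7.11
LON-OLD-SQL,45,6.90
"""


def normalise(name: str) -> str:
    """Tools disagree on FQDN vs short name and on case; compare on a short lower-cased form."""
    return name.strip().lower().split(".")[0]


def reconcile(inventory_csv: str, edr_csv: str, stale_after_days: int = 7) -> dict:
    """Return the coverage percentage plus: inventoried devices with no agent,
    agents on devices the inventory does not know about (shadow assets), and
    agents that have stopped checking in (installed but not protecting)."""
    inventory = {normalise(r["hostname"]): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    agents = {normalise(r["device_name"]): r for r in csv.DictReader(io.StringIO(edr_csv))}
    uncovered = sorted(h for h in inventory if h not in agents)
    unknown = sorted(h for h in agents if h not in inventory)
    stale = sorted(h for h, r in agents.items() if int(r["last_seen_days"]) > stale_after_days)
    covered = len(inventory) - len(uncovered)
    return {
        "coverage_pct": round(100.0 * covered / len(inventory), 1),
        "uncovered": uncovered,
        "unknown_to_inventory": unknown,
        "stale_agents": stale,
    }


if __name__ == "__main__":
    report = reconcile(ASSET_INVENTORY_CSV, EDR_AGENTS_CSV)
    print(f"EDR coverage: {report['coverage_pct']}% of inventoried assets")
    for key in ("uncovered", "unknown_to_inventory", "stale_agents"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
```

The "uncovered" list is the exceptions register the underwriter wants named, with a compensating control written against each entry.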
The EDR product matters too. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint (P2), Sophos Intercept X, Huntress — all acceptable to most carriers. Traditional signature-based antivirus on its own is increasingly flagged as inadequate.
4. Backups that ransomware can reach
The backup question on 2026 applications has three parts: are backups encrypted, are they immutable or air-gapped, and have you tested restoration within the last twelve months? A "yes, yes, yes" with evidence is the answer underwriters want.
The failures we see most often:
- Backup admin credentials shared with the same domain admin account that runs daily IT — meaning a compromised admin can delete backups
- Cloud backups in the same tenant as production, with no separate identity boundary
- No documented restoration test in the last year, or a test that only covered file recovery and not full system rebuild
- Backup retention shorter than the typical ransomware dwell time (60-90 days minimum is now expected)
Document your last restoration test with date, scope, recovery time achieved, and sign-off. Attach it to the application. This single piece of evidence often moves applications from "referred" to "quoted."
5. Email security without DMARC enforcement
Business email compromise remains the highest-frequency claim driver in the London market. Underwriters now ask specifically about SPF, DKIM, and DMARC — and whether DMARC is set to p=reject or still on p=none. They also ask about email filtering for malicious attachments and links, banner warnings on external email, and training programmes.
DMARC on p=none tells the underwriter you have configured the record but are not enforcing it. Move to p=quarantine at minimum, with a plan and timeline to reach p=reject. Use a DMARC reporting tool (Dmarcian, EasyDMARC, Valimail) to handle the report aggregation. This is a low-cost, high-signal control that materially affects pricing.
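An added example, not from the original article, that reads a DMARC TXT record the way a questionnaire reviewer does: it checks whether the policy is enforcing, whether enforcement applies to 100% of failing mail and to subdomains, and whether aggregate reports are being collected. The records are constructed; the code does no DNS lookups.

```python
# Constructed records for three domains, used as input; no DNS queries are made.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50"
ENFORCED = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; split on the first '=' only so
    'rua=mailto:...' keeps its value intact."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy, whether it counts as enforcing, and findings
    a reviewer would raise: p=none, pct<100, weaker subdomain policy, no rua."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforcing": False, "findings": ["not a valid DMARC record"]}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))           # default 100 per RFC 7489
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: acceptable interim step; plan the move to p=reject")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains weaker than the organisational domain")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "subdomain_policy": subdomain_policy, "pct": pct,
            "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for name, record in (("monitor-only", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)):
        result = assess_dmarc(record)
        print(f"{name}: enforcing={result['enforcing']} findings={result['findings']}")
```

The second record shows why "p=reject" on its own is not the full answer: a pct below 100 or an sp tag weaker than p leaves gaps an underwriter's follow-up call will find.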
6. Third-party risk that lives only in your head
Since the Blackbaud, Kaseya, MOVEit and Snowflake-related incidents, supply-chain questions have moved from optional to mandatory. Underwriters want a vendor register, a risk classification, and evidence that critical vendors are reviewed. The UK's Cyber Security and Resilience Bill — currently progressing through Parliament — will sharpen supply-chain expectations further for designated organisations.
You do not need a sophisticated GRC platform. A spreadsheet listing each vendor that processes personal data or has access to your environment, classified by criticality, with the date of last review and the contract clauses covering security, is enough for most SME applications. What is not enough: "we trust our suppliers."
For firms pursuing ISO 27001 certification, supplier management (Annex A.5.19-5.23 in the 2022 revision) gives you the framework the underwriter expects to see.
7. Incident response plans that have never been tested
"Do you have a written incident response plan? When was it last tested?" If your answer to the second question is "we haven't" or "during a real incident," your premium will reflect it. Underwriters want to see a tabletop exercise within the last twelve months, with named participants including senior leadership, and documented lessons learned.
A tabletop does not need to be expensive. A two-hour facilitated scenario walkthrough — ransomware on a critical server, BEC with attempted invoice fraud, data exfiltration discovered by a customer — with the senior management team, IT lead, legal counsel and communications lead in the room, is sufficient. Document attendance, the scenario, decisions made, and three improvement actions. That document is gold during application.
How Pyralink helps
Pyralink Innovation Ltd works with UK firms preparing for cyber insurance renewals and first-time applications. Our consultants — led by Michael Adedeji (CISM, CISA, CC, MSc Data Science) — review the underwriter's questionnaire alongside your current control evidence and identify the specific gaps that will cost you on pricing or trigger referral to senior underwriting.
For ongoing support, our fractional vCISO service (from £497/month) gives you a named security leader who owns the insurance relationship, runs the annual tabletop, and maintains the evidence library underwriters ask for. For cloud-heavy environments, CloudAuditX produces the AWS, Azure and Google Cloud control evidence directly from your tenants — MFA enforcement, privileged role inventory, backup configuration, logging coverage — in the format insurers accept. More guidance is available across our insights, and you can baseline your current posture using the free compliance scanner.
Pyralink holds £5M professional indemnity insurance and works with organisations from pre-revenue startups to FCA-regulated firms preparing for their first cyber policy or defending a renewal against a hardening market.