Pass the questionnaire. Pay less. Sleep better.
Cyber insurance: what UK underwriters actually want
The control set that UK cyber-insurance underwriters score in 2026 — and how Letsma helps you tick every box.
Why cyber-insurance pricing has changed
UK cyber-insurance premiums roughly tripled between 2020 and 2024 as underwriters absorbed the ransomware payout boom. By 2026 the market has stabilised — but the price you pay (and whether you can get cover at all) is now closely tied to the technical controls you can evidence.
If you fill in next year’s renewal questionnaire with the same “yes, we have antivirus” answers as last year, expect either a 25-40% premium hike or an outright decline.
The eight controls underwriters score
1. MFA on all remote access and admin accounts
- Is MFA enforced for every user, including admins?
- Is it phishing-resistant (FIDO2 / passkey) for privileged accounts?
- Have you disabled legacy authentication?
2. Endpoint Detection and Response (EDR)
Traditional antivirus is no longer enough. Underwriters expect a managed EDR product — Microsoft Defender for Endpoint, SentinelOne, CrowdStrike — with centralised alerting.
3. Backups that can survive ransomware
Underwriters specifically test for the “3-2-1-1-0” rule:
- 3 copies of your data
- On 2 different media
- 1 offsite
- 1 immutable (cannot be deleted, even by an admin)
- 0 errors in restore testing
“We use OneDrive sync” is not a backup.
4. Patch management with evidence
Operating systems and applications must be patched within 14 days of a critical update being released, with reporting that proves it.
5. Network segmentation and email security
- Guest Wi-Fi isolated from staff Wi-Fi.
- Servers/critical kit on their own segment.
- DMARC enforced (p=quarantine or p=reject, not just p=none).
- Safe links and safe attachments enabled in Microsoft 365.
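As an added example (not Letsma's tooling or code from this page), a small Python check that classifies a domain's DMARC TXT record as enforced or monitor-only, which is the distinction the list above draws. The sample records are constructed; in practice the record is read from the `_dmarc.<domain>` TXT entry, and the `pct=` and `sp=` checks catch records that say "reject" but apply it to no mail or leave subdomains open.

```python
# Policies that count as "enforced" for a renewal questionnaire; p=none only monitors.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a tag dict.
    Tag names are lower-cased; values are kept as written."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforced(record: str) -> tuple:
    """Return (enforced, reason). Enforced means: valid v=DMARC1, p= is
    quarantine or reject, pct= (default 100) is non-zero, and the subdomain
    policy sp= (defaults to p=) is not none."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "missing or invalid v=DMARC1 tag"
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        return False, f"p={policy or 'missing'} does not enforce (needs quarantine or reject)"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) == 0:
        return False, f"pct={pct} applies the policy to no mail"
    sub = tags.get("sp", policy).lower()
    if sub not in ENFORCING:
        return False, f"sp={sub} leaves subdomains unenforced"
    return True, f"p={policy} sp={sub} pct={pct}"


# Constructed sample records (hypothetical domains) as they would appear at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "paper-reject.example": "v=DMARC1; p=reject; pct=0",
    "open-subdomains.example": "v=DMARC1; p=quarantine; sp=none",
}


def check_domains(records: dict) -> dict:
    """Evaluate every domain's record; the result is the evidence row for the questionnaire."""
    return {domain: dmarc_enforced(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (ok, why) in check_domains(SAMPLE_RECORDS).items():
        print(f"{domain:26} {'ENFORCED' if ok else 'NOT ENFORCED':13} {why}")
```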
6. Security awareness training
Quarterly phishing simulations plus a documented annual training programme.
7. Incident response plan (tested)
An IRP that exists in a Word doc nobody has read is worth nothing. Underwriters ask whether you’ve table-topped the plan in the last 12 months.
8. Privileged access management
Separate day-to-day accounts from admin accounts. Just-in-time admin elevation. Local admin rights removed from end-user laptops.
The questionnaire game
- “What percentage of your end-user devices are enrolled in a centrally managed EDR with 24/7 alerting?”
- “What was the date of your last tested backup restore?”
- “Have you had any administrative-account password reset in the last 90 days?”
- “List any third-party suppliers with access to your environment.”
How Letsma’s controls map to the questionnaire
| Insurer question | Evidence Letsma provides |
|---|---|
| MFA coverage | Entra ID sign-in report showing 100% MFA coverage |
| EDR coverage | Defender for Endpoint dashboard export |
| Backup test date | Monthly restore-test log |
| Patch compliance | Intune device compliance report |
| Phishing simulation results | Quarterly Attack Simulator / KnowBe4 report |
| IRP table-top date | Signed minutes from the last exercise |
| Privileged access controls | Entra ID PIM / Intune local-admin reports |
What it actually saves
- Typical premium reduction on a clean evidence pack vs. a vague one: 15–35%.
- Coverage caps raised (e.g. ransomware sublimit going from £100k to £500k).
- Excess reductions of £5k–£15k where MFA + EDR are evidenced.
For a typical Surrey SME paying £6,000/year for cyber cover, a 25% reduction recovers the cost of an entire annual managed-services contract.
“Letsma prepared our renewal pack and our premium dropped 32% with cover doubled. We invested some of the saving back into FIDO2 keys for the senior team.”
— Managing Partner, Horsham
Ready for your pre-renewal review?
Book a 60-minute review at least 6 weeks before your renewal date.
Book a pre-renewal review
Related reading: Cyber Security · Cyber Essentials made simple · Why MFA isn’t enough in 2026