Cyber Insurance Renewal Checklist

47 question cyber insurance renewal checklist for SMEs: MFA, backup testing, EDR, Cyber Essentials v3.3

Cyber Insurance Readiness

Cyber Insurance Renewal Checklist: 47 Questions That Could Increase Your Premium or Block Cover

Cyber insurance renewal forms are becoming more demanding. For many SMEs, the uncomfortable moment now comes when the insurer asks for evidence that basic security controls are genuinely in place.

Renewal Pressure

Why cyber insurers are asking harder questions

Cyber insurance used to feel like a financial safety net. For many SMEs, the renewal process now feels much closer to a cyber security audit.

Insurers are no longer satisfied with broad statements such as “we have antivirus”, “our IT company handles that”, or “we back everything up”. Renewal forms increasingly ask for detailed answers about how your systems are protected, who monitors them, how quickly you patch, whether staff are tested, and whether your backups would survive a ransomware attack.

The issue is not whether your organisation has an IT provider. The issue is whether your leadership team can stand behind the answers being given to the insurer.

Cyber insurance readiness: the ability to answer an insurer’s security questions with confidence, evidence, and operational clarity before renewal paperwork lands. It is not the same as having cyber insurance. It is the work that makes cover easier to obtain, defend, and rely on.

Insurer forms are moving from promises to proof. If you answer “No”, “Partial”, or “Unsure” to key questions, that can affect your premium, cover limits, exclusions, or your ability to secure cover at all.

Context

This tightening should not surprise any SME leader

The UK Government’s Cyber Security Breaches Survey 2025 showed that 43% of UK businesses experienced a cyber breach or attack in the previous 12 months. That is around 612,000 businesses. Phishing remains the most common form of attack by a clear margin.

The uncomfortable part is that phishing is getting harder to spot. AI tools mean fraudulent emails can now be grammatically clean, accurately branded, and written in the correct business context. The old advice about looking for spelling mistakes and odd formatting is no longer enough.

Insurers are responding to that reality. They want to know whether your organisation can prevent, detect, contain, and recover from common attacks. That means they are looking closely at MFA, endpoint monitoring, email security, backup testing, staff training, privileged access, and incident response planning.

Change

What renewal forms are asking now

Recent renewal forms ask questions that reach across IT, finance, HR, operations, supplier management, and leadership governance. They do not simply ask whether you have security controls. They ask how those controls are configured, monitored, tested, and evidenced.

| Insurer question | What they are really testing | Why weak answers matter |
| --- | --- | --- |
| Is MFA required for all remote access? | Can attackers log in with stolen passwords? | No MFA on remote access is one of the clearest warning signs for underwriters |
| Is MFA required for cloud resources? | Are Microsoft 365, finance, HR, CRM, and file systems protected? | Cloud compromise is one of the fastest routes to data theft and invoice fraud |
| Is EDR deployed on all endpoints? | Can you detect and respond to active compromise? | Standard antivirus is no longer enough for many insurer expectations |
| Are backups air-gapped or immutable? | Could you recover if ransomware encrypted live systems? | Connected backups can be encrypted alongside live data |
| Do you test full restoration? | Do your backups actually work under pressure? | Untested backups create false confidence and delay recovery |
| Do you simulate phishing attacks? | Are people prepared for realistic social engineering? | Phishing is still the most common route into businesses |
| Do you have end-of-life software? | Are known weaknesses still present in the estate? | Unsupported software can create exclusions, remediation demands, or higher premiums |
| Do you verify payment changes through another channel? | Can your finance process resist invoice fraud and impersonation? | Financial fraud controls are often assessed separately from technical controls |

The pattern is clear. Cyber insurance is no longer there to compensate for weak cyber security. It increasingly expects evidence of strong cyber security before cover begins.

Analysis

The questions that expose most gaps

In our experience working with North East businesses on cyber insurance readiness, certain questions consistently surface gaps that leadership was not aware of.

Backup testing

The most common gap. Organisations that back up regularly often discover, under examination, that they have never tested a full restoration. Backing up and recovering are different things. Insurers now ask for both.

MFA on cloud services

The second most common gap. Many businesses have MFA on their main email account but have not extended it to finance platforms, HR systems, or newer SaaS tools. Under Cyber Essentials v3.3, MFA is mandatory on all cloud services where it is available.

End-of-life software

A gap that often comes as a surprise. A machine running Windows 10 past its support date, or a server running an unsupported version of a database, can create an exclusion or a specific remediation demand in your policy.

Privileged access

Privileged access controls reveal governance gaps quickly. If the answer to “who has administrator access to your systems?” is “we are not sure” or “most of us”, that is a significant concern for underwriters.

Trust

Why evidence matters more than reassurance

The shift underwriters have made is from accepting statements to requiring evidence. “We have antivirus” is a statement. A named EDR product, an active licence confirmation, and a monitoring process is evidence.

This matters because a claim at the point of an incident will be reviewed against the answers given at renewal. If you stated that backups were tested and they were not, that can affect whether a claim is paid.

The organisations that navigate renewal well are not necessarily the ones with perfect security. They are the ones who can answer clearly, consistently, and with supporting documentation.

Update

How Cyber Essentials v3.3 changes the baseline

Cyber Essentials v3.3 came into force on 27 April 2026. It raises the baseline that many insurers are now using as a reference point.

The key changes relevant to renewal readiness:

  • MFA is now mandatory on all cloud services where available. This includes Microsoft 365, file storage, finance platforms, and AI tools that process organisational data.
  • AI tools such as Microsoft Copilot and similar products cannot be excluded from scope. If they process organisational data, they are in scope.
  • The 14-day patching requirement now applies to any vulnerability scoring 7 or above on the CVSS v3 severity scale.
  • Director or owner sign-off is required before a Cyber Essentials submission is made.

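The 14-day patching rule above is easy to state and hard to evidence. The following script is an added illustration, not part of the original article or Bondgate IT’s tooling: it takes a constructed list of vulnerability findings and reports which ones breach the Cyber Essentials v3.3 window (CVSS v3 score of 7.0 or above, patched within 14 days). It assumes the vendor’s update release date starts the clock, and the CVE identifiers in the sample are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds as stated in the article: CVSS v3 score 7.0 or above must be
# patched within 14 days under Cyber Essentials v3.3.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                 # placeholder identifiers below, not real advisories
    cvss_v3: float
    update_released: date    # assumption: vendor fix release date starts the clock
    patched_on: Optional[date]  # None means the finding is still open


def in_scope(f: Finding) -> bool:
    """A finding is subject to the 14-day rule when its score is 7.0 or higher."""
    return f.cvss_v3 >= CVSS_THRESHOLD


def deadline(f: Finding) -> date:
    """Last acceptable patch date: release date plus the 14-day window."""
    return f.update_released + timedelta(days=PATCH_WINDOW_DAYS)


def breaches_window(f: Finding, today: date) -> bool:
    """True if an in-scope finding was, or still is, open past its deadline."""
    if not in_scope(f):
        return False
    closed = f.patched_on if f.patched_on is not None else today
    return closed > deadline(f)  # patching on the deadline day itself is compliant


def overdue_report(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """(host, cve, days past deadline) for every breach, worst first."""
    rows = []
    for f in findings:
        if breaches_window(f, today):
            closed = f.patched_on if f.patched_on is not None else today
            rows.append((f.host, f.cve, (closed - deadline(f)).days))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data; the "report date" is fixed so results are reproducible.
SAMPLE_TODAY = date(2026, 6, 1)
SAMPLE = [
    Finding("FIN-PC-01", "CVE-PLACEHOLDER-1", 9.8, date(2026, 5, 1), None),                 # still open, overdue
    Finding("HR-PC-02", "CVE-PLACEHOLDER-2", 7.0, date(2026, 5, 10), date(2026, 5, 24)),   # patched on deadline day
    Finding("SRV-01", "CVE-PLACEHOLDER-3", 7.2, date(2026, 5, 2), date(2026, 5, 20)),      # patched four days late
    Finding("RCPT-PC", "CVE-PLACEHOLDER-4", 5.3, date(2026, 4, 1), None),                  # below threshold, out of scope
]

if __name__ == "__main__":
    for host, cve, over in overdue_report(SAMPLE, SAMPLE_TODAY):
        print(f"{host}: {cve} is {over} day(s) past the 14-day window")
```

Feed it an export from your patch management or vulnerability scanning tool and the output is the kind of dated, specific evidence an underwriter can accept, rather than “we patch regularly”.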
If your organisation holds Cyber Essentials certification, that certification may already be acting as positive evidence for your insurer. If it does not, now is a reasonable time to understand what gap analysis would reveal before renewal lands.

Action

What to do before renewal lands

The businesses that find renewal straightforward are the ones that treat readiness as an ongoing operational state, not a form-filling exercise.

Practical steps to take before your renewal window:

  • Work through the 47 questions in the checklist and mark honestly: Yes, Partial, No, or Unsure.
  • For every answer that is not a clear Yes, identify the action needed and the person responsible.
  • Prioritise MFA coverage, backup testing, and patching currency. These are the areas underwriters weight most heavily.
  • Document what you have. A written policy, a recent test result, a named product with an active licence are all forms of evidence.
  • If you have Cyber Essentials, confirm it is current. If you do not, consider whether a gap analysis would be a practical preparatory step.
  • Speak to your IT provider before your broker. If your provider cannot give you clear answers to the questions in the checklist, that is itself a gap worth addressing.

Partnership

How Bondgate IT can help

Bondgate IT has supported North East businesses through cyber insurance renewals, supplier security questionnaires, and Cyber Essentials certification since 1998. We hold ISO 27001 certification for our own operations, which means we operate to the same standard we help clients achieve.

Our cyber insurance readiness work typically covers:

  • A structured review against the questions insurers are currently asking
  • Gap identification across MFA, endpoint protection, backup testing, email security, and access controls
  • A plain-English summary that leadership can use directly with their broker or underwriter
  • Remediation support for any gaps identified, with clear ownership and timelines
  • Cyber Essentials certification support if that is appropriate for your situation

If your renewal is approaching, or if you simply want to know where you stand before it does, the right place to start is a conversation.

FAQs

Frequently asked questions

How far in advance should we start preparing for cyber insurance renewal?

Start at least 90 days before your renewal date. If gaps are identified, remediation takes time. Some actions, such as backup testing or MFA rollout, require scheduling and change management. Leaving it to the week before the form arrives removes your ability to address anything meaningful.

What happens if we answer honestly and admit gaps?

Honesty is the correct approach. Insurers are reviewing claims against the answers given at renewal. A gap identified before renewal can be remediated or disclosed with context. A gap discovered at claim stage, after a “Yes” was recorded, is a materially different situation.

Does having Cyber Essentials certification improve our renewal outcome?

In most cases, yes. Cyber Essentials demonstrates that the five foundational controls have been independently verified. Many insurers now reference Cyber Essentials explicitly in their renewal questions, and a current certificate provides documented evidence rather than a statement. If you do not hold the certification, a recent gap analysis can serve a similar purpose as preparatory evidence.

Our IT provider says everything is covered. Is that enough?

It depends on what “covered” means and whether there is evidence to support it. Insurers are asking for specifics: named products, tested processes, documented policies, and confirmation of MFA coverage across all relevant services. A reassurance from your IT provider is a starting point, not a final answer. You need to be able to stand behind the answers on the form yourself.

What is the biggest mistake businesses make at renewal?

Answering based on assumption rather than evidence. The most common scenario is a business that believes controls are in place because they pay for managed IT, but has never confirmed whether backups are tested, which accounts have MFA, or whether any end-of-life software is still running. The form asks what you know, not what you hope is true.

Ready to get a clear answer

Download the free checklist

47 readiness questions, built from real renewal forms. Use it before your insurer calls.

Bondgate IT. ISO 27001 certified. Cyber Essentials certified. Serving North East businesses since 1998.
Phone: 01325 369 950 | Web: bondgate.co.uk
