What the New UK Cyber Insurance Requirements Mean for SMEs

Cyber insurers are tightening requirements. They now expect SMEs to demonstrate strong identity governance, consistent MFA enforcement, and clear evidence of access reviews. This shift reflects a growing recognition that identity failures—not technical vulnerabilities—drive most claims.

SMEs that cannot demonstrate governance will face higher premiums, reduced coverage, or outright denial. Insurers want proof that organisations understand their identity surface and can justify their decisions.

AISF provides the evidence layer insurers look for. It documents policy changes, access decisions, and identity behaviour in a defensible format. SMEs that adopt identity-first governance will be better positioned to secure affordable coverage.

The changing cyber insurance landscape

Cyber insurance was once a simple product. Organisations paid a premium, and if they were breached, the insurer paid the costs. Premiums were relatively stable. Underwriting was straightforward.

Those days are over.

Rising losses

Cyber insurance losses have skyrocketed. The average cost of a data breach in the UK now exceeds £3 million. Ransomware payments have reached millions of pounds. Business interruption costs can be devastating.

Insurers are responding. Premiums have increased dramatically. Coverage has been reduced. Underwriting has tightened.

Claims analysis

Insurers have analysed thousands of claims. What they've found is striking: most breaches aren't caused by sophisticated attacks or zero-day vulnerabilities. They're caused by identity failures.

Common claim scenarios:

• Phishing leads to compromised credentials
• Attackers use valid accounts to access systems
• Dormant accounts provide entry points
• Excessive permissions enable data exfiltration
• Lack of MFA allows lateral movement

The root cause is almost always identity-related. And that means identity governance is the control that matters most.

The new requirements

Cyber insurers are now requiring evidence of identity governance as a condition of coverage:

MFA enforcement

Insurers want to see:

• MFA enabled on all user accounts
• MFA enforced on all systems containing sensitive data
• Phishing-resistant MFA methods (FIDO2, authenticator apps) preferred
• Exceptions documented and minimal

If you can't demonstrate MFA coverage, expect higher premiums or coverage denial.

Identity governance

Insurers want to see:

• Documented access review processes
• Evidence that reviews are conducted regularly
• Clear ownership of identity management
• Processes for joiner/mover/leaver handling

If you can't demonstrate governance, insurers will assume you have gaps—and price accordingly.

Access visibility

Insurers want to see:

• Ability to enumerate all accounts across systems
• Understanding of who has privileged access
• Monitoring for dormant accounts
• Ability to revoke access quickly

If you can't demonstrate visibility, you'll be seen as higher risk.

Incident response

Insurers want to see:

• Documented identity-related incident response procedures
• Ability to disable accounts quickly
• Ability to investigate account compromise
• Evidence of previous incident handling

If you can't demonstrate response capability, expect coverage gaps.

The compliance gap

Most SMEs are not prepared for these requirements. Here's why:

Visibility gaps

SMEs often don't know what identity infrastructure they have. They might know about their main systems, but not about:

• All SaaS tools with company data
• Service accounts and API integrations
• Contractor and partner accounts
• Dormant accounts from former employees

This lack of visibility means they can't demonstrate control.

Governance gaps

SMEs often lack formal identity governance processes:

• Access reviews happen ad-hoc or not at all
• Joiner/mover/leaver processes are manual and incomplete
• Policy exceptions are not tracked
• Documentation is minimal

This means even well-intentioned SMEs can't demonstrate governance to insurers.

Evidence gaps

Even SMEs that do things right often can't prove it:

• No documentation of access reviews
• No evidence of policy enforcement
• No audit trails of identity changes
• No baseline of normal behaviour

Without evidence, insurers assume the worst.

The cost of non-compliance

SMEs that can't meet new requirements face:

Higher premiums

Insurers are pricing for risk. If you can't demonstrate identity governance, you'll pay more—often 50-100% more than comparable organisations that can demonstrate controls.

Reduced coverage

Some insurers are reducing coverage for organisations that can't meet requirements. You might get coverage, but with exclusions for identity-related incidents.

Coverage denial

Some insurers are declining to cover organisations with significant gaps. If you can't demonstrate basic identity governance, you might not be able to get coverage at all.

Claims denial

The most concerning trend: insurers are increasingly denying claims when organisations lack required controls. If you're breached and didn't have MFA enforced as required, your claim might be denied.

This is a significant shift. Previously, insurers rarely investigated whether policyholders had implemented required controls. Now they're actively checking.

What SMEs need to do

The solution isn't to avoid cyber insurance. It's to meet the requirements.

Assess your current state

Start by understanding where you stand:

• What identity systems do you have?
• What's your MFA coverage?
• When were access reviews last conducted?
• What documentation exists?

Implement required controls

Address gaps systematically:

• Enable MFA everywhere
• Implement access review processes
• Document policies and exceptions
• Create audit trails

Generate evidence

Document everything:

• Access review reports
• Policy change logs
• MFA enforcement evidence
• Incident response procedures

Get evaluated

Consider third-party security assessments:

• Cyber Essentials certification
• ISO 27001 certification
• SOC 2 reports
• Identity-specific assessments

Third-party validation carries weight with insurers.

How AISF helps

AISF provides the identity governance layer that insurers are looking for:

Continuous visibility

AISF continuously maps identities across all your systems—on-prem, cloud, and SaaS. You'll always know what accounts exist and what access they have.

Automated evidence

AISF automatically generates evidence of governance:

• Access review documentation
• Policy enforcement evidence
• MFA coverage reports
• Audit trails

Compliance reporting

AISF produces reports mapped to common frameworks, making it easy to demonstrate compliance to insurers.

Risk scoring

AISF continuously scores identity risk, helping you prioritise remediation and demonstrate security posture improvement.

With AISF, you can demonstrate identity governance—not just claim to have it.

The path forward

The new cyber insurance requirements are here to stay. Insurers have recognised that identity failures drive most breaches, and they're demanding evidence of identity governance.

SMEs that adapt will benefit from:

• Lower premiums
• Broader coverage
• Stronger security posture
• Better negotiating position

SMEs that don't adapt will face:

• Higher premiums
• Coverage gaps
• Claims denial
• Increased risk

The choice is clear. The time to act is now.