Cyber Insurance Red Flags have moved from technical fine print to board-level commercial risk. A UK SME can still buy cyber cover in many cases, but insurers and brokers now ask much sharper questions before granting, renewing, or pricing coverage. The answers are no longer limited to turnover, sector, and claims history. They increasingly test whether the business has multi-factor authentication, endpoint detection and response, reliable backups, patching discipline, remote access controls, incident response planning, and evidence that these controls actually work.

That change should not surprise anyone who has watched the UK threat landscape. The Cyber Security Breaches Survey 2025 found that 43% of UK businesses identified a cyber breach or attack in the previous 12 months, with phishing still the most common attack type among affected organisations. The same survey found that only 40% of businesses had a requirement for two-factor authentication, 30% used user monitoring, and 23% had a formal incident response plan. Insurers can see the gap between claimed cyber maturity and operational reality.

The insurance market is reacting to that gap. The Association of British Insurers says that during cyber insurance applications, businesses may be asked whether they use and implement multi-factor authentication, whether they have anti-virus and firewall software, whether they regularly apply patches, whether their business continuity or disaster response plan covers cyber attacks, and whether backups are offline, disconnected, access-restricted, restorable, and tested. The National Cyber Security Centre’s cyber insurance guidance also warns that most policies are reassessed every 12 months and that if an organisation claims security measures are in place when they are not, the insurer may not be obliged to pay claims.

This makes Cyber Insurance Red Flags a practical readiness checklist, not a scare phrase. Missing controls can lead to declined quotes, higher premiums, lower limits, exclusions, larger excesses, or urgent remediation requests before a policy is bound. Even where cover is offered, weak evidence can make claims harder if a serious incident reveals that the application answers were inaccurate.

For SMEs, the best response is not to treat cyber insurance as a substitute for cyber security. NCSC guidance is clear that insurance will not prevent a breach, and that organisations are still expected to put adequate safeguards in place. The right approach is to build a defensible control baseline, keep evidence current, and make sure someone can answer underwriting questions honestly.

This guide translates Cyber Insurance Red Flags into eight controls UK insurers, brokers, and underwriters commonly scrutinise before granting coverage. It focuses on the headline controls, including MFA, EDR, and immutable backups, while adding the surrounding evidence that makes those controls credible.

Cyber Insurance Red Flags at a glance

[Image: Cyber Insurance Red Flags dashboard showing UK insurance underwriting controls, MFA status, EDR coverage, immutable backup health, and cyber coverage readiness]

Cyber Insurance Red Flags are the gaps that make an insurer doubt whether a business can prevent, detect, contain, or recover from a realistic cyber incident. They do not mean that every insurer uses the same checklist or that every missing control automatically prevents coverage. They do mean that certain weaknesses now attract attention because they are repeatedly linked to ransomware, business email compromise, data loss, claims disputes, and long recovery times.

The eight controls are easiest to understand as an underwriting evidence ladder:

Multi-factor authentication
  What insurers want to know: Is MFA enabled for email, remote access, privileged users, cloud apps, and key finance systems?
  Common red flag: MFA is optional, partial, or missing for administrators.

EDR and endpoint protection
  What insurers want to know: Can the business detect and contain suspicious endpoint behaviour?
  Common red flag: Basic antivirus exists, but no managed alerting or response.

Immutable or offline backups
  What insurers want to know: Can critical systems be restored if ransomware encrypts the network?
  Common red flag: Backups are connected, untested, or accessible with ordinary admin credentials.

Patch and vulnerability management
  What insurers want to know: Are known weaknesses fixed quickly?
  Common red flag: No asset list, no patch evidence, unsupported systems still in use.

Privileged access control
  What insurers want to know: Are admin accounts separated, limited, monitored, and reviewed?
  Common red flag: Everyone has local admin or former staff accounts remain active.

Secure remote access
  What insurers want to know: Are VPNs, RDP, cloud admin portals, and remote support tools controlled?
  Common red flag: Remote access is exposed without MFA, device checks, or logging.

Logging and monitoring
  What insurers want to know: Can suspicious activity be investigated before and during a claim?
  Common red flag: Logs are unavailable, too short-lived, or never reviewed.

Incident response and business continuity
  What insurers want to know: Has the business practised what it would do during ransomware, data loss, or fraud?
  Common red flag: A plan exists in a folder, but nobody has tested roles, backups, communications, or insurer notification.

The pattern is important. Insurers are not just asking whether a tool exists. They are asking whether the control is deployed across the right scope, whether it is maintained, whether evidence exists, and whether the business can recover without improvising under pressure.

In practice, Cyber Insurance Red Flags should be tracked as a control register before renewal, with each gap assigned to a named owner and a target remediation date.

Cyber Insurance Red Flags also vary by risk. A consultancy with five laptops, Microsoft 365, and no hosted customer data may face different underwriting questions from a SaaS provider, MSP, healthcare supplier, manufacturer, legal firm, or e-commerce business. Higher revenue, sensitive data, privileged customer access, regulated work, and dependency on online operations all raise scrutiny.

The safest SME posture is simple: assume the insurer will ask for evidence, not reassurance. If the answer is “our IT provider handles that”, ask the provider for proof. If the answer is “we think backups run”, test a restore. If the answer is “MFA is enabled”, check the admin portals, break-glass accounts, legacy protocols, VPNs, and service accounts. Cyber Insurance Red Flags often hide in exceptions.

Cyber Insurance Red Flags are now underwriting evidence, not IT buzzwords

[Image: Cyber Insurance Red Flags insurance review meeting with broker, IT lead, finance owner, policy documents, security evidence, and coverage decision workflow]

Cyber Insurance Red Flags matter because cyber insurance underwriting has become more evidence-led. Earlier cyber policies were sometimes sold with lighter questionnaires. After repeated ransomware losses, business email compromise incidents, supply-chain attacks, and contested claims, underwriters have become more specific about the controls that reduce severity.

The NCSC cyber insurance guidance frames this clearly. It tells organisations to understand existing cyber defences before buying cover, to bring technical and non-technical expertise together, and to know what must be in place to claim against or renew a policy. It also warns that cyber insurance is not a replacement for safeguards. A policy can help with response, recovery, legal support, forensics, and business interruption, but it cannot stop an attacker from compromising an exposed account or deleting backups.

The ABI guide on how to buy cyber insurance gives a practical view of application questions. It lists questions about cyber policies, designated security responsibility, encryption, multi-factor authentication, secure remote access, anti-virus and firewall software, patching, business continuity or disaster response plans, Cyber Essentials, previous incidents, ransomware prevention, data use, backup frequency, offline backup storage, unique backup credentials, restore speed, restore testing, card payments, outsourcing, and third-party due diligence.

That list explains why Cyber Insurance Red Flags should be owned by leadership as well as IT. Some answers sit with IT, some with finance, some with legal, some with operations, some with an outsourced provider, and some with the board. A business cannot answer accurately if no one coordinates the whole evidence pack.

There is also a claims angle. If a business says MFA is enabled for all remote access, but the incident starts through an unmanaged remote desktop server without MFA, the application answer becomes uncomfortable. If a business says backups are offline and tested, but recovery fails because the backup system was domain-joined and encrypted by the attacker, the claim may involve difficult scrutiny. Cyber Insurance Red Flags are therefore both pre-bind and post-incident risks.

This does not mean SMEs should panic. It means they should treat the cyber insurance process as a useful control review. A good broker or insurer can help a business understand weaknesses before an incident. The ABI says insurers can support businesses by helping to detect issues early, prevent cyber attacks, and respond and recover if the worst happens. For SMEs without a large security team, that outside pressure can be useful.

The important distinction is between a tool purchase and an underwriting-ready control. Buying an endpoint product is not the same as having EDR coverage on every laptop and server, with alerts reviewed and response steps agreed. Buying cloud backup is not the same as immutable recovery points, separated credentials, tested restores, and retention that survives delayed detection. Turning on MFA for directors is not the same as enforcing MFA across email, VPN, SaaS, admin, finance, and remote support access.

Cyber Insurance Red Flags become manageable when the business documents three things for each control: scope, evidence, and owner. Scope says where the control applies. Evidence proves it is in place. Owner says who maintains it and who can answer the insurer.

That is why Cyber Insurance Red Flags work best as a renewal workstream, not a last-minute scramble after the broker sends the questionnaire.

Cyber Insurance Red Flags start with missing MFA on email, VPN, admin, and cloud

[Image: Cyber Insurance Red Flags MFA control review showing email, VPN, cloud admin, finance app, and privileged account authentication status]

Cyber Insurance Red Flags often begin with identity. Attackers do not always need advanced malware when a reused password, phished credential, or unprotected admin account opens the door. That is why MFA has become one of the most visible underwriting controls.

The NCSC identity and access management guidance says access to data, systems, and services needs to be protected, and that a good approach makes it hard for attackers to pretend they are legitimate. It advises organisations to implement multi-factor authentication on online services to protect against password guessing and theft, and to enable MFA for administrative accounts. The NCSC small organisations guidance also says turning on two-step verification is one of the most effective ways to protect important accounts because it prevents criminals from accessing them even if they know the password.

For insurance, the MFA question is rarely just “do you have MFA?” A better underwriting-ready answer covers:

  • Email and Microsoft 365 or Google Workspace.
  • VPNs and remote desktop gateways.
  • Cloud administration portals.
  • Financial systems, payroll, HR, and banking.
  • Password managers and identity providers.
  • Privileged accounts, domain admins, global admins, and break-glass accounts.
  • Remote monitoring and management tools used by MSPs.
  • Customer portals and production systems where applicable.

The red flag is partial MFA. Many SMEs enable MFA for staff email but miss shared mailboxes, legacy authentication, admin accounts, VPN users, third-party support accounts, or cloud dashboards. Underwriters increasingly notice those gaps because they map to real attack paths.

A stronger posture includes conditional access, single sign-on, disabled legacy protocols, admin separation, account lockout or throttling, suspicious login monitoring, and a joiner-mover-leaver process. The NCSC guidance also tells organisations to review unnecessary privileges and ensure access is revoked when no longer required. That matters for insurance because dormant accounts are a common exposure.

Cyber Insurance Red Flags around MFA also include weak exception handling. Some accounts cannot use ordinary MFA because they are service accounts, emergency accounts, or automation accounts. That is not automatically fatal, but it must be controlled. The business should document why the exception exists, how credentials are stored, who can use the account, how access is logged, and how the account is tested.

Evidence can be simple. Export conditional access policies. Capture screenshots from the identity platform. Keep an admin account list. Record the date of the last access review. Ask the MSP to confirm MFA on remote support tools. Store evidence that legacy authentication is blocked. For a small business, this may be enough to turn a nervous underwriting answer into a credible one.

For insurance evidence, Cyber Insurance Red Flags around identity should show both the policy and the exceptions, because exceptions are where many real compromises begin.

Progressive Robot has written separately about Identity-First Security because identity is now the control plane for cloud, SaaS, remote work, and supplier access. In an insurance context, that same logic applies: if identity is weak, every other control has to work harder.

Cyber Insurance Red Flags in identity should be fixed first because they are often cheap, fast, and high impact. MFA is not perfect, but missing MFA is one of the hardest gaps to defend when applying for cover.

Cyber Insurance Red Flags include weak EDR, malware protection, logging, and monitoring

[Image: Cyber Insurance Red Flags endpoint detection and response console showing managed device coverage, ransomware alerts, monitoring gaps, and response workflow]

Cyber Insurance Red Flags do not stop at access. Insurers also want confidence that malware, ransomware, suspicious scripts, compromised accounts, and lateral movement can be detected and contained before they become a claim.

The ABI application questions refer to anti-virus and firewall software and ask whether the business takes additional steps to detect and prevent ransomware attacks. In current SME language, that often leads to endpoint detection and response, managed detection and response, security monitoring, or a managed security service. The exact product label matters less than the outcome: can the business detect harmful behaviour, alert the right people, isolate affected devices, and preserve useful evidence?

The NCSC malware and ransomware guidance recommends a defence-in-depth approach and says organisations should assume some malware will infiltrate, then take steps to limit impact and speed response. It recommends actions to make regular backups, prevent malware being delivered and spreading, prevent malware from running on devices, and prepare for an incident. Endpoint protection and EDR fit into that layered model.

Basic antivirus may satisfy a minimal hygiene question for very small, low-risk firms, especially when built-in protections are properly enabled and updated. But Cyber Insurance Red Flags appear when the business has many devices, remote staff, servers, sensitive data, or high revenue and still has no monitored endpoint protection. A silent tool that nobody reviews is weak evidence.

The NCSC logging and monitoring guidance says logs are essential to understand how systems are used and to investigate incidents, while security monitoring actively analyses log information for signs of attacks or unusual behaviour. It recommends storing important logs for at least six months, protecting logs from tampering, monitoring networks, devices, and cloud services where applicable, and aligning monitoring with incident response.

For insurance readiness, EDR and monitoring evidence should answer:

  • Which laptops, desktops, servers, and cloud workloads are covered?
  • Are all devices enrolled, including remote staff devices and new starters?
  • Who receives alerts?
  • What happens out of hours?
  • Can a device be isolated remotely?
  • Are ransomware behaviours, suspicious PowerShell, credential dumping, and privilege escalation monitored?
  • Are logs retained long enough to investigate delayed discovery?
  • Does the MSP or MDR provider provide reports?
  • Has anyone tested the alert workflow?

Cyber Insurance Red Flags appear when coverage is assumed rather than measured. If 80% of devices are protected, the remaining 20% may be the exact laptops used by directors, finance, developers, or field engineers. If servers are excluded, ransomware can still damage core systems. If alerts go to an unmanaged mailbox, detection is not really detection.

A practical SME does not always need a full security operations centre. It does need a proportionate monitoring model. That might be Microsoft Defender for Business with managed alerting, an MDR service, an MSP with agreed security response, or another stack that fits the environment. The crucial point is that someone is responsible for triage and response.

Cyber Insurance Red Flags around EDR are also evidence gaps. Keep monthly device coverage reports. Keep a record of critical alerts and actions taken. Store the supplier contract that defines response hours. Keep proof that endpoint agents cannot be disabled by standard users. Document exceptions for legacy systems. Evidence turns a tool into an underwriting answer.
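The coverage and retention questions above are easiest to answer from data rather than from a supplier's assurance. The following is an added example, not code from the page or from any EDR vendor: it joins an asset inventory with an endpoint-agent export (both constructed here, with assumed column names and fictional hostnames) and measures coverage against the inventory, so that the uncovered 20% is named rather than assumed. It also lists log sources kept for less than the six months the NCSC logging guidance recommends. The seven-day staleness threshold is an assumption.

```python
"""EDR coverage and log-retention check.

Added example, not code from the page or any vendor. It joins an asset
inventory with an endpoint-agent export, both constructed here with assumed
column names, to answer the questions an underwriter asks about detection:
which devices are enrolled, which agents are stale or have tamper protection
off, which gaps sit on high-risk roles, and whether logs are kept for the six
months the NCSC guidance recommends.
"""
import csv
import io

STALE_DAYS = 7              # assumed: an agent silent for a week is not covering the device
MIN_LOG_RETENTION = 180     # NCSC logging guidance: keep important logs at least six months
HIGH_RISK_ROLES = {"director", "finance", "developer", "domain controller"}

# Constructed asset inventory (fictional hostnames).
INVENTORY = """\
asset,kind,role
LT-001,laptop,director
LT-002,laptop,finance
LT-003,laptop,sales
LT-004,laptop,developer
SRV-DC01,server,domain controller
SRV-FILE01,server,file server
SRV-BACKUP01,server,backup
VM-WEB01,cloud workload,website
"""

# Constructed EDR console export; assets missing here are not enrolled.
EDR_EXPORT = """\
asset,agent_status,last_seen_days,tamper_protection
LT-001,healthy,1,on
LT-003,healthy,0,on
LT-004,healthy,12,on
SRV-DC01,healthy,0,on
SRV-FILE01,healthy,2,off
VM-WEB01,healthy,1,on
"""

# Constructed log-source list with retention in days.
LOG_SOURCES = """\
source,retention_days
identity,365
endpoint,90
firewall,30
cloud_audit,180
backup,400
"""


def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def edr_coverage(inventory_csv: str = INVENTORY, edr_csv: str = EDR_EXPORT,
                 stale_days: int = STALE_DAYS) -> dict:
    """Measure coverage against the inventory, not against what the EDR console shows.

    "stale" holds assets whose agent is enrolled but unhealthy or silent for
    longer than stale_days; they count as gaps, not as covered devices.
    """
    agents = {r["asset"]: r for r in _rows(edr_csv)}
    report = {"covered": [], "uncovered": [], "stale": [], "tamper_off": [], "high_risk_gaps": []}
    inventory = _rows(inventory_csv)
    for item in inventory:
        name, agent = item["asset"], agents.get(item["asset"])
        if agent is None:
            report["uncovered"].append(name)
        elif agent["agent_status"] != "healthy" or int(agent["last_seen_days"]) > stale_days:
            report["stale"].append(name)
        else:
            report["covered"].append(name)
        if agent is not None and agent["tamper_protection"] != "on":
            report["tamper_off"].append(name)      # standard users could switch the agent off
        if name not in report["covered"] and item["role"] in HIGH_RISK_ROLES:
            report["high_risk_gaps"].append(name)  # the gap sits on a director, finance, dev or DC
    report["coverage_pct"] = round(100 * len(report["covered"]) / len(inventory), 1)
    return report


def short_log_retention(log_csv: str = LOG_SOURCES, minimum: int = MIN_LOG_RETENTION) -> list:
    """List (source, days) for log sources retained for less than the minimum."""
    return [(r["source"], int(r["retention_days"])) for r in _rows(log_csv)
            if int(r["retention_days"]) < minimum]


if __name__ == "__main__":
    cov = edr_coverage()
    print(f"coverage: {cov['coverage_pct']}% of inventory")
    for key in ("uncovered", "stale", "tamper_off", "high_risk_gaps"):
        print(f"{key}: {cov[key]}")
    print("log sources below minimum retention:", short_log_retention())
```

Run monthly, the output is the device coverage report the section asks for, and the `high_risk_gaps` list is the one to hand to whoever owns remediation before renewal.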

The key test is whether Cyber Insurance Red Flags can be answered with current reports rather than verbal reassurance from an IT supplier.

Cyber Insurance Red Flags include backups that attackers can delete or encrypt

[Image: Cyber Insurance Red Flags immutable backup architecture showing offline copies, protected credentials, restore testing, ransomware recovery, and recovery time evidence]

Cyber Insurance Red Flags around backups are among the most important because cyber insurance is often most valuable when recovery is expensive, slow, or contested. If a business cannot restore data after ransomware, the claim becomes much larger. If backups fail, the insurer may ask why the application said recovery was under control.

The ABI asks detailed backup questions: how frequently systems are backed up, whether backup is stored offline in a secure location, whether access is restricted, whether backup credentials are unique and stored separately, whether backup is disconnected from and inaccessible through the organisation’s network, how quickly data can be obtained, how long full restore would take, and how regularly backup is tested.

The NCSC data security guidance says organisations should maintain up-to-date, isolated, offline backup copies of important data. It recommends multiple backups in different locations, the 3-2-1 rule, offline backups kept separate from the network or in a cloud service designed for that purpose, restricted access to backup credentials and servers, retention for a period rather than a single rolling backup, regular backup testing, and care when restoring to avoid re-infection.

For SMEs, the phrase “immutable backups” usually means backup copies cannot be changed or deleted during a defined retention period, even by an ordinary administrator. It can be delivered through object lock, hardened backup repositories, write-once retention, isolated cloud backup, backup appliances, or an offline copy. The important underwriting point is not the marketing label. It is whether ransomware can use compromised admin credentials to destroy the recovery path.

Cyber Insurance Red Flags include:

  • Backups stored on the same network share as production files.
  • Backup admin accounts using the same identity system as ordinary domain admins.
  • No MFA on backup consoles.
  • No offline, immutable, or separated copy.
  • Only one rolling backup, overwritten daily.
  • No evidence of restore testing.
  • Backups of files but not systems, configurations, SaaS data, or cloud workloads.
  • Recovery time assumptions that have never been tested.
  • MSP-managed backups with no customer evidence or contract clarity.

A good backup answer includes four layers. First, define what must be restored: files, databases, servers, cloud apps, Microsoft 365, website, customer portal, endpoint configurations, firewall rules, and identity settings. Second, define recovery objectives: how much data can be lost and how quickly systems must return. Third, protect backup access with separated credentials, MFA, role separation, encryption, and deletion protection. Fourth, test restores and record results.

Cyber Insurance Red Flags are reduced when the business can show a recent restore test. A screenshot of a green backup dashboard is weaker than a record showing that a finance folder, a server, a Microsoft 365 mailbox, or a customer database was restored successfully on a specific date. Recovery is a business capability, not just an IT setting.
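The four layers above and the red-flag list before them can be expressed as a checklist that runs over a description of the backup estate. The following is an added example, not code from the page or any backup product: it scores a set of backup copies against the 3-2-1 rule, the requirement for an offline or immutable copy, retention, separated credentials and console MFA, and the age of the last successful restore test, and shows a weak posture beside a hardened one. The copies, dates, the 90-day restore-test window and the 30-day minimum retention are constructed assumptions.

```python
"""Backup resilience assessment: 3-2-1, immutability, credentials and restore tests.

Added example, not from the page or any backup vendor. It scores a set of
backup copies against the underwriting questions in the text: three copies
on two media with one offsite (3-2-1), at least one offline or immutable
copy that an admin credential cannot delete, retention long enough to
survive delayed detection, backup credentials and console MFA separated
from the domain, and a recent successful restore test. The copies, dates
and thresholds are constructed assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class BackupCopy:
    name: str
    medium: str                 # "disk", "object storage", "tape", ...
    offsite: bool
    offline: bool               # disconnected from the production network
    immutable_days: int         # retention lock length; 0 means deletable at any time
    retention_days: int         # how far back recovery points go
    separate_credentials: bool  # not the ordinary domain admin identity
    console_mfa: bool


@dataclass
class RestoreTest:
    tested_on: date
    scope: str
    success: bool


def assess_backups(copies, tests, today, production_medium="disk",
                   max_test_age=90, min_retention=30):
    """Return a list of findings; an empty list means no red flag under these rules."""
    findings = []
    media = {production_medium} | {c.medium for c in copies}
    if 1 + len(copies) < 3:                     # 3-2-1: production counts as one copy
        findings.append("fewer than three copies of the data (production plus backups)")
    if len(media) < 2:
        findings.append("all copies on a single media type")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline or c.immutable_days > 0 for c in copies):
        findings.append("no offline or immutable copy: compromised admin credentials "
                        "can delete every recovery point")
    if not any(c.retention_days >= min_retention for c in copies):
        findings.append(f"no copy retains recovery points for {min_retention} days")
    for c in copies:
        if not c.separate_credentials:
            findings.append(f"{c.name}: backup credentials tied to the domain admin identity")
        if not c.console_mfa:
            findings.append(f"{c.name}: no MFA on the backup console")
    successes = [t for t in tests if t.success]
    if not successes:
        findings.append("no successful restore test on record")
    else:
        age = (today - max(t.tested_on for t in successes)).days
        if age > max_test_age:
            findings.append(f"last successful restore test was {age} days ago")
    return findings


TODAY = date(2025, 6, 30)   # constructed reference date

# Weak posture: one rolling copy on a NAS that sits on the production network.
WEAK = [BackupCopy("nas-share", "disk", offsite=False, offline=False, immutable_days=0,
                   retention_days=1, separate_credentials=False, console_mfa=False)]
WEAK_TESTS = []

# Hardened posture: local disk copy plus an offsite object-lock copy, both with
# separate credentials and MFA, and a restore test 20 days before TODAY.
HARDENED = [
    BackupCopy("nas-share", "disk", offsite=False, offline=False, immutable_days=0,
               retention_days=14, separate_credentials=True, console_mfa=True),
    BackupCopy("cloud-objectlock", "object storage", offsite=True, offline=False,
               immutable_days=30, retention_days=30, separate_credentials=True, console_mfa=True),
]
HARDENED_TESTS = [RestoreTest(date(2025, 6, 10), "finance share and SRV-FILE01 full restore", True)]
# Same estate, but the only recorded restore test is six months old.
STALE_TESTS = [RestoreTest(date(2025, 1, 1), "single file restore", True)]


if __name__ == "__main__":
    for label, copies, tests in (("weak", WEAK, WEAK_TESTS), ("hardened", HARDENED, HARDENED_TESTS)):
        findings = assess_backups(copies, tests, TODAY)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The restore-test record is the part worth keeping with the insurance evidence: a dated `RestoreTest` with a named scope is exactly the "record showing that a finance folder or a server was restored on a specific date" that the text prefers over a green dashboard.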

This is also where workflow automation can help. Backup test schedules, evidence reminders, restore reports, exception approvals, and renewal questionnaires should not live in one engineer’s inbox. A repeatable workflow makes the control easier to prove when the broker asks.

Cyber Insurance Red Flags around backups are unforgiving because backups are often the last line of defence. If they are connected, untested, and easy to delete, they are not recovery assurance.

For ransomware-heavy underwriting, Cyber Insurance Red Flags around backups deserve board attention because failed recovery can turn a technical incident into a business survival problem.

Cyber Insurance Red Flags include unmanaged patching, assets, and unsupported systems

[Image: Cyber Insurance Red Flags patch management and asset inventory board showing unsupported systems, vulnerability priority, software updates, and insurance evidence]

Cyber Insurance Red Flags also appear when a business cannot show what systems it has or how quickly it fixes known weaknesses. Patching is not glamorous, but insurers care about it because attackers often exploit known vulnerabilities quickly after disclosure.

The NCSC vulnerability management guidance says the majority of cyber security incidents result from attackers exploiting publicly disclosed vulnerabilities, and that attackers often seek to exploit vulnerabilities as soon as they are disclosed. It advises enabling automatic updates where practicable, monitoring update status, ensuring every system has a software update strategy, using supported software, developing a vulnerability management process, using scanning, triaging by business risk, and managing legacy equipment carefully.

The NCSC asset management guidance explains why this is hard. Incidents can occur because organisations do not fully understand their environment, such as an unpatched service, exposed cloud storage account, or misclassified document. An asset inventory helps identify technology, data, accounts, suppliers, critical dependencies, and unsupported systems.

For insurance applications, patching answers often sound simple: yes, updates are applied. But Cyber Insurance Red Flags appear when there is no evidence. The insurer may not need every patch record, but it will expect the business to know who owns updates, what is in scope, how internet-facing systems are handled, what the patch window is, and what happens when a patch cannot be applied.

Practical evidence includes:

  • Asset inventory for laptops, servers, network devices, cloud services, and key SaaS.
  • Patch policy with timelines for critical, high, and standard updates.
  • Reports from endpoint management, MDM, RMM, vulnerability scanner, or patch tool.
  • Exception register for systems that cannot be patched immediately.
  • Evidence that unsupported software is removed, isolated, or scheduled for replacement.
  • External vulnerability scan results for public-facing systems.
  • Records of firewall, VPN, router, and remote access updates.

Cyber Insurance Red Flags often sit in edge systems. A supported Microsoft 365 tenant may be well controlled, while an old VPN appliance, forgotten website plugin, unpatched NAS, exposed remote desktop server, unsupported Windows machine, or old firewall firmware creates the real underwriting concern. Insurers know that ransomware groups and opportunistic attackers search for those weak points.
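The evidence items listed above (inventory, patch timelines, exception register, unsupported software, internet-facing systems) combine into one check. The following is an added example, not code from the page or from any patch tool: it applies a per-severity patch policy to a constructed list of assets and updates and reports updates past their deadline, updates that were applied late, internet-facing systems with anything still open, systems past vendor support, and gaps covered by a still-valid exception. The policy timelines, asset names, `REF-` identifiers and dates are placeholders constructed for this example.

```python
"""Patch-SLA and unsupported-system check over an asset inventory.

Added example, not from the page or any patch tool. It applies a patch policy
(assumed timelines per severity) to a list of pending and applied updates and
reports what the underwriting questions in the text probe: updates past their
deadline, updates applied late, internet-facing systems with open updates,
systems past vendor support, and gaps covered by a still-valid exception.
Assets, reference ids and dates below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy timelines in days from release; replace with the business's own policy.
POLICY_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}


@dataclass
class Asset:
    name: str
    kind: str
    internet_facing: bool
    support_ends: Optional[date]   # None = supported with no announced end date


@dataclass
class Update:
    asset: str
    ref: str                       # placeholder reference, not a real advisory id
    severity: str
    released: date
    applied: Optional[date] = None


@dataclass
class PatchException:
    asset: str
    expires: date
    compensating_control: str


def patch_status(assets, updates, exceptions, today):
    """Return overdue, late, excepted, unsupported and internet-facing-open findings."""
    by_name = {a.name: a for a in assets}
    valid_exceptions = {e.asset: e for e in exceptions if e.expires >= today}
    report = {"overdue": [], "applied_late": [], "excepted": [],
              "unsupported": [], "internet_facing_open": []}
    for u in updates:
        deadline = POLICY_DAYS[u.severity]
        if u.applied is None:
            age = (today - u.released).days
            # Any open update on an edge system is worth a line, deadline or not.
            if by_name[u.asset].internet_facing and u.asset not in report["internet_facing_open"]:
                report["internet_facing_open"].append(u.asset)
            if age > deadline:
                if u.asset in valid_exceptions:
                    report["excepted"].append(
                        (u.asset, u.ref, valid_exceptions[u.asset].compensating_control))
                else:
                    report["overdue"].append((u.asset, u.ref, age))
        else:
            taken = (u.applied - u.released).days
            if taken > deadline:
                report["applied_late"].append((u.asset, u.ref, taken))
    for a in assets:
        if a.support_ends is not None and a.support_ends < today:
            report["unsupported"].append(a.name)
    return report


TODAY = date(2025, 6, 30)   # constructed reference date

ASSETS = [
    Asset("LT-010", "laptop", internet_facing=False, support_ends=None),
    Asset("VPN-EDGE", "firewall", internet_facing=True, support_ends=None),
    Asset("NAS-OLD", "nas", internet_facing=False, support_ends=date(2024, 12, 31)),
    Asset("LEGACY-WS", "workstation", internet_facing=False, support_ends=date(2020, 1, 14)),
]
UPDATES = [
    Update("LT-010", "REF-001", "critical", date(2025, 6, 20), date(2025, 6, 25)),  # 5 days: fine
    Update("VPN-EDGE", "REF-002", "critical", date(2025, 6, 1)),                    # open 29 days
    Update("NAS-OLD", "REF-003", "high", date(2025, 5, 1)),                         # open 60 days
    Update("LT-010", "REF-004", "low", date(2025, 5, 15)),                          # open 46 days
    Update("VPN-EDGE", "REF-005", "high", date(2025, 6, 25), date(2025, 6, 27)),    # 2 days: fine
    Update("LT-010", "REF-006", "medium", date(2025, 5, 1), date(2025, 6, 20)),     # applied after 50 days
]
EXCEPTIONS = [PatchException("NAS-OLD", date(2025, 9, 30),
                             "isolated VLAN, no internet access, replacement ordered")]
EXPIRED_EXCEPTIONS = [PatchException("NAS-OLD", date(2025, 1, 1), "expired")]


if __name__ == "__main__":
    for key, items in patch_status(ASSETS, UPDATES, EXCEPTIONS, TODAY).items():
        print(f"{key}: {items}")
```

An expired exception is deliberately treated as no exception at all, so an old risk acceptance cannot quietly keep an unsupported system off the overdue list at renewal.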

This is why Cyber Essentials remains a useful foundation. The NCSC says Cyber Essentials is the UK Government-recommended minimum cyber security standard and is aligned to five technical controls: malware protection, user access control, secure configuration, firewalls, and security update management. Cyber Essentials is not a full insurance guarantee, but it gives insurers a recognisable baseline and shows that the business has faced core hygiene questions.

Cyber Insurance Red Flags are reduced when patching becomes part of normal operations. New device? Add it to the inventory. New SaaS? Record owner and MFA status. New server? Add backup, monitoring, patching, and access controls before it goes live. Old system? Add a retirement date or compensating controls. Insurance readiness is not a once-a-year questionnaire; it is asset discipline.

Cyber Insurance Red Flags include privileged access, remote access, and third-party exposure

[Image: Cyber Insurance Red Flags privileged access and remote support map showing admin accounts, VPN access, MSP tooling, supplier access, and access review evidence]

Cyber Insurance Red Flags become sharper when privileged access is involved. An ordinary user account can cause damage, but an admin account can disable security tools, delete backups, create persistence, change firewall rules, access sensitive data, and spread ransomware across the estate.

The NCSC identity guidance advises organisations to use a tiered model for administrative accounts, only use full privileges when absolutely necessary, enable MFA for administrative accounts, separate admin accounts from day-to-day accounts, block unnecessary browsing and email on admin devices where appropriate, and review unnecessary privileges regularly. These are not abstract enterprise ideas. They translate directly into insurance questions about who can make changes and how those accounts are protected.

Cyber Insurance Red Flags include:

  • Shared admin accounts.
  • Admin rights given to ordinary users by default.
  • Domain admin accounts used for email and web browsing.
  • Former staff or suppliers still holding access.
  • MSP accounts with broad access and weak MFA.
  • Remote access tools installed outside formal approval.
  • RDP exposed to the internet.
  • VPN accounts not reviewed.
  • No logs showing who used privileged access.

Remote access is a special concern because it is a bridge from the internet into the business. The ABI asks whether businesses have secure remote access and access control procedures to prevent unauthorised access. A strong answer covers MFA, device trust, VPN or zero trust access, disabled direct RDP exposure, approved remote support tools, logs, and supplier access reviews.

Third-party exposure matters too. The ABI asks what IT and data services are outsourced and what due diligence is performed. The NCSC supply chain security guidance says most organisations rely on suppliers and that vulnerabilities can be introduced or exploited at any point in the supply chain. For cyber insurance, an SME that relies on an MSP, cloud provider, website agency, payment provider, software vendor, or outsourced helpdesk should know who has access and under what conditions.

Progressive Robot’s guide to Supply Chain Vulnerability is relevant here because insurance readiness and supplier assurance now overlap. Your insurer may ask who manages IT. Your customers may ask who can access their data. Your board may ask who can recover systems. The same access map answers all three.

Evidence does not need to be overcomplicated. Keep a privileged account register. Review it quarterly. Record MSP access and MFA. Disable unused remote access paths. Store VPN logs. Require named accounts rather than shared credentials. Keep supplier contracts that define incident notification and access responsibilities. Test whether former users are removed quickly.
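The MFA evidence described earlier (policy plus exceptions, admin account list, legacy authentication, dormant accounts) and the privileged-access register above draw on the same account export, so one check serves both sections. The following is an added example, not code from the page, from Microsoft, Google or any identity vendor: it reads an account export in a shape an SME might get from its identity platform or MSP portal (column names and the fictional rows are constructed for this example) and lists the findings an underwriter treats as red flags. The 90-day dormancy threshold is an assumption; service and break-glass accounts are allowed to lack MFA only when the exception is documented, which is the control the text asks for.

```python
"""Identity and privileged-access review over an account export.

Added example, not code from the page. It reads a CSV in the shape an SME
might export from its identity platform or MSP portal (the column names and
the sample rows below are constructed for this example) and lists the findings
an underwriter treats as red flags: missing MFA, legacy authentication still
allowed, leavers still active, shared credentials, dormant accounts, and
service or break-glass accounts whose MFA exception is not documented.
"""
import csv
import io
from collections import defaultdict

DORMANT_DAYS = 90                             # assumed review threshold; the page states no figure
EXCEPTION_KINDS = {"service", "break-glass"}  # may lack MFA only with a documented exception

# Constructed sample export (fictional accounts, assumed column names).
SAMPLE_EXPORT = """\
account,kind,status,mfa,legacy_auth,last_sign_in_days,shared,employment,exception_documented
alice@example.co.uk,user,active,yes,no,2,no,current,no
bob@example.co.uk,user,active,no,yes,5,no,current,no
admin-carol@example.co.uk,admin,active,yes,no,1,no,current,no
admin-dave@example.co.uk,admin,active,no,no,3,no,current,no
shared-reception@example.co.uk,user,active,yes,no,1,yes,current,no
erin@example.co.uk,user,active,yes,no,40,no,leaver,no
vpn-msp-support,supplier,active,no,no,12,no,current,no
svc-backup,service,active,no,no,0,no,current,yes
breakglass-01,break-glass,active,no,no,400,no,current,no
frank@example.co.uk,user,active,yes,no,150,no,current,no
grace@example.co.uk,user,disabled,no,yes,300,no,leaver,no
"""


def _yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def review_accounts(export_csv: str, dormant_days: int = DORMANT_DAYS) -> dict:
    """Return {account: [finding, ...]} for every active account with a red flag."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["account"]
        kind = row["kind"].strip().lower()
        if row["status"].strip().lower() != "active":
            continue  # a disabled account is not an exposure for this review
        if row["employment"].strip().lower() == "leaver":
            findings[name].append("leaver still active")
        if _yes(row["shared"]):
            findings[name].append("shared account")
        if _yes(row["legacy_auth"]):
            findings[name].append("legacy authentication allowed")
        if not _yes(row["mfa"]):
            if kind in EXCEPTION_KINDS:
                if not _yes(row["exception_documented"]):
                    findings[name].append("MFA exception not documented")
            else:
                findings[name].append("no MFA")   # users, admins and supplier accounts alike
        # Break-glass accounts are expected to sit idle; any other account that
        # has not signed in for a long time is a dormant-account finding.
        if kind != "break-glass" and int(row["last_sign_in_days"]) > dormant_days:
            findings[name].append(f"dormant > {dormant_days} days")
    return dict(findings)


def summarise(findings: dict) -> dict:
    """Count findings by type, which is the shape a renewal control register wants."""
    counts = defaultdict(int)
    for items in findings.values():
        for item in items:
            counts[item] += 1
    return dict(counts)


if __name__ == "__main__":
    result = review_accounts(SAMPLE_EXPORT)
    for account, items in result.items():
        print(f"{account}: {', '.join(items)}")
    print("summary:", summarise(result))
```

Run quarterly against a fresh export, the per-account output is the privileged account register review and the summary is the line for the control register; `svc-backup` shows the intended behaviour for a documented exception, which produces no finding.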

Cyber Insurance Red Flags in privileged access are high priority because one uncontrolled admin path can undermine MFA, backups, EDR, and patching. A business cannot claim mature security if it cannot say who has the keys.

Cyber Insurance Red Flags include untested incident response, business continuity, and claims evidence

[Image: Cyber Insurance Red Flags incident response tabletop exercise showing broker notification, ransomware playbook, restore decision, legal reporting, and board communications]

Cyber Insurance Red Flags are not only technical. Insurers also want to know whether the business can make decisions during a real incident. Ransomware, data theft, business email compromise, and supplier outages create legal, financial, operational, customer, and communications problems. The best endpoint tool will not decide who calls the insurer, who shuts down a system, who contacts customers, or who approves a recovery path.

The ABI asks whether the business has a business continuity or disaster response plan that includes cyber attacks such as data breaches, security breaches, denial of service, and ransomware, and whether the plan has been tested in the last 12 months. The NCSC incident management guidance says planning in advance reduces impact, a practised plan helps good decisions under pressure, and clear communication builds trust with shareholders and customers. It also advises organisations to define roles and responsibilities, involve legal, HR, PR, suppliers, vendors, and senior management, align incident response with disaster recovery and business continuity, and practise response plans.

For insurance, the incident plan should include the policy itself. Cyber Insurance Red Flags appear when no one knows:

  • Which policy applies.
  • Which broker or insurer contact must be notified.
  • Whether panel providers must be used.
  • What incident response services are included.
  • What evidence must be preserved.
  • Who can authorise containment actions.
  • When to notify the ICO, customers, banks, police, Action Fraud, or the NCSC.
  • How legal privilege is handled.
  • Who communicates with staff, customers, suppliers, and media.
  • Which recovery priorities matter most to revenue and safety.

The Cyber Security Breaches Survey 2025 found that only 23% of businesses had a formal incident response plan, although adoption was higher among medium and large businesses. It also found that of organisations with cyber insurance, just over half said they would inform their cyber insurance provider in the event of a breach or attack. That is a red flag in itself: if the policy requires prompt notification, but the response process forgets the insurer, the business may create a claims problem.

Cyber Insurance Red Flags around incident response often surface during tabletop exercises. A team discovers that the broker contact is outdated, the finance director owns the policy but IT owns the incident, the MSP has no contractual response time, the backup restore process needs a person who is on holiday, and the customer notification template has never been approved. Better to find that in a workshop than during ransomware.

A coverage-ready incident response pack should include:

Evidence item and why it matters:

  • Incident response plan: shows roles, escalation, containment, and decision authority.
  • Cyber insurance notification process: reduces the chance of late or incorrect claims notification.
  • Backup restore runbook: connects technical recovery to business priorities.
  • Contact list: keeps insurer, broker, MSP, legal, finance, PR, and leaders reachable.
  • Tabletop exercise record: proves the plan was tested and improved.
  • Communications templates: speed internal, customer, supplier, and regulator messaging.
  • Evidence preservation checklist: supports forensics, legal review, and claims handling.

Cyber Insurance Red Flags are reduced when incident response is treated as a business process. The goal is not a huge binder. The goal is a plan people can use at 2 a.m. when email is down, systems are locked, and the insurer needs facts.

Cyber Insurance Red Flags 90-day roadmap for coverage-ready SMEs

[Figure: 90-day roadmap for UK SMEs showing MFA rollout, EDR deployment, immutable backup testing, patch evidence, and insurer-ready documentation]

Cyber Insurance Red Flags can feel overwhelming if a business tries to fix everything at once. A 90-day roadmap keeps the work practical and insurer-facing. The aim is not instant perfection. The aim is honest, defensible progress that reduces underwriting friction and improves real resilience.

Days 1 to 15 should focus on the insurance and evidence baseline. Find the current policy, renewal date, limits, exclusions, broker contact, and application answers. Identify who owns insurance, IT, finance, legal, data protection, and incident response. Ask the broker which controls are likely to matter at renewal. Create a single evidence folder.

Days 16 to 30 should focus on identity and access. Enforce MFA for email, cloud, VPN, admin, finance, and key SaaS. Disable legacy authentication. Separate admin accounts. Review leavers, dormant accounts, shared accounts, and supplier accounts. Export evidence. If an exception remains, document it.

Days 31 to 45 should focus on endpoint protection and monitoring. Confirm every laptop, server, and critical workload has endpoint protection or EDR. Decide who receives alerts and what happens out of hours. Check whether logs are available for identity, endpoint, firewall, cloud, and backup systems. Document gaps and response owners.

Days 46 to 60 should focus on backups and recovery. Identify critical systems and data. Confirm backup frequency, retention, separation, credentials, MFA, immutability or offline copies, and restore process. Test at least one meaningful restore. Record the result. If recovery time is longer than the business expects, tell leadership now.

Days 61 to 75 should focus on patching, assets, and remote access. Build or refresh the asset inventory. Confirm patch status for devices, servers, network equipment, VPNs, firewalls, websites, and SaaS integrations. Remove unsupported software where possible. Close exposed remote access. Review MSP and supplier access.

Days 76 to 90 should focus on incident response and renewal evidence. Run a short ransomware or business email compromise tabletop exercise. Include insurer notification, broker contact, legal reporting, customer communications, backup restore, and decision authority. Update the plan based on what breaks. Prepare a concise cyber insurance evidence pack for renewal.

An SME working through Cyber Insurance Red Flags should finish the 90 days with these outputs:

| Output | What it gives the SME |
| --- | --- |
| Control evidence pack | Faster, more accurate insurer and broker responses. |
| MFA and privileged access register | Proof that identity risk is being managed. |
| EDR and monitoring coverage report | Evidence that detection and response are not assumed. |
| Backup restore record | Stronger ransomware recovery evidence. |
| Patch and asset register | A clearer answer to vulnerability questions. |
| Incident response exercise notes | Proof that business continuity has been tested. |
| Renewal action log | A practical list of remaining gaps and owners. |
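The roadmap phases for days 16 to 75 each end with "export evidence" or "document gaps", and the table above names the registers that evidence becomes. The script below is an added example, not Progressive Robot's tooling and not anything an insurer publishes; it shows what turning raw exports into those registers looks like. It takes constructed stand-ins for an identity provider account list, an EDR console inventory, backup platform settings and a patch/asset list, applies the checks the roadmap names (MFA with documented exceptions, shared, supplier and dormant accounts, installed and reporting EDR agents, immutable or offline backup copies with isolated credentials and a recent proven restore, unsupported software, overdue security updates, exposed remote access without MFA) and produces a JSON-serialisable evidence pack with a summary and a findings list. Every field name and threshold (90-day dormancy, 7-day agent check-in, 90-day restore test, 14-day patch window) is an assumption; a real run would map the exports of whatever products the business actually uses.

```python
"""Insurer-facing control evidence pack built from exported inventories. Added example, not
Progressive Robot's or any insurer's tooling; sample exports are constructed, thresholds assumed."""
from datetime import date

AS_OF = date(2025, 6, 30)     # assumed reporting date
DORMANT_DAYS = 90             # assumed: no sign-in for this long means dormant
AGENT_STALE_DAYS = 7          # assumed: an EDR agent silent this long is not "covered"
RESTORE_TEST_MAX_DAYS = 90    # assumed: older restore tests no longer count as evidence
PATCH_SLA_DAYS = 14           # assumed window for applying security updates

def _days_since(iso, as_of):
    return None if iso is None else (as_of - date.fromisoformat(iso)).days

def check_identity(accounts, as_of=AS_OF):
    """MFA and privileged access register (roadmap days 16 to 30); findings are (control, subject, issue)."""
    gaps = []
    for a in accounts:
        u, priv = a["user"], " on privileged account" if a["privileged"] else ""
        if not a["mfa"] and not a.get("exception_documented"):
            gaps.append(("identity", u, f"MFA not enforced{priv} and no documented exception"))
        if a.get("shared"):
            gaps.append(("identity", u, "shared account, no individual accountability"))
        if a.get("supplier") and not a.get("access_expires"):
            gaps.append(("identity", u, "supplier account with no access expiry or review date"))
        if (idle := _days_since(a.get("last_login"), as_of)) is None or idle > DORMANT_DAYS:
            gaps.append(("identity", u, f"dormant: no sign-in for more than {DORMANT_DAYS} days"))
    return gaps

def edr_covered(device, as_of=AS_OF):
    """Covered means an agent is installed *and* reporting; installed-but-silent is a gap."""
    idle = _days_since(device.get("last_checkin"), as_of)
    return bool(device["edr_agent"]) and idle is not None and idle <= AGENT_STALE_DAYS

def check_endpoints(devices, as_of=AS_OF):
    """EDR and monitoring coverage report (days 31 to 45)."""
    return [("endpoint", d["hostname"],
             "no EDR or endpoint protection agent" if not d["edr_agent"]
             else f"EDR agent silent for more than {AGENT_STALE_DAYS} days")
            for d in devices if not edr_covered(d, as_of)]

def check_backups(backup_sets, as_of=AS_OF):
    """Backup restore record (days 46 to 60): can ordinary admin credentials destroy the copy?"""
    gaps = []
    for b in backup_sets:
        n = b["name"]
        if not (b["immutable"] or b.get("offline_copy")):
            gaps.append(("backup", n, "no immutable or offline copy; admin credentials can delete or encrypt it"))
        if not (b["separate_credentials"] and b["console_mfa"]):
            gaps.append(("backup", n, "backup console not isolated: shared credentials or no MFA"))
        age = _days_since(b.get("last_restore_test"), as_of)
        if age is None or age > RESTORE_TEST_MAX_DAYS or not b.get("restore_succeeded"):
            gaps.append(("backup", n, "restore not tested, test stale, or test failed"))
    return gaps

def check_assets(assets, as_of=AS_OF):
    """Patch and asset register, including exposed remote access (days 61 to 75)."""
    gaps = []
    for s in assets:
        n = s["asset"]
        if not s["supported"]:
            gaps.append(("patch", n, "unsupported software or firmware; no security updates available"))
        elif (age := _days_since(s.get("oldest_missing_patch_released"), as_of)) is not None and age > PATCH_SLA_DAYS:
            gaps.append(("patch", n, f"security update outstanding for {age} days (SLA {PATCH_SLA_DAYS})"))
        if s.get("internet_exposed") and s.get("remote_access") and not s.get("remote_access_mfa"):
            gaps.append(("patch", n, "internet-exposed remote access without MFA"))
    return gaps

def build_evidence_pack(accounts, devices, backup_sets, assets, as_of=AS_OF):
    groups = {"identity": check_identity(accounts, as_of), "endpoint": check_endpoints(devices, as_of),
              "backup": check_backups(backup_sets, as_of), "patch": check_assets(assets, as_of)}
    findings = [dict(zip(("control", "subject", "issue"), g)) for group in groups.values() for g in group]
    summary = {f"{k}_findings": len(v) for k, v in groups.items()}
    summary.update(edr_coverage=f"{sum(edr_covered(d, as_of) for d in devices)}/{len(devices)}", total=len(findings))
    return {"as_of": as_of.isoformat(), "summary": summary, "findings": findings}

# Constructed sample exports; no real organisation, user or system.
ACCOUNTS = [
    {"user": "alice@example.co.uk", "mfa": True, "privileged": True, "last_login": "2025-06-28"},
    {"user": "finance-shared@example.co.uk", "mfa": False, "privileged": False, "shared": True, "last_login": "2025-06-29"},
    {"user": "old-contractor@example.co.uk", "mfa": False, "privileged": True, "supplier": True, "last_login": "2025-01-10"},
    {"user": "scanner-svc@example.co.uk", "mfa": False, "exception_documented": True, "privileged": False, "last_login": "2025-06-30"},
]
DEVICES = [
    {"hostname": "LAPTOP-01", "edr_agent": True, "last_checkin": "2025-06-30"},
    {"hostname": "SRV-FILE-01", "edr_agent": True, "last_checkin": "2025-05-01"},
    {"hostname": "LAPTOP-07", "edr_agent": False, "last_checkin": None},
]
BACKUPS = [
    {"name": "M365-mailboxes", "immutable": True, "separate_credentials": True, "console_mfa": True,
     "last_restore_test": "2025-06-12", "restore_succeeded": True},
    {"name": "FileServer-nightly", "immutable": False, "separate_credentials": False, "console_mfa": False},
]
ASSETS = [
    {"asset": "FW-EDGE-01", "supported": True, "oldest_missing_patch_released": "2025-06-25"},
    {"asset": "VPN-LEGACY", "supported": False, "internet_exposed": True, "remote_access": True},
    {"asset": "SRV-APP-02", "supported": True, "oldest_missing_patch_released": "2025-05-20"},
]
```

Calling `build_evidence_pack(ACCOUNTS, DEVICES, BACKUPS, ASSETS)` on the constructed data returns 13 findings and an EDR coverage of 1/3, because an installed agent that has stopped reporting is counted as uncovered rather than as "EDR deployed", and a service account with a documented MFA exception produces no finding while an undocumented gap does. Those two distinctions are what separate a defensible answer from an assumed one when the broker asks "do you enforce MFA" and "do you use EDR".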

Once that evidence pack exists, Cyber Insurance Red Flags become easier to discuss honestly with brokers, insurers, MSPs, and board members.

Progressive Robot’s vCIO advantage is especially relevant for SMEs that do not have a full-time CIO or security leader. Cyber insurance readiness cuts across finance, IT, operations, suppliers, and leadership. Someone has to turn the insurer’s questions into a working governance rhythm.

Do UK insurers always refuse cover if MFA is missing?

No. Underwriting varies by insurer, sector, size, revenue, data sensitivity, and access risk. However, missing MFA is one of the clearest Cyber Insurance Red Flags because it is a basic defence against credential theft. Even if coverage is offered, missing MFA can affect pricing, limits, exclusions, or remediation conditions.

Is EDR mandatory for cyber insurance?

Not universally. Some smaller, lower-risk businesses may be asked about anti-virus and firewall software rather than full EDR. But Cyber Insurance Red Flags become more serious when a business has servers, remote staff, sensitive data, high revenue, or ransomware exposure and cannot show managed endpoint detection, monitoring, and response.

What makes a backup immutable enough for insurers?

The practical test is whether an attacker with ordinary admin access can delete, overwrite, or encrypt the backup before the business notices. Stronger answers include offline copies, object lock, hardened backup repositories, separate credentials, MFA on backup consoles, protected retention, and tested restores. Cyber Insurance Red Flags remain if the backup is connected, untested, or controlled by the same compromised identity.

Can Cyber Essentials help with cyber insurance?

Yes, but it is not a complete substitute for underwriting evidence. Cyber Essentials shows that the business has addressed a recognised UK baseline across firewalls, secure configuration, user access control, malware protection, and security update management. Cyber Insurance Red Flags may still remain around EDR, immutable backups, incident response, logging, supplier access, or sector-specific requirements.

What evidence should an SME prepare before renewal?

Prepare evidence for MFA, privileged access, EDR or endpoint protection, backup configuration and restore tests, patching, asset inventory, remote access, incident response exercises, business continuity, supplier access, and previous incidents. Cyber Insurance Red Flags are easier to resolve before renewal than during a rushed application.

Cyber Insurance Red Flags are not just insurer bureaucracy. They are the controls that help a business survive the incidents cyber policies are designed to fund. MFA reduces account takeover. EDR improves detection. Immutable backups protect recovery. Patching closes known doors. Privileged access control limits blast radius. Monitoring preserves evidence. Incident response keeps decisions clear. SMEs that can prove these controls are more coverage-ready, more resilient, and easier to trust.