
Your Cyber Insurance Has Conditions. Have You Read Them?

[Image: Cyber insurance policy document highlighting security requirements for UK small businesses]

Somewhere, likely buried in an email thread from your broker, is a document that could determine whether your business survives a cyber-attack. Not your insurance certificate, but the conditions attached to it.

UK insurers paid out £197 million in cyber claims in 2024, more than triple the previous year’s total, according to the Association of British Insurers. The UK Government’s Cyber Security Breaches Survey 2025 found that 62% of small businesses now carry some form of cyber insurance, up from 49% in 2024.

But having a policy and being able to claim on it are two different things. And this is where the cyber insurance small print starts to matter.

What Insurers Are Asking For

To make this practical, we looked at the published cyber insurance requirements from Beazley, one of the UK’s major cyber insurers. This is one insurer’s framework, but the requirements are broadly representative of what the market is asking for. If your insurer is not making similar demands yet, they are likely heading that way.

What caught our attention is the two-tier structure. Four requirements must be met before the policy is even active. Three more are strongly encouraged, and meeting all of them removes the excess you would otherwise pay on a breach response claim. Most business owners we speak to across East Anglia have no idea this structure exists.

The Four Non-Negotiables

Tested, Offline Backups

Most businesses have a backup in some form. The requirement is narrower than that: it is about having at least one backup copy that is disconnected from your live environment, so that ransomware which has compromised a user's account or a server cannot reach it, and it is about testing that copy to confirm a restore actually works. A backup on a NAS that is permanently mapped as a network drive, or a cloud sync folder, does not count as offline: anything the compromised machine can write to, the attacker can encrypt or delete. The National Cyber Security Centre's backup guidance recommends keeping at least one backup copy separate from your network. We regularly find businesses whose backups have been running for months without anyone checking whether a restore would succeed, and a backup job that reports "success" proves only that it ran, not that the data it wrote is complete and readable. The practical test is to restore a sample of files to a scratch location on a schedule and keep a dated record of the result. The gap between having backups and being able to recover is exactly where claims fall apart.
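What "testing the backup" means in practice is a restore into a scratch location followed by a comparison against a record taken when the backup was made. The script below is an added example written for this page, not VMit's own tooling or any product's built-in verification: it represents the backup as a directory tree, writes a SHA-256 manifest alongside it, then performs two test restores, one clean and one where a file has been silently truncated and another is missing, and reports the difference. All file names and contents are constructed for the demonstration; in a real check the manifest is stored with the offline copy and the restore target is a machine that is not the backup server.

```python
"""Test-restore check for an offline backup copy (added example, not from the article).

The backup is modelled as a directory tree, the restore as a copy into a scratch
directory, and the check as a SHA-256 comparison against a manifest written when
the backup was taken.  File names and contents below are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256. Run at backup time."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the restore matches the manifest exactly."""
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupt: {rel}")
    # Files present in the restore but absent from the manifest are also worth knowing about.
    extra = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    problems.extend(f"unexpected: {rel}" for rel in sorted(extra - set(manifest)))
    return problems


def run_demo() -> tuple:
    """Simulate a backup, a clean test restore and a damaged one; return both problem lists."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        live = work / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2025-01-02,120.00\n")  # constructed
        (live / "notes.txt").write_text("constructed sample data\n")  # constructed

        # Take the backup and record the manifest next to it.
        backup = work / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)
        (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Test restore 1: an intact copy restored into a scratch directory.
        good = work / "restore-good"
        shutil.copytree(backup, good)
        good_result = verify_restore(good, json.loads((work / "manifest.json").read_text()))

        # Test restore 2: one file silently truncated, one file missing.
        bad = work / "restore-bad"
        shutil.copytree(backup, bad)
        (bad / "finance" / "ledger.csv").write_text("date,amount\n")
        (bad / "notes.txt").unlink()
        bad_result = verify_restore(bad, manifest)
        return good_result, bad_result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean restore problems:  ", clean)
    print("damaged restore problems:", damaged)
```

The point of the second restore is that a backup job which only checks "did the copy finish" reports both restores as successes; only the manifest comparison distinguishes them. A dated copy of the output is the evidence an insurer will ask for.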

Multi-Factor Authentication on All Critical Services

MFA adds a second step to your login process, typically a code from an authenticator app on your phone, so a stolen password alone is not enough to get in. Insurers now treat this as non-negotiable because, as the NCSC's MFA guidance puts it, passwords alone no longer provide enough security: users choose weak ones, reuse them, or give them away through phishing. Not every second factor is equal. SMS codes are better than nothing but are the easiest to intercept or socially engineer, and a code typed into a convincing fake login page can be relayed by the attacker in real time; an authenticator app is the sensible minimum, and hardware security keys are the strongest option for administrator accounts.

Having MFA on your email but not your CRM, accounting software or remote desktop leaves gaps that insurers will investigate after an incident. Check the whole list: email, file sharing, finance and payroll systems, remote access, and above all the administrator accounts that manage them. For a team of 10-20 people, this is usually straightforward to implement, but someone must make sure it is enforced for every account, including shared mailboxes and service accounts, rather than left as an option users can decline.

No Remote Access without a VPN

If your team connects to office systems from home or on the move, that connection needs to run through a virtual private network. Without one, remote access services like Remote Desktop are visible to anyone scanning the internet, and attackers do this constantly: an RDP port exposed directly to the internet will be found and subjected to password guessing within hours. Putting those services behind a VPN means the only thing reachable from the internet is the VPN endpoint itself, so that endpoint becomes the thing to protect: keep it patched, require MFA on the VPN login, and remove accounts promptly when people leave. Business-grade VPN services add the centralised user management and logging that make those three things manageable, which is the real reason to prefer them over a consumer product.

Annual Cyber Security Awareness Training

Your insurer wants evidence that everyone with access to your systems has been trained to spot threats like phishing emails. This needs to happen at least once a year, and it needs to be documented. The NCSC offers free training resources that cover the basics, including a dedicated anti-phishing module. The important thing for IT compliance purposes is the paper trail. If you cannot prove the training happened, it effectively did not.

Three Standards That Could Save You Money

The second tier covers three additional standards. These are not mandatory before your policy starts, but meeting all three removes the retention (the excess) on your breach response cover.

Prompt Patching, No End-of-Life Software

When software vendors release security updates, they are fixing known vulnerabilities, and once the update is public, attackers can work out what it fixes. Delaying those updates leaves known entry points open. Running software that the vendor has stopped supporting entirely, like older versions of Windows Server, is an even bigger red flag, because no fix will ever arrive for the next vulnerability found in it. Insurers want to see that patching is a routine part of how your IT is managed, with a defined window for applying security updates and a record of when each system was last patched, not something that happens when someone remembers.

Email Scanning for Threats

Phishing remains the most common attack method, reported by 85% of businesses that identified a breach or attack in the Cyber Security Breaches Survey 2025. An email gateway that filters suspicious messages before they reach your team's inboxes is standard practice for a reason. Most email platforms, including Microsoft 365, offer built-in filtering, but it needs to be properly configured: the checks that catch a forged sender (SPF, DKIM and DMARC), impersonation of your own staff and of well-known brands, and links and attachments scanned before delivery are not all switched on at their useful settings by default, and an insurer will want to see the configuration, not just the licence.
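To make concrete what "filtering suspicious messages" involves at the header level, here is an added example written for this page, not part of the article and not the filtering logic of Microsoft 365 or any other product. It runs three of the checks a gateway applies to an inbound message: the sender-authentication results (SPF, DKIM, DMARC) recorded by the receiving server, a Reply-To address pointing at a different domain from the From address, and a display name that names a brand the sending domain does not belong to. The two messages and the brand list are constructed for the demonstration.

```python
"""Header-level phishing triage (added example, not from the article or any product).

Applies three gateway-style checks to a raw message: sender authentication results,
Reply-To diverging from From, and a display name impersonating a protected brand.
The two sample messages and the PROTECTED list are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Brand names which, if they appear in a display name, must be sent from this domain (demo list).
PROTECTED = {"microsoft": "microsoft.com", "hmrc": "hmrc.gov.uk"}

# Constructed sample: a legitimate invoice whose sender authentication all passed.
CLEAN = """From: Accounts <accounts@example.co.uk>
To: owner@example.co.uk
Subject: Invoice 1042
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk; dmarc=pass header.from=example.co.uk

Please find invoice 1042 attached.
"""

# Constructed sample: brand impersonation from a lookalike domain with failed authentication.
PHISH = """From: "Microsoft 365 Support" <support@m1crosoft-login.com>
Reply-To: helpdesk@mail-recovery.net
To: owner@example.co.uk
Subject: Your password expires today
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=m1crosoft-login.com; dkim=none; dmarc=fail header.from=m1crosoft-login.com

Verify your account within 24 hours or lose access.
"""


def auth_results(msg) -> dict:
    """Collect method=verdict pairs from every Authentication-Results header on the message."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower()


def triage(raw: str) -> list:
    """Return the reasons a message should be quarantined; an empty list means it passed these checks."""
    msg = message_from_string(raw)
    reasons = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Sender authentication as recorded by the receiving server.
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method)
        if verdict is not None and verdict != "pass":
            reasons.append(f"{method} {verdict}")
    if "dmarc" not in auth:
        reasons.append("no dmarc result recorded")

    # 2. Replies silently redirected to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")

    # 3. Display name claims a protected brand but the sending domain is not that brand's.
    for brand, domain in PROTECTED.items():
        if brand in display_name.lower() and not (
            from_domain == domain or from_domain.endswith("." + domain)
        ):
            reasons.append(f"display name claims {brand} but sender is {from_domain}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("phish", PHISH)):
        print(label, "->", triage(raw) or "no findings")
```

Each reason is a separate finding so the quarantine decision and the logged evidence can be reviewed independently. Real gateways combine many more signals (link rewriting, attachment detonation, sender reputation), but the three shown here are the ones most often left unconfigured when "we have Microsoft 365 filtering" is the only answer.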

Endpoint Protection on All Devices

Every laptop, desktop and phone that connects to your business data should be running security software. Modern endpoint protection goes beyond traditional antivirus: rather than only matching known malicious files, it watches for suspicious behaviour on the device (credential dumping, mass file encryption, unusual scripts) and reports it to a central console so someone can respond. The word "all" matters here, too; it only takes one unprotected device, and personal laptops and phones used for work email are the ones most often missed.

The Question Worth Asking

Most businesses across Norfolk, Suffolk and Cambridgeshire took out cyber insurance because their broker recommended it. That was a sensible decision. But the conditions attached to that policy create obligations that many have never reviewed, obligations that directly affect whether a claim will be honoured.

If you have already been through Cyber Essentials certification, you will recognise most of these requirements. The overlap is significant. But certification and insurance compliance are not the same thing, and your policy may have specific conditions that go beyond what Cyber Essentials covers.

So the question is straightforward: how many of these seven requirements does your business meet right now in practice, with evidence you could show an insurer?

It is worth pulling out your own policy documentation or asking your broker to walk you through the conditions. If you would like help making sense of what those conditions mean in practical terms – or if you are looking for East Anglia IT support that understands compliance – we’d be more than happy to jump on a free 30-minute call with you to provide clarity.

Book your 30-minute conversation here.


Author

Martha Bloomfield

With over 13 years in IT and 8½ years at VMit, Martha leads technical delivery and strategy for our most complex, security-focused clients, combining hands-on expertise, client management, and a practical, people-first approach to building reliable, future-ready IT.