What Your Cyber Insurer Wants to See — and How to Get There Fast

Three years ago, cyber insurance was simple: you paid a premium, you got coverage. Today, it is conditional. Insurers are no longer accepting self-declarations. They want evidence — screenshots, configuration reports, audit logs — that you have implemented specific security controls. If you cannot evidence those controls, they will either decline your application or impose exclusions that render the policy worthless if you suffer a breach.

For Irish SMEs, this is a compliance problem and a business risk. You need cyber insurance. But you cannot get it without controls you may not have. This article explains what insurers want, why they want it, and how to get there.


Why Cyber Insurance Premiums Are Rising

The insurance industry is in crisis. Cyber claims have exploded. In 2023, the average cyber insurance claim was €180,000. By 2024, it had risen to €240,000. Insurers are losing money on every policy they write, so they are doing two things: raising premiums and tightening underwriting.

The tightening is not random. Insurers have analysed thousands of breaches and identified a pattern: businesses without specific controls are 10 to 100 times more likely to suffer a breach. So they are now requiring those controls as a condition of coverage.

The controls they are demanding are not exotic. They are not expensive. They are the baseline security measures that the NCSC Ireland, ENISA, and the NIS2 directive all recommend. But many Irish SMEs have not implemented them yet.


The 7 Controls Insurers Now Require

Here are the seven controls that cyber insurers are now asking for. If you cannot evidence all seven, you will struggle to get coverage — or you will get coverage with exclusions that eliminate protection for the very scenarios you are most worried about.

| Control | What It Is | Why Insurers Want It |
|---|---|---|
| Multi-Factor Authentication (MFA) | A second proof of identity (usually a code sent to your phone) required in addition to your password | Blocks 99% of credential-based attacks; Microsoft data shows MFA stops automated attacks cold |
| Endpoint Detection & Response (EDR) | Software that monitors endpoints for suspicious behaviour and can isolate infected devices | Detects and contains ransomware before it spreads across your network |
| Email Security | Dedicated email filtering beyond the built-in Microsoft 365 filter | Stops phishing, BEC, and ransomware delivered via email — the primary attack vector |
| Backup & Recovery | Tested, immutable backups stored offline with documented recovery procedures | Allows you to recover from ransomware without paying the attacker |
| Patch Management | A documented process for applying security updates to all systems within 30 days of release | Closes the vulnerabilities that attackers exploit to gain initial access |
| Access Control | Principle of least privilege — users have only the permissions they need for their role | Limits the damage if an account is compromised |
| Incident Response Plan | A documented plan for what to do if a breach occurs — who to contact, what to preserve, how to communicate | Reduces the cost and impact of a breach by enabling a coordinated response |

What Happens When You Cannot Evidence These Controls

Scenario 1: You apply for cyber insurance. The insurer asks for evidence of MFA, EDR, and backup. You do not have EDR. The insurer declines your application.

Scenario 2: You apply for cyber insurance. You have most controls, but your backup has not been tested in 18 months. The insurer approves your policy but excludes "recovery from ransomware" from coverage. Six months later, you suffer a ransomware attack. You file a claim. The insurer denies it because the exclusion applies.

Scenario 3: You have cyber insurance. You suffer a breach. The insurer investigates and discovers that your incident response plan does not exist — you have no documented process for what to do. The insurer argues that your failure to follow a documented process increased the cost of the breach, and they reduce their payout accordingly.

All three scenarios are real. We have seen them happen to Irish SMEs.


The Gap Between Knowing and Doing

Here is the frustrating part: most Irish SMEs know they need these controls. They have read the NCSC Ireland guidance. They have heard about NIS2. They understand the risk. But they have not implemented the controls.

Why? Because implementation requires specialist knowledge and time. Your IT person knows how to manage Microsoft 365. They do not know how to evaluate EDR products, configure email security, or design an incident response plan. So the controls remain on the to-do list, quarter after quarter.

Meanwhile, cyber insurance premiums keep rising, and insurers keep tightening underwriting. The window to get coverage on reasonable terms is closing.



How to Get There Fast

The fastest way to implement all seven controls is to hand the job to someone who does it professionally. Not a consultant who produces a report. Not a vendor who sells you one product. Someone who takes ownership of the entire implementation.

At Pragmatic Security, our managed security solutions are designed specifically to close this gap. We assess your current posture, identify which controls are missing, select the right tools for your business, deploy them, and manage them on an ongoing basis.

Here is what the implementation timeline looks like:

| Control | Timeline | Effort |
|---|---|---|
| MFA | 1–2 weeks | Low (mostly configuration) |
| Email Security | 2–4 weeks | Medium (requires testing and policy tuning) |
| EDR | 3–6 weeks | Medium (requires rollout across all endpoints) |
| Backup & Recovery | 4–8 weeks | High (requires testing and documentation) |
| Patch Management | 2–4 weeks | Medium (requires process definition and tooling) |
| Access Control | 4–8 weeks | High (requires user audit and permission review) |
| Incident Response Plan | 2–3 weeks | Medium (requires stakeholder input and documentation) |

Total timeline: 8 to 12 weeks to have all seven controls in place and evidenced.

For a business that is currently uninsured or underinsured, that is a 12-week window to close a critical gap.


Why This Matters Beyond Insurance

Implementing these seven controls does more than get you cyber insurance. It significantly reduces your actual risk of suffering a breach. These controls are not insurance company theatre — they are the real, proven defences against the attacks that are actually happening to Irish businesses.

A business with all seven controls in place is 10 to 100 times less likely to suffer a breach than a business without them. That is not a marketing claim. That is what the data shows.

Additionally, these controls are now required or strongly recommended by:

  • NIS2 — the EU's updated cybersecurity directive, which applies to far more Irish businesses than most owners realise
  • GDPR — which requires "appropriate technical and organisational measures" to protect personal data
  • Enterprise clients — who are increasingly asking SME suppliers to evidence security controls before signing contracts

So implementing these controls is not just about insurance. It is about compliance, risk reduction, and competitive advantage.


The Bottom Line

Cyber insurance is no longer optional for Irish SMEs. But getting it requires specific controls. If you have not implemented those controls, the time to do so is now — before premiums rise further and underwriting tightens even more.

A 20-minute conversation will give you a clear picture of which controls you have, which you are missing, and how long it will take to get them all in place.



Ready to Get Insurable?

If your business is uninsured or underinsured because of missing security controls, we can help you close that gap — fast. A 20-minute conversation will give you a clear roadmap to get all seven controls in place.

Book a free 20-minute strategy call with our vCISO team. We work with Irish SMEs across every sector — no jargon, no sales pitch, just honest advice.


Sources: NCSC Ireland — Cybersecurity for SMEs, Cyber Insurance Trends 2024, ENISA — Cybersecurity Threats 2024
