Cyber Insurance Requirements 2025: How to Qualify
In 2025, most cyber insurance requirements for small and mid-sized businesses include multi-factor authentication (MFA), endpoint detection and response (EDR), secure and tested backups, timely patching, and basic security policies and training. To qualify, SMBs in the US, UK and EU should run a quick cyber risk assessment, close obvious MFA/EDR/backup gaps, document their controls, and work with a broker or advisor to present clear evidence to underwriters.
Introduction
If cyber insurance once felt like ticking boxes on a questionnaire, 2025 is the year that stopped. Ransomware severity keeps climbing: some portfolios saw roughly a 25% year-on-year rise in attacks in 2024, even as overall claim frequency has stabilised. ([Munich Re][1]) At the same time, cumulative GDPR fines have passed roughly €6 billion, sharpening regulators’ and boards’ focus on cyber risk.
Insurers like Coalition, At-Bay, Beazley, Hiscox, Allianz and Munich Re now want hard proof of controls before offering cyber liability insurance coverage, especially to SMBs in New York, London, Berlin or across the wider EU. In this guide, we’ll look at what 2025 cyber insurance requirements actually are, why they’re tightening, and how your business can go from “declined” to “covered” in roughly 90 days, even if you don’t have MFA or EDR in place today.
Note
This article is for general information only and is not legal, regulatory or financial advice. Always confirm details with your broker, insurer and legal counsel.
What Are Cyber Insurance Requirements in 2025?
Cyber insurance requirements in 2025 are the minimum security controls and governance practices you need in place to be eligible for a policy or to avoid punitive terms like high deductibles, low limits or ransomware exclusions. They’re different from coverage terms (what the policy actually pays for) but directly influence limits, sublimits and pricing.
Cyber insurance requirements vs. coverage terms
Think of cyber insurance requirements as the inputs: controls like MFA, EDR, backups, logging, governance and incident response capabilities that underwriters expect to see before they offer you cyber liability insurance coverage.
Coverage terms are the outputs: how much they’ll pay, for which types of incidents (ransomware, business interruption, data breach response, regulatory investigations), and under what conditions.
A typical pattern:
An insurer requires MFA on email and remote access as a condition of any ransomware cover.
If you don’t have it, they may exclude ransomware entirely or decline to quote.
If you do have strong controls, you may secure higher limits or better pricing because cyber risk assessment and scoring tools rate you more favourably.
Who sets the requirements: insurers, reinsurers, regulators
No single body owns cyber insurance requirements. They’re shaped by three main groups:
Retail insurers such as Coalition, Chubb, At-Bay, Beazley and Hiscox, who issue policies directly to businesses.
Reinsurers such as Munich Re and Allianz, who backstop large books of cyber risk and push for tighter underwriting standards when loss ratios rise.
Regulators and frameworks that underwriters quietly borrow from: GDPR and UK GDPR, NIS2, HIPAA Security Rule, PCI DSS, SOC 2, state breach laws in the US, BaFin guidance in Germany, NHS and ICO guidance in the UK.
In practice, each market (London, US admitted markets, EU carriers) has its own questionnaires but the core controls are converging.

How 2025 differs from “check-the-box” questionnaires
The old reality: tick “Yes” to “Do you have backups?” and “Do you patch regularly?” and you’d often get a quote.
The 2025 reality looks very different:
Underwriters increasingly ask for evidence: screenshots from your EDR console, MFA policies, backup reports, SOC 2 roadmaps.
Many carriers run external attack-surface scans to see open ports, outdated TLS, exposed RDP or leaked credentials before quoting.
Some use continuous cyber underwriting, monitoring your security posture between renewals.
If you’re still treating the application as a paperwork exercise, you’ll struggle to qualify, especially in higher-risk sectors like healthcare, financial services, SaaS and manufacturing.
Minimum Technical Controls Most Insurers Expect Now
For 2025, the minimum cyber insurance requirements for small and mid-sized businesses almost always include: MFA for key systems, EDR on endpoints, secure and tested backups, patch management, and basic security awareness and incident response planning. Without these, most SMBs in the US, UK or EU will either be declined, offered reduced cyber liability insurance coverage, or see ransomware carved out entirely.
Multi-factor authentication (MFA) for email, VPN and remote access
Underwriters now treat MFA as non-negotiable for:
Email (Microsoft 365, Google Workspace)
VPNs and remote desktop
Critical SaaS (e.g., finance, HR, production control systems)
Expect questions like:
Is MFA enforced for all admin users and remote access?
Are you using phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) for admins and remote access, and at least authenticator-app codes or push prompts rather than SMS everywhere else? (App-based codes are better than SMS but are not phishing-resistant.)
Insurers in markets like London and New York routinely decline accounts with shared admin passwords or no MFA on remote access because these are still the most common footholds in ransomware incidents.
For a deeper dive into the broader zero trust posture MFA sits inside, see Mak It Solutions’ guide on Zero Trust Security in 2025.
Endpoint Detection & Response (EDR), AV and device management baselines
Traditional antivirus is no longer enough on its own. Most 2025 questionnaires explicitly ask whether you have:
Endpoint detection and response (EDR) or XDR on servers and laptops
Centralised device management (e.g., Intune, Jamf, MDM)
Policies for blocking unsupported or unpatched OS versions
Insurers focus on EDR because modern ransomware often moves laterally within minutes; EDR tools such as CrowdStrike, Microsoft Defender or SentinelOne can detect and contain that activity before it escalates. Many carriers expect at least “next-gen AV/EDR” on all internet-facing and privileged endpoints, especially for remote workers in San Francisco, London or Berlin.
Backups, recovery and ransomware resilience (offline copies, RPO/RTO)
Ransomware is still one of the most expensive causes of claims, even where frequency has stabilised. Questionnaires now drill into:
Do you have immutable or offline backups (e.g., object-lock, tape, vaulted snapshots)?
What’s your RPO/RTO (how much data you can afford to lose, and how quickly you can recover)?
Have you tested restores in the last 12 months?
If your backups are online-only and reachable from production accounts, many underwriters will treat ransomware as functionally uninsurable. For practical ransomware defence techniques, see Mak It Solutions’ piece on Ransomware Trends 2025.
Patch management, vulnerability scanning and basic hardening
Insurers see patching and hardening as hygiene, not heroics. Expect them to ask:
Do you have automated patching for OS and core apps?
How quickly do you patch critical vulnerabilities (e.g., within 7–14 days)?
Do you run regular vulnerability scans or penetration tests?
These controls map closely to NIS2 Article 21 and SOC 2 requirements, which emphasise risk-based patch management and vulnerability management.
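An added example (not the page's or Mak It Solutions' code) of turning a vulnerability-scanner export into the patch-SLA numbers the questions above ask for: share of critical findings fixed within SLA, and which breaches are still open. The CSV layout, the 7/14/30-day SLAs by severity, the hosts and the placeholder finding IDs are all constructed for illustration; swap in your scanner's export and the SLA you actually commit to on the questionnaire.

```python
"""Patch-SLA report from a vulnerability-scanner export (added example, not the page's code)."""
from __future__ import annotations
import csv
import io
from datetime import date

# Assumed remediation SLAs in days from first detection; align these with your questionnaire answer.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}
DEFAULT_SLA = 90

# Constructed export: hypothetical hosts and placeholder finding IDs, not real vulnerabilities.
SAMPLE_EXPORT = """\
finding_id,host,severity,first_seen,fixed_on,internet_facing
F-001,vpn-01.example.com,critical,2025-03-01,,yes
F-002,fileserver-02,high,2025-03-05,2025-03-12,no
F-003,web-03.example.com,critical,2025-03-10,2025-03-15,yes
F-004,legacy-erp,medium,2025-01-20,,no
"""


def parse_export(text: str) -> list[dict]:
    """Read the export; empty fixed_on means the finding is still open."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["fixed_on"] = date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None
        row["internet_facing"] = row["internet_facing"].strip().lower() == "yes"
        rows.append(row)
    return rows


def sla_status(row: dict, today: date) -> dict:
    """Days the finding was open (until fix, or until today), the SLA and whether it was met."""
    end = row["fixed_on"] or today
    days_open = (end - row["first_seen"]).days
    target = SLA_DAYS.get(row["severity"].lower(), DEFAULT_SLA)
    return {
        "finding_id": row["finding_id"],
        "host": row["host"],
        "severity": row["severity"].lower(),
        "days_open": days_open,
        "sla_days": target,
        "fixed": row["fixed_on"] is not None,
        "within_sla": days_open <= target,
        "internet_facing": row["internet_facing"],
    }


def sla_report(text: str, today_iso: str) -> dict:
    """The numbers a questionnaire asks for: share of criticals fixed within SLA and the
    still-open breaches, with internet-facing ones separated because external scanners see those."""
    today = date.fromisoformat(today_iso)
    statuses = [sla_status(r, today) for r in parse_export(text)]
    critical = [s for s in statuses if s["severity"] == "critical"]
    open_breaches = [s for s in statuses if not s["fixed"] and not s["within_sla"]]
    return {
        "findings": len(statuses),
        "critical_within_sla_pct": (round(100 * sum(s["within_sla"] for s in critical) / len(critical))
                                    if critical else 100),
        "open_breaches": open_breaches,
        "internet_facing_open_breaches": [s for s in open_breaches if s["internet_facing"]],
    }


if __name__ == "__main__":
    report = sla_report(SAMPLE_EXPORT, "2025-03-20")   # assumed reporting date
    print(f"{report['findings']} findings, {report['critical_within_sla_pct']}% of criticals within SLA")
    for s in report["open_breaches"]:
        print(f"  BREACH {s['finding_id']} {s['host']} {s['severity']} open {s['days_open']}d (SLA {s['sla_days']}d)")
```

The open, internet-facing breach on the VPN host is the kind of item an underwriter's own scan will find before you disclose it, and the kind of "known but unremediated critical vulnerability" that can surface later as a coverage exclusion; run this against each scan export and keep the output with your underwriter pack.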
Security awareness training and incident response planning
“Soft” controls still strongly influence eligibility and pricing. Underwriters often ask whether you:
Run phishing awareness training at least annually
Have a documented ransomware incident response (IR) plan
Have an internal or external incident commander and legal counsel on call
In the UK, NHS suppliers and financial services firms are expected to show evidence of regular training and rehearsed IR plans. Many SMBs in Chicago, Manchester or Munich can quickly uplift this area using online training platforms plus a simple tabletop exercise. Mak It Solutions’ Phishing Awareness Training in the Middle East offers transferable patterns you can adapt for US/EU teams.
How to Qualify for Cyber Insurance
If you don’t yet meet minimum cyber insurance requirements, you can still become insurable by taking a structured, step-by-step approach. The fastest path is to understand your current gaps, prioritise MFA/EDR/backups, and line up trusted partners before you approach brokers in the US, UK or EU.
Run a quick internal cyber risk assessment and gap analysis
Start with a lightweight cyber risk assessment and scoring exercise:
Inventory key systems (email, ERP/CRM, cloud, production)
Identify where MFA, EDR, backups and patching are missing
Map your posture to a simple framework (NIST CSF, CIS Controls, NIS2)
You don’t need a 200-page SOC report to begin; a concise gap analysis aligned to insurer questionnaires is often enough to move from “no quote” to “conditional quote.” Mak It Solutions’ Business Intelligence Services can help you turn raw IT data into clear risk dashboards for boards and underwriters.
Prioritise “must-have” controls for your next renewal (MFA, EDR, backups first)
For most SMBs, the 80/20 moves to qualify are:
MFA everywhere important (email, VPN, admin, finance SaaS)
EDR on servers and laptops, starting with admins and critical systems
Immutable/offline backups, with at least quarterly restore tests
Set a target date (for example, “before our October London Market renewal”) and work backwards. You can leave lower-priority items (such as new SIEM tooling) for later; insurers mainly want to see the big three plus basic governance.
How to qualify if you lack internal IT or a CISO (MSPs, MSSPs, vCISO options)
If you don’t have an internal CISO in New York, Manchester or Munich, underwriters don’t automatically penalise you. What they care about is whether you have credible partners:
MSPs for day-to-day IT and patching
MSSPs for 24/7 monitoring, EDR and incident response
vCISO services to design policies, run tabletop exercises and interface with insurers
Many cyber carriers even maintain partner lists of approved MSSPs or incident response firms. Mak It Solutions works with security and cloud providers across the US, UK, Germany and wider Europe, helping teams integrate these services into DevSecOps and cloud architectures. ([Makitsol][9])
Working with a broker or advisor to present your security posture
A good cyber broker can be the difference between a painful decline and a competitive quote. They can:
Match you to markets (Coalition vs. London syndicates vs. regional EU carriers)
Help translate your technical posture into underwriter-friendly language
Time your submissions around visible improvements (e.g., MFA rollout completed)
Bring them a clear story: “Here’s our 2024 incident history, here’s what went wrong, here’s the 2025 remediation plan we’re executing (MFA, EDR, backups, NIS2 alignment).” That alone significantly improves your odds.
Cyber Insurance Eligibility Checklist for 2025
Here’s a practical cyber insurance eligibility checklist you can use before you renew or apply. Many elements mirror underwriter questionnaires in the US, UK and EU, and align with NIS2 Article 21 requirements.
Governance & policies:
Written acceptable use policy (AUP) for staff
Documented incident response plan covering ransomware, data breach and business interruption
Vendor risk management process (especially for cloud, SaaS, MSPs and payment processors)
Defined roles for IT, security, legal, communications and external IR firms
Identity & access: MFA, privileged access, offboarding controls
MFA enforced on email, VPN, admin consoles and critical apps
Role-based access control with least privilege for admins
Joiners-movers-leavers process with timely offboarding
Centralised identity (e.g., Azure AD/Entra ID, Okta, Google) with logs retained
Devices & networks:
EDR or next-gen AV deployed on servers and endpoints
Disk encryption on laptops and mobile devices
Network segmentation between critical systems and general office networks
Hardened remote access (no open RDP to the internet; VPN with MFA; split-tunnel considered carefully)
Data protection:
Regular, tested backups with at least one offline/immutable copy
Encryption in transit (TLS 1.2+) and at rest for key systems
Basic data classification (e.g., public/internal/confidential) mapped to controls
For payments and healthcare: PCI DSS and HIPAA-aligned protections where applicable
Documentation you should have ready for the underwriter
Before you complete any 2025 questionnaire, assemble:
Screenshots from your MFA, EDR and backup dashboards
A one-page summary of your cyber risk assessment and scoring
Key policies: AUP, IR plan, backup policy, vendor management policy
Any SOC 2 roadmap or ISO 27001 plan you’re already working on
This bundle becomes your “eligibility pack” and speeds up underwriting dramatically.
2025 Policy Changes and Underwriting Trends You Need to Know
Cyber insurance policies are becoming harder to qualify for in 2025 because loss severity keeps rising, regulations are getting tougher, and reinsurers are pushing carriers to tighten controls. S&P Global expects the cyber market to grow around 5–10% annually over the next three years, but only with stricter underwriting and careful exposure management. ([Insurance Insider][12])
Why cyber insurance premiums and requirements are rising in the US, UK and EU
Key drivers include:
Ransomware severity: some reports show roughly a 25% increase in attacks in 2024, with data exfiltration and double extortion now the norm.
Systemic events: incidents like large healthcare or cloud outages impact thousands of organisations at once.
Regulatory fines and litigation: GDPR fines alone now exceed €6 billion.
All of this has made cyber insurance a capital-intensive line, so carriers manage it with tighter eligibility requirements and more selective deployment of capacity.
Ransomware coverage tightening
Even when you qualify, ransomware cover is often:
Subject to sublimits (e.g., lower limits for ransom payments than for forensics)
Limited by co-insurance (you may have to pay a percentage of ransom or restoration costs)
Excluded entirely for businesses with weak backups, no MFA or legacy unsupported systems
If your infrastructure is heavily dependent on a single cloud region or MSP, expect extra scrutiny and questions about resilience, backups and ransom negotiation policies.
Continuous cyber underwriting and external attack-surface scanning
A growing trend in 2025 is continuous underwriting: insurers use external scanners and threat intel providers to:
Monitor your exposed infrastructure (domains, IPs, TLS, open ports)
Pick up leaked credentials or exposed databases
Track patching of critical CVEs on public-facing systems
If they see persistent risky patterns (e.g., exposed RDP from a UK office or an unpatched VPN appliance in Germany), expect tougher renewal negotiations or, in extreme cases, mid-term conditions.
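What an underwriter's external scan sees can be checked before they see it. The following is an added example, not the page's or Mak It Solutions' tooling: `scan_host` connects out and, for each open port, tests which TLS versions the service will negotiate by pinning both ends of the version range with Python's `ssl` module, and `assess_exposure` is a pure function that turns that result into findings. `vpn.example.com` and the sample scan result are constructed; the list of risky ports and the severities are this example's assumptions, not any insurer's published criteria.

```python
"""Pre-underwriting exposure self-check (added example, not Mak It Solutions' tooling)."""
from __future__ import annotations
import socket
import ssl
from dataclasses import dataclass

# Assumption: services underwriters repeatedly flag when reachable from the internet.
RISKY_PORTS = {
    21: "FTP (cleartext credentials)",
    23: "Telnet (cleartext remote shell)",
    445: "SMB (ransomware lateral-movement and exploit target)",
    3389: "RDP (the most common ransomware foothold)",
    5900: "VNC (often weak or no authentication)",
}
DEPRECATED_TLS = {"TLSv1", "TLSv1_1"}     # names as ssl.TLSVersion spells them
MODERN_TLS = {"TLSv1_2", "TLSv1_3"}
ALL_TLS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
           ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


@dataclass
class Finding:
    host: str
    port: int
    severity: str   # "high" or "medium"
    issue: str


def probe_tls_version(host: str, port: int, version: ssl.TLSVersion,
                      timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`.
    Caveat: the client's own OpenSSL must still be willing to offer that version;
    OpenSSL 3 refuses TLS 1.0/1.1 unless the security level is lowered, so a False
    for those can mean "my client could not offer it" rather than "server rejected it"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # testing protocol support, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let OpenSSL 3 offer legacy versions
    except (ValueError, ssl.SSLError):
        return False                     # this client cannot even offer the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def scan_host(host: str, ports: list[int]) -> dict:
    """Network collector: which ports answer, and which TLS versions each one accepts."""
    result = {"host": host, "open_ports": {}}
    for port in ports:
        try:
            socket.create_connection((host, port), timeout=3.0).close()
        except OSError:
            continue   # closed or filtered: not part of the exposed surface
        result["open_ports"][port] = [v.name for v in ALL_TLS
                                      if probe_tls_version(host, port, v)]
    return result


def assess_exposure(scan: dict) -> list[Finding]:
    """Pure function over a scan result; open_ports maps port -> accepted TLS version
    names ([] means the service never completed a TLS handshake, e.g. raw RDP)."""
    host, findings = scan["host"], []
    for port, versions in sorted(scan["open_ports"].items()):
        if port in RISKY_PORTS:
            findings.append(Finding(host, port, "high", f"exposed {RISKY_PORTS[port]}"))
        old = sorted(DEPRECATED_TLS & set(versions))
        if old:
            findings.append(Finding(host, port, "medium",
                                    "accepts deprecated " + ", ".join(old)))
        if versions and not (MODERN_TLS & set(versions)):
            findings.append(Finding(host, port, "high", "no TLS 1.2+ offered"))
    return findings


# Constructed sample in the shape scan_host() returns, so the assessment runs offline.
SAMPLE_SCAN = {
    "host": "vpn.example.com",                    # hypothetical host
    "open_ports": {
        443: ["TLSv1", "TLSv1_2", "TLSv1_3"],    # HTTPS still negotiates TLS 1.0
        3389: [],                                 # RDP reachable from the internet
        8443: ["TLSv1_1"],                        # management UI, TLS 1.1 only
    },
}

if __name__ == "__main__":
    for f in assess_exposure(SAMPLE_SCAN):
        print(f"{f.severity:<6} {f.host}:{f.port}  {f.issue}")
```

Run `scan_host` only against hosts you own or are authorised to test, from outside your network, so it sees what the insurer's scanner sees; the offline `assess_exposure` step is what you keep as evidence once the findings are fixed.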
What underwriters look at beyond your questionnaire
What you type into the form is no longer the only source of truth. Underwriters may also look at:
Domain reputation and email security (SPF, DKIM, DMARC)
Third-party risk: cloud, Open Banking APIs, KRITIS providers and MSPs you depend on
Historic incident patterns and how effectively you remediated them
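SPF and DMARC are readable by anyone who can query DNS, which is why they show up on external scans. Below is an added example (not from the page or Mak It Solutions) that evaluates the two TXT records the way a scanner would: the final `all` qualifier and lookup budget of SPF, and the policy, enforcement percentage and reporting address of DMARC. Records are passed in as strings (the output of `dig +short TXT _dmarc.yourdomain`); the sample records are constructed, and the lookup count covers only the top-level record because following `include:` chains needs live DNS. DKIM is not checked here because its selector records cannot be enumerated externally without knowing the selector name.

```python
"""SPF/DMARC self-check (added example, not from the page or Mak It Solutions)."""
from __future__ import annotations
import re

# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows.
# The lookahead keeps 'a' from matching 'all'.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def parse_tags(record: str) -> dict[str, str]:
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', ...} (case-tolerant keys)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str | None) -> list[str]:
    """Issues an external scanner would raise for the _dmarc TXT record (None = no record)."""
    if not record:
        return ["no DMARC record: spoofed mail from your domain is delivered unchecked"]
    tags = parse_tags(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("record does not start with v=DMARC1, so receivers ignore it")
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none is monitor-only; move to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        issues.append("sp=none leaves subdomains unprotected")
    return issues


def evaluate_spf(record: str | None) -> list[str]:
    """Issues for the SPF TXT record: the final 'all' qualifier and the lookup budget.
    Only the top-level record is counted; following include: chains needs live DNS."""
    if not record:
        return ["no SPF record"]
    terms = record.split()
    issues = []
    if not terms or terms[0].lower() != "v=spf1":
        issues.append("record does not start with v=spf1")
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all authorises every host on the internet to send as you")
        elif qualifier == "?":
            issues.append("?all is neutral; use ~all or -all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the 10-lookup limit (permerror)")
    return issues


# Constructed records for a hypothetical domain, not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.google.com include:mail.example-crm.com a mx ?all"
STRONG_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    checks = (("SPF", WEAK_SPF, evaluate_spf), ("SPF", STRONG_SPF, evaluate_spf),
              ("DMARC", WEAK_DMARC, evaluate_dmarc), ("DMARC", STRONG_DMARC, evaluate_dmarc))
    for label, rec, check in checks:
        print(f"{label}: {rec}")
        for issue in check(rec) or ["ok"]:
            print("   -", issue)
```

A `p=none` DMARC record is the most common finding here: it is where most organisations stop after the initial rollout, and an underwriter reads it as "spoofing your domain still works".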
This is where a DevSecOps approach pays off. Mak It Solutions’ guide on DevSecOps Best Practices 2025 shows how to bake these expectations into your pipelines instead of treating them as last-minute underwriting homework.
GEO Snapshot
While core controls are converging, underwriters in the US, UK, Germany and the wider EU still reflect local regulations and norms in how they apply cyber insurance requirements.
United States: HIPAA, PCI DSS, SOC 2 and state breach laws as de-facto baselines
In the US, insurers commonly gauge your posture against:
HIPAA Security Rule for healthcare and health-tech, focusing on safeguards for ePHI.
PCI DSS for merchants, fintechs and processors handling card data.
SOC 2 for SaaS, MSPs and cloud services.
State-level breach laws and CCPA/CPRA in California.
A hospital network in Chicago or a telehealth startup in San Francisco may need to show underwriters their HIPAA risk analysis, encryption, MFA and vendor management programmes before getting meaningful limits.
United Kingdom: UK GDPR, NHS suppliers, London Market expectations
In the UK, the London Market (Beazley, Hiscox, etc.) is influential. Underwriters typically expect:
Strong alignment with UK GDPR security expectations, as articulated by the ICO.
For NHS suppliers: compliance with NHS DSPT (Data Security and Protection Toolkit).
Documented IR processes that include notification to the ICO and potentially affected individuals.
A managed service provider in Manchester working with NHS trusts will see more questions around segmentation, logging and IR readiness than a purely local retailer.
Germany & EU: NIS2, GDPR and BaFin guidance for critical & financial entities
In Germany and the EU, insurers are rapidly aligning questionnaires with NIS2 and sectoral guidelines:
NIS2 Article 21’s ten minimum risk management measures are becoming a reference checklist.
BaFin guidance for banks, insurers and KRITIS entities emphasises resilience, outsourcing and IT risk management.
GDPR remains the central framework for breach handling and data security expectations.
A KRITIS energy operator near Munich or a bank in Frankfurt will see heavier emphasis on OT segmentation, incident reporting and board-level governance than a small design agency in Amsterdam.
Sector-specific differences
Across all GEOs, underwriting is more demanding where stakes are higher.
Healthcare & NHS suppliers: HIPAA/UK GDPR alignment, IR maturity, resilience to system outages.
Financial services & Open Banking: PCI DSS, PSD2/Open Banking API security, third-party risk management.
Manufacturers & industrials: convergence of IT/OT, segmentation between office IT and plant networks.
Critical infrastructure (KRITIS): NIS2-level controls, supply chain security, well-rehearsed crisis management.
How NIS2, GDPR and Other Regulations Affect Cyber Insurance Requirements
Regulations don’t directly write your cyber insurance policy, but they heavily shape the control checklists insurers use and the types of loss they expect to cover. That’s one reason 2025 cyber insurance requirements feel stricter: carriers are trying to keep pace with NIS2, GDPR/UK GDPR, HIPAA and PCI DSS all at once.

NIS2 minimum security measures and how insurers reuse them
NIS2 Article 21 lists minimum measures like risk analysis, incident handling, backup management, supply chain security, vulnerability handling and cryptography. Insurers increasingly treat this list as a ready-made checklist for NIS2-critical entities in Germany and the wider EU.
If you can show clear mapping between your controls and NIS2 requirements (for example, using ENISA’s technical implementation guidance), your odds of getting competitive cyber terms improve dramatically.
GDPR/UK GDPR data breach obligations and the role of cyber insurance
GDPR and UK GDPR require “appropriate technical and organisational measures” for security, and strict timelines for breach detection and notification. Most cyber policies now focus on covering:
Forensics and incident response
Legal advice and regulatory engagement
Notification, credit monitoring and PR support
Fines themselves are often uninsurable or only insurable where local law permits. Underwriters want to see that you treat GDPR fines as something to be prevented via strong controls, not simply transferred to insurers.
HIPAA and PCI DSS
US healthcare entities and payments companies face a double burden:
HIPAA Security Rule requires administrative, technical and physical safeguards for ePHI.
PCI DSS sets strict requirements for storing, processing and transmitting card data.
Underwriters expect:
Documented HIPAA risk analyses and remediation plans
Segmented cardholder data environments with strong access controls
Evidence of ongoing assessments (e.g., PCI SAQs, pen tests)
BaFin, NHS and other regulators’ guidance insurers care about
Insurers also track sector-specific regulatory guidance, including:
BaFin IT and outsourcing circulars for German financial institutions and insurers.
NHS England and DSPT requirements for healthcare providers and vendors.
ICO guidance for UK GDPR compliance
If you can demonstrate alignment with these, it becomes easier for underwriters to justify broader coverage and higher limits.
Fast-Track Playbook
If you currently lack MFA or EDR, you can still quickly become eligible for cyber insurance by following a 90-day playbook. The goal is to move from ad-hoc controls to a demonstrably insurable posture before your next renewal.
Baseline assessment and picking the right controls
Run a focused risk and gap assessment against insurer requirements.
Prioritise systems: email, identity, VPN, production apps, backups.
Decide which MFA, EDR and backup solutions you’ll implement first (cloud-native where possible).
This is also the time to clean up obvious red flags: disable unused remote access, remove shared admin accounts, and document a simple IR plan.

Rolling out MFA, EDR and hardened backups without breaking the business
Roll out MFA in phases (admins and finance first, then all staff).
Deploy EDR to high-value endpoints, then expand to all workstations and servers.
Implement immutable/offline backups and perform at least one restore test.
Keep communication tight with business units so changes don’t disrupt critical operations in New York, London or Berlin. DevSecOps practices from Mak It Solutions’ cloud and security work can help you automate these rollouts.
Proving your posture with reports and roadmaps
Export summary reports from your MFA, EDR and backup systems.
Update your policies and attach them to a simple security programme overview.
Draft a SOC 2 or ISO 27001 roadmap if relevant, even if it’s a 12–18 month journey.
Insurers don’t need perfection; they need credible evidence that you’re actively improving. Mak It Solutions’ AI in Cybersecurity article covers how to use automation and AI safely to support this work.
When to re-approach insurers or brokers for quotes or improved terms
Once your big-ticket items (MFA, EDR, backups) are live and you’ve got documentation in hand:
Re-approach your broker with a clear before/after narrative.
Ask specifically for improved ransomware terms or higher limits.
Use competitive quotes (where available) to negotiate on pricing and conditions.
For many SMBs, this 90-day playbook is enough to move from “uninsurable” to “insurable with conditions” and, over time, to more favourable terms.
Common Reasons Businesses Fail to Qualify
Many businesses fail to qualify for cyber insurance in 2025 for predictable reasons, most of which are fixable in weeks, not years.
No MFA, weak passwords or shared admin accounts
This is the single biggest underwriter red flag. To fix it quickly:
Enforce MFA for all remote and admin access.
Remove shared admin logins; move to named accounts and password managers.
Implement basic password policies and, ideally, SSO.
Legacy systems, unsupported OS and unpatched vulnerabilities
Unpatched or unsupported systems are often where attackers start. Prioritise:
Isolating legacy systems behind firewalls and jump hosts
Applying vendor patches or moving to supported versions
Logging and monitoring access paths carefully
Poor backup practices and lack of tested recovery
From an insurer’s perspective, if backups fail, everything fails. Fixes include:
Implementing immutable or offline backups
Testing restores for critical applications
Documenting RPO/RTO for key services
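For the "tested restores" and RPO/RTO questions in the backups section earlier and the fixes listed here, an added example (not the page's or Mak It Solutions' code) of a restore test that produces an evidence record rather than a verbal "we tested it": it hashes the source at backup time, restores the archive into a scratch directory, re-hashes every file and reports integrity, backup age against the RPO and restore time. The tar-plus-JSON-manifest layout, the 24-hour RPO, the timestamps and the sample files are assumptions constructed inside the script so that it runs stand-alone.

```python
"""Restore test with an evidence record (added example, not the page's or Mak It Solutions' code)."""
from __future__ import annotations
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source: Path, manifest: Path) -> dict[str, str]:
    """Hash every file under `source` at backup time: relative POSIX path -> SHA-256."""
    digests = {p.relative_to(source).as_posix(): sha256_of(p)
               for p in sorted(source.rglob("*")) if p.is_file()}
    manifest.write_text(json.dumps(digests, indent=1))
    return digests


def make_backup(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_test(archive: Path, manifest: Path, taken_at: datetime,
                 rpo: timedelta, now: datetime) -> dict:
    """Restore into a scratch directory, re-hash every file, and return the evidence record."""
    expected = json.loads(manifest.read_text())
    started = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")   # refuses path traversal and special members
            except TypeError:                          # Python without the extraction-filter backport
                tar.extractall(dest)
        mismatched = [rel for rel, digest in expected.items()
                      if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]
    return {
        "archive": archive.name,
        "files_expected": len(expected),
        "files_mismatched": mismatched,
        "integrity_ok": not mismatched,
        "backup_age_hours": round((now - taken_at).total_seconds() / 3600, 1),
        "within_rpo": now - taken_at <= rpo,
        "restore_seconds": round((datetime.now(timezone.utc) - started).total_seconds(), 3),
    }


def demo(corrupt: bool = False) -> dict:
    """Build a constructed backup set in a temp dir, optionally change a file after the
    manifest was taken, and run the restore test against an assumed 24-hour RPO."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"-- constructed sample dump\n" * 100)
        (src / "config.yaml").write_text("retention_days: 30\n")
        manifest, archive = root / "manifest.json", root / "nightly.tar.gz"
        write_manifest(src, manifest)
        if corrupt:   # the archive will no longer match what the manifest attested
            (src / "config.yaml").write_text("retention_days: 31\n")
        make_backup(src, archive)
        taken = datetime(2025, 3, 20, 2, 0, tzinfo=timezone.utc)   # assumed backup timestamp
        return restore_test(archive, manifest, taken,
                            rpo=timedelta(hours=24), now=taken + timedelta(hours=6))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
    print(json.dumps(demo(corrupt=True), indent=1))
```

Keep the JSON records from each scheduled run; a dated series of `integrity_ok: true` results with measured restore times is exactly the evidence the "have you tested restores in the last 12 months" question wants, and a `within_rpo: false` entry is your early warning that the backup job has silently stopped.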
Limited documentation: “We do it, but we can’t prove it”
Underwriters can’t price what they can’t see. Solve this by:
Writing concise policies (AUP, IR, backup, vendor management)
Exporting configuration screenshots and reports
Keeping a central “underwriter pack” up-to-date year-round
When Cyber Insurance Is Not Enough
Cyber insurance is a risk transfer tool, not a substitute for cybersecurity. The most resilient organisations in the US, UK and EU treat insurance as one layer in a stack that includes prevention, detection and response.
Where insurance fits in the broader risk stack (prevent, detect, respond, transfer)
Prevent: MFA, EDR, secure coding, segmentation, training
Detect: logging, SIEM, MDR services, anomaly detection
Respond: rehearsed IR plans, crisis communications, legal support
Transfer: cyber insurance and contractual risk allocation
Getting the first three layers right gives you better options—and better pricing—on the fourth.
Partnering with MSSPs, incident response firms and legal counsel
Insurers often prefer (or require) that you work with approved incident response firms and cyber specialist law firms. Many SMBs also lean on MSSPs to provide 24/7 monitoring that would be impossible to staff in-house. Mak It Solutions frequently collaborates with cloud, security and MSSP partners to give clients a coherent operating model across AWS, Azure and Google Cloud.
How to turn insurer requirements into a long-term security roadmap
Instead of viewing questionnaires as a nuisance, treat them as a free roadmap:
Use each renewal to upgrade one or two big capabilities (e.g., this year: MFA and EDR; next year: data classification and DLP).
Align projects with regulatory milestones (NIS2, SOC 2, HIPAA updates).
Measure progress with simple metrics (phishing click rate, patching SLAs, backup success).
Over a few renewal cycles, you’ll build a mature, resilient cyber programme almost “for free” as a by-product of staying insurable.

Key Takeaways
In 2025, MFA, EDR, secure backups, patching and basic governance are table stakes for cyber insurance eligibility.
Underwriters now use external scanning, NIS2/GDPR expectations and sector standards like HIPAA and PCI DSS to judge your posture.
A focused 90-day playbook can move an SMB from declining terms to credible cyber liability insurance coverage.
GEO and sector matter: US healthcare, UK NHS suppliers and German KRITIS operators face stricter expectations than low-risk sectors.
Use insurer questionnaires as a roadmap to build a long-term, resilient cyber programme—not just to chase a policy.
If you meet the core 2025 cyber insurance requirements and can clearly demonstrate your controls, you dramatically improve your chances of getting sustainable, long-term coverage.
If you’re staring at a renewal form and realising your controls won’t pass a 2025 underwriting test, you don’t have to guess what to fix first. Mak It Solutions already helps teams in the US, UK, Germany and across Europe align cloud, application and data architectures with modern ransomware and compliance realities.
Book a short readiness conversation via our Contact page, share your latest questionnaire or broker request, and we’ll help you design a pragmatic plan to become and stay insurable on sustainable terms.
FAQs
Q : Can you still get cyber insurance without MFA in 2025?
A : In most cases, you’ll struggle to get meaningful cyber insurance coverage without MFA in 2025, especially for email and remote access. Some insurers may offer a restricted policy or exclude ransomware until MFA is fully deployed, but a growing number will simply decline high-risk accounts. If you’re not using MFA today, treating it as a first-month priority is the quickest way to move from “no quote” to realistic options.
Q : How do cyber insurance requirements differ between the US, UK and EU?
A : The underlying controls (MFA, EDR, backups, patching) are similar across the US, UK and EU, but the regulatory flavour changes. US underwriters lean heavily on HIPAA, PCI DSS, SOC 2 and state breach laws; UK carriers look closely at UK GDPR, ICO guidance and NHS requirements; EU and German insurers increasingly align with NIS2 and BaFin’s IT risk expectations. The more you can show alignment with your local regime, the easier it is to justify better limits and pricing.
Q : What types of cyber incidents are often excluded under 2025 cyber insurance policies?
A : Common exclusions in 2025 include incidents arising from war or state-sponsored attacks, known but unremediated critical vulnerabilities, intentional acts by insiders, and certain types of fines where law prohibits insuring them (for example, some GDPR penalties). Many policies also limit or sublimit ransomware payments, reputational harm and long-term loss of market share. It’s critical to read exclusions carefully with your broker and to fix obvious hygiene issues that could give an insurer grounds to deny a claim.
Q : Do GDPR or NIS2 fines themselves get covered by cyber insurance?
A : In many EU jurisdictions, public law fines, such as GDPR or future NIS2 penalties, are hard or impossible to insure, and insurers are cautious about offering explicit cover. What policies more commonly cover are the costs around a regulatory investigation: legal advice, forensics, notifications and sometimes class actions. Always check how your policy treats administrative fines and discuss local legal constraints with your broker or counsel before assuming they’ll be paid by insurance.
Q : How often do insurers reassess my security controls once a cyber policy is in place?
A : Historically, underwriting was largely a once-a-year exercise at renewal. In 2025, more carriers are introducing continuous cyber underwriting, where they periodically scan your external attack surface or review updated questionnaires. Some may request mid-term attestations when major vulnerabilities emerge, or after large incidents in your sector. Expect at least an annual deep dive plus ongoing light-touch monitoring, and treat your controls as a living programme rather than a “set-and-forget” project.