When a Sligo-based accountancy practice approached a specialist cyber insurance broker in late 2025, the broker ran through their standard pre-qualification checklist. The firm had no MFA on their remote access system, no documented patching schedule, and no incident response plan beyond "call our IT company." The broker told them that the market had tightened significantly over the past two years, and that firms presenting this profile would face either a declined application or premiums 40 to 60% higher than firms that could demonstrate basic security controls.
Three months later, after working through a structured improvement programme with a virtual CISO, the same firm returned with documented controls and evidence. Their premium was 28% lower than the initial indicative quote, and they obtained a higher coverage limit.
Insurability is not a fixed state. It is a reflection of your security maturity, and it is improvable — with effort that is also good for your business beyond the insurance premium.
Why Insurers Are More Selective Than They Were
The cyber insurance market hardened significantly between 2020 and 2025 in response to a surge in ransomware attacks and large claim payouts. Insurers who had previously offered broad cyber coverage with minimal scrutiny found themselves paying out at far higher rates than their models had anticipated. The response was to introduce stricter underwriting criteria, warranty conditions, and sub-limits.
For Irish SMEs, this means that the cyber insurance application process now resembles a cybersecurity assessment rather than a standard insurance form. Underwriters ask about MFA, endpoint detection, patch management, backup configuration, and incident response planning because these are the controls that most directly determine whether an incident occurs and how severe it is when it does.
The NCSC Ireland has mapped the most common initial access methods for cyberattacks affecting Irish organisations — credential theft enabled by absent MFA, exploitation of unpatched systems, and phishing leading to business email compromise are consistently the top three.[^1] Insurers have followed the same analysis, and their warranty requirements directly target these pathways.
Do you know how a cyber underwriter would score your current security posture — and which controls would most improve your insurability? Book a free 20-minute strategy call — we'll assess your current position and identify the improvements that have the greatest impact on your insurance terms.
The Controls That Change Your Insurance Position
Multi-factor authentication is the highest-impact single control for improving insurability. Insurers view MFA as the primary defence against credential-based attacks, which account for a large proportion of Irish cyber incidents. Implementing MFA universally — on email, cloud services, remote access, and administrative accounts — and being able to document that it is enforced moves you from a standard risk category to a preferred one.
Universal MFA requires no additional software for businesses already using Microsoft 365 or Google Workspace — it is built into the platforms. The work is in the configuration and the staff communication. Every account that gains MFA reduces your incident probability, and the documented evidence of that coverage is what changes your underwriting result.
Endpoint Detection and Response tools provide capabilities beyond traditional antivirus. EDR solutions monitor device behaviour continuously, detecting patterns associated with malware activity before it completes its objective. Insurers distinguish between businesses with EDR and those with legacy antivirus because the detection and containment capability is materially different. For businesses in Donegal with remote workers accessing systems over home networks, EDR on every managed endpoint is the baseline that modern underwriting expects.
Tested backups are the control that most directly affects ransomware coverage. Insurers covering ransomware losses want evidence that recovery does not require paying a ransom — that you have a demonstrable, tested path back to your data. Offline or immutable backups tested quarterly with documented restoration results provide that evidence. An untested backup is not evidence of recoverability; it is a hypothesis.
Documented incident response planning signals to an underwriter that your organisation has thought through how it will respond when an incident occurs. The plan does not need to be complex — it needs to specify who does what, who contacts the insurer, who notifies the Data Protection Commission, and who contacts An Garda Síochána's National Cyber Crime Bureau if a criminal act is involved.[^2] A one-page procedure that has been communicated to senior staff is more valuable to an underwriter than a fifty-page plan that exists only in a filing cabinet.
Security awareness training for staff addresses the human factor in most cyber incidents. Insurers ask whether your staff receive regular training on phishing, social engineering, and data handling because human error remains the most common initial cause of Irish cyber breaches. Documented training — completion records, topics covered, frequency — is evidence that you have addressed this risk category.
Supply Chain and Third-Party Risk Management
NIS2 introduced explicit supply chain security obligations, and insurers have followed suit in their underwriting criteria. Businesses that can demonstrate they have assessed the security posture of their critical suppliers — and included security requirements in supplier contracts — present a lower risk profile than those with no third-party oversight.[^3]
This does not require a complex vendor risk management programme for most Irish SMEs. A simple list of critical suppliers, documented evidence that you have reviewed their security practices (security questionnaire responses, certification status, or DPA reviews), and a note of contractual security requirements in key agreements is sufficient to demonstrate that you are not ignoring supply chain risk.
The vCISO Advantage
A virtual CISO provides the strategic security oversight that most Irish SMEs cannot justify employing full-time. For the specific purpose of improving insurability, a vCISO can articulate your security posture in the language underwriters use, identify warranty gaps before application, negotiate with brokers and underwriters based on documented evidence, and oversee the implementation of improvements that change your premium outcome.
The Sligo accountancy practice in the opening scenario reduced their premium by 28% through three months of structured improvement. The cost of the vCISO engagement was recovered within the first year's premium saving. Beyond the premium saving, the controls implemented remain as genuine protection — not compliance theatre, but functional security measures that reduce the probability and impact of a real incident.
Insurability is not a fixed characteristic of your business. It is a score that improves as your security programme matures — and improving it has benefits far beyond the premium line on your insurance invoice.
Three Steps to Start Improving Your Insurability Now
Run a self-assessment against the five core warranty conditions most cyber policies require: MFA universally deployed, current software patches applied, offline backup tested within 90 days, incident response plan documented and communicated, and staff security awareness training completed in the past 12 months. Score yourself honestly against each. The gaps you find are your improvement roadmap.
Schedule your next cyber insurance renewal conversation with your broker eight weeks out rather than at the last moment. Use that time to gather evidence of your controls and present it proactively. Ask your broker to request competing quotes from multiple insurers, with your evidence presented to each. Market competition, combined with demonstrated controls, produces better terms.
Contact an independent cybersecurity advisor or vCISO for a pre-renewal assessment. This gives you an objective view of your posture — identifying gaps you may not see from inside your own organisation — and produces documentation that directly supports your insurance application.
Related Reading
- Cyber Insurance Maximising Coverage
- Cyber Insurance Broker Checklist: What Your Broker Should Ask
- Cyber Insurance Questionnaire: What Insurers Are Actually Asking
[^1]: NCSC Ireland, threat landscape analysis and security control guidance for Irish organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána, cybercrime reporting and National Cyber Crime Bureau contact: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland, data protection and GDPR compliance guidance for organisations: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.