What Your Cyber Insurer Wants to See — and How to Get There Fast
A Galway professional services firm applied for cyber insurance in late 2025 and was declined. Not because they were a bad risk — but because they could not evidence Multi-Factor Authentication, had no Endpoint Detection and Response solution, and their backup had not been tested in fourteen months. Three years ago, they would have been approved with a self-declaration form and a modest premium. Today, insurers want proof — and the standards have shifted substantially.
For Irish SMEs, this is a compliance problem and a business risk combined. You need cyber insurance. But you cannot get it without controls you may not yet have. This article explains what insurers want, why they want it, and how to get there in eight to twelve weeks.
Why Cyber Insurance Underwriting Has Tightened
The insurance industry is responding to data. Cyber claims have escalated significantly in recent years, and insurers have analysed thousands of breaches to identify a consistent pattern: businesses without specific baseline controls are substantially more likely to suffer a significant breach. So they are now requiring those controls as a condition of coverage, not as optional good practice.
The controls they are demanding are not exotic. They are the baseline security measures that the NCSC Ireland, ENISA, and the NIS2 Directive all recommend[^1]. But many Irish SMEs have not yet implemented them — and the gap between knowing you need them and actually having them in place is what is causing application declines and policy exclusions.
The 7 Controls Insurers Now Require
These are the seven controls that cyber insurers are now asking for. If you cannot evidence all seven, you will struggle to get coverage — or you will get coverage with exclusions that eliminate protection for the very scenarios you are most worried about.
Multi-Factor Authentication is the first and most universal requirement. A second proof of identity — usually a code sent to your phone or generated in an app — required in addition to your password. Insurers want this because Microsoft data shows MFA blocks over 99% of automated credential attacks. Without it, a single stolen password is all an attacker needs.
Endpoint Detection and Response (EDR) software monitors devices for suspicious behaviour and can isolate infected machines. Insurers want EDR because it detects and contains ransomware before it spreads across a network — the single most expensive claim scenario they face.
Dedicated email security beyond the built-in Microsoft 365 filter stops phishing, Business Email Compromise, and ransomware delivered by email — the primary attack vector against Irish businesses.
Tested, immutable backups stored offline with documented recovery procedures allow businesses to recover from ransomware without paying the attacker. Insurers specifically ask whether backups have been tested — an untested backup is treated the same as no backup for underwriting purposes.
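The restore test this paragraph calls for, as an added example that is not part of the original article or the advisory firm's own material: it restores a backup into a scratch directory, verifies every file against a SHA-256 manifest recorded at backup time, and appends a dated PASS/FAIL line to a log, which is the kind of evidence an underwriter asks for. It assumes tar archives, GNU coreutils `sha256sum`, file names without spaces, and placeholder paths.

```shell
#!/bin/sh
# Added example (not from the article): repeatable backup restore test that
# leaves dated evidence. Assumes tar archives and GNU coreutils (sha256sum),
# file names without spaces; all paths are placeholders.
set -eu

# make_manifest DIR FILE: record the SHA-256 of every file under DIR into FILE
# at backup time, so a later restore can be checked against it.
make_manifest() {
  (cd "$1" && find . -type f | sort | xargs sha256sum) > "$2"
}

# restore_test ARCHIVE MANIFEST LOG: restore ARCHIVE into a scratch directory,
# verify every file listed in MANIFEST, append "<UTC time> PASS|FAIL <archive>"
# to LOG and return 0 on PASS, 1 on FAIL. A missing or altered file fails.
restore_test() {
  archive=$1; manifest=$2; log=$3
  scratch=$(mktemp -d)
  result=FAIL
  if tar -xf "$archive" -C "$scratch" 2>/dev/null &&
     (cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1); then
    result=PASS
  fi
  rm -rf "$scratch"
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$result" "$archive" >> "$log"
  [ "$result" = PASS ]
}

# demo: constructed sample data; a complete backup passes, a backup missing a
# file fails, and both outcomes are recorded in the evidence log.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/data/finance"
  printf 'invoice 2025-11\n' > "$work/data/finance/inv.txt"
  printf 'client list\n' > "$work/data/clients.txt"
  make_manifest "$work/data" "$work/manifest.sha256"
  tar -cf "$work/good.tar" -C "$work/data" .
  restore_test "$work/good.tar" "$work/manifest.sha256" "$work/restore.log" || true
  rm "$work/data/clients.txt"                     # simulate an incomplete backup
  tar -cf "$work/bad.tar" -C "$work/data" .
  restore_test "$work/bad.tar" "$work/manifest.sha256" "$work/restore.log" || true
  cat "$work/restore.log"
  rm -rf "$work"
}

demo
```

Run it from cron after each backup cycle and keep the log; a log with a recent PASS line is the tested-backup evidence, and a FAIL line is a restore problem found before an incident rather than during one.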
A documented patch management process for applying security updates to all systems within 30 days of release closes the vulnerabilities that attackers exploit for initial access.
Access control based on the principle of least privilege — users have only the permissions their role requires — limits the damage if an account is compromised.
A documented incident response plan outlines who to contact, what to preserve, and how to communicate if a breach occurs. Insurers have found that businesses with documented plans recover faster and at lower cost — reducing the insurer's exposure[^2].
Does your business have all seven controls in place and evidenced? Book a free 20-minute strategy call — we will identify which controls are missing and build a realistic implementation plan.
What Happens Without These Controls
Three scenarios play out repeatedly for Irish SMEs. In the first, you apply for cyber insurance, the insurer asks for evidence of MFA, EDR, and backup, and you do not have EDR. The insurer declines your application.
In the second, you have most controls but your backup has not been tested in eighteen months. The insurer approves your policy but excludes "recovery from ransomware" from coverage. Six months later, you suffer a ransomware attack and file a claim. The insurer denies it because the exclusion applies.
In the third, you have cyber insurance and suffer a breach. The insurer investigates and discovers that your incident response plan exists only as a document nobody has read. The insurer argues that your failure to follow a documented process increased the cost of the breach, and reduces its payout accordingly.
An Garda Síochána has confirmed that ransomware remains the most financially damaging cyber threat facing Irish businesses, and that most victims would have benefited from precisely the controls listed above[^3].
The Gap Between Knowing and Doing
Most Irish SMEs know they need these controls. They have read the NCSC Ireland guidance. They understand the risk. But they have not implemented the controls because implementation requires specialist knowledge and time. Your IT person knows how to manage Microsoft 365. They may not know how to evaluate EDR products, configure email security effectively, or design a tested incident response plan.
The Data Protection Commission has noted that many GDPR breach notifications it receives from Irish businesses reflect inadequate technical controls that were known to be insufficient but had not been addressed.
So the controls remain on the to-do list, quarter after quarter — while cyber insurance premiums keep rising and underwriting keeps tightening.
How to Get There in 8 to 12 Weeks
The fastest way to implement all seven controls is to hand the job to someone who does it professionally. Not a consultant who produces a report and leaves. Someone who takes ownership of the entire implementation from assessment through to ongoing management.
The implementation timeline for each control is predictable. MFA can be deployed across most Irish SME environments in one to two weeks. Email security takes two to four weeks including testing and policy tuning. EDR requires three to six weeks for rollout across all endpoints. Backup and recovery architecture — including testing — takes four to eight weeks. Patch management process definition and tooling takes two to four weeks. Access control review requires four to eight weeks depending on the size of your team. An incident response plan with stakeholder input and documentation takes two to three weeks.
Total timeline with a focused implementation partner: eight to twelve weeks to have all seven controls in place and evidenced for your insurance application.
Implementing these seven controls does more than get you insurance. It reduces your actual risk of a breach by an order of magnitude — and demonstrates to clients and regulators that your security is genuine, not performative.
What Next
Request a cyber insurance application from your broker now. Use the application questions as a gap assessment even if you are not ready to apply yet. The questions will tell you exactly which of the seven controls you need to evidence.
Start with MFA. This is the highest-impact, lowest-effort control on the list, and it is universally required. If you have not yet deployed MFA across all email and cloud accounts, this is the first action to take.
Engage an implementation partner, not just an advisor. The gap between a security report and implemented controls is where most Irish SMEs stall. The right partner takes ownership of the entire implementation — not just the assessment.
[^1]: NCSC Ireland — Advice for Organisations
[^2]: Data Protection Commission Ireland
[^3]: An Garda Síochána — Cyber Crime
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.