Do UK Small Businesses Need Cyber Essentials? What Insurers Are Actually Asking For in 2026
Cyber insurers are asking harder questions than ever. Here's what they actually want to know — and how a small business owner can prepare without hiring an IT consultant.
The question most small business owners are suddenly facing
If you've renewed your business insurance recently, or had a larger client ask about your security practices, you'll have noticed something: the questions have got harder.
A few years ago, a tick-box saying "yes, we have antivirus" was enough. Now insurers want to know whether you use multi-factor authentication, how quickly you apply security updates, and whether you have a backup that's stored separately from your main systems.
Most small business owners don't know the answers — not because they're careless, but because nobody has ever walked them through what these questions actually mean.
What is Cyber Essentials, and do you actually need it?
Cyber Essentials is a UK government-backed certification scheme run by the National Cyber Security Centre (NCSC). It covers five core areas of security: firewalls, secure configuration, access control, malware protection, and patch management.
Formal Cyber Essentials certification costs from around £300 plus VAT and is required for certain government contracts. But most small businesses don't need the formal certificate.
What they need is to be able to answer the questions insurers and clients are asking — and to actually implement the controls those questions are about.
What cyber insurers are actually asking in 2026
Based on current insurer application forms, here are the questions that come up most frequently:
Multi-factor authentication (MFA)
Do you use two-step verification on your email and cloud services? This is the single most commonly asked question on cyber insurance applications, and increasingly a condition of cover.
Backups
Do you have backups stored separately from your main systems? Insurers are increasingly refusing to pay ransomware claims where no separate backup existed.
Patch management
Are your computers and software kept up to date? Specifically, are security updates applied within 14 days of release?
Access control
Does everyone have their own login? Is access to sensitive data limited to those who need it? Are former employees' accounts removed promptly?
The five Cyber Essentials areas in plain English
1. Firewalls and internet gateways
Your broadband router is properly secured — the default password has been changed, and unnecessary remote access is blocked.
2. Secure configuration
New devices have secure settings before being used for work, and everyone has their own individual login.
3. Access control
Staff use strong passwords and MFA on cloud services, access is removed when staff leave, and nobody has admin access they don't need.
4. Malware protection
All devices have active antivirus. Windows 10 and 11 include Microsoft Defender for free — it just needs to be switched on.
5. Patch management
Devices and software are set to update automatically. Unsupported software like Windows 7 is replaced or isolated.
Where to start
The hardest part for most small business owners is knowing where they currently stand. You can't fix gaps you don't know about.
A structured self-assessment against the Cyber Essentials framework gives you a baseline, identifies your biggest gaps, and produces a document you can share with insurers or clients.
Our tool walks you through 30 plain-English questions across all five Cyber Essentials areas and produces a professional PDF report — including your overall security score, section-by-section findings, and a prioritised action plan. It takes about 10 minutes and costs £49.
Important note on formal certification
Our self-assessment tool is aligned to the Cyber Essentials framework but does not confer formal certification. For government contracts requiring a certificate, visit iasme.co.uk to find an accredited assessor. Formal certification starts from around £300 plus VAT.
The bottom line
Most UK small businesses don't need formal Cyber Essentials certification — but they do need to demonstrate they've thought seriously about security, implemented the basic controls, and can evidence this when asked.
The most efficient use of your time is starting with a structured assessment so you know where to focus.