How to Reduce Cyber Insurance Premiums
Five specific controls that underwriters evaluate, how to implement each one, and how to collect the evidence that proves it. Organisations following this approach typically achieve 15-25% premium reductions at renewal.
Why Cyber Insurance Premiums Keep Rising
Understanding the problem is the first step to solving it
Cyber insurance premiums have increased significantly over the past four years. Ransomware claims, business email compromise losses, and supply chain attacks have driven loss ratios up across the industry. Insurers have responded by increasing premiums, tightening underwriting criteria, and in some cases refusing to renew policies for organisations that cannot demonstrate adequate security controls.
The good news: underwriters are transparent about what they want to see. The controls that drive premium reductions are well-documented and consistent across carriers. Organisations that can demonstrate these controls with verifiable evidence are rewarded with lower premiums, better coverage terms, and fewer exclusions.
For most organisations the challenge is not identifying which controls matter; it is collecting and presenting the evidence in a format that underwriters accept. That is where an automated compliance platform becomes essential.
Before and After: Premium Impact
Real-world scenarios showing the financial impact of security controls
Before: Limited Controls
50-person professional services firm
- MFA on email only, not on VPN or admin consoles
- No documented patch management policy
- Annual penetration test, no continuous scanning
- Incident response plan exists but untested
Annual Premium
£18,500
After: Comprehensive Controls
Same firm, six months later
- 100% MFA coverage including privileged accounts
- Documented patching SLAs with 12 months of evidence
- Continuous vulnerability scanning with trending data
- Tested incident response plan with tabletop exercise logs
Annual Premium
£14,400
22% reduction
These figures are illustrative based on typical premium reductions reported by organisations implementing comprehensive security controls. Actual results vary by insurer, industry, and claims history.
Five Steps to Lower Premiums
The controls underwriters evaluate and how Fig helps you prove them
Implement Multi-Factor Authentication Everywhere
MFA is the single most impactful control underwriters evaluate. Apply it to all remote access, email, administrative consoles, cloud platforms, and VPN connections. Underwriters specifically look for MFA coverage across privileged accounts, not just general user accounts. Organisations that can demonstrate 100% MFA coverage on critical systems frequently see premium reductions of 5-10% on this control alone.
How Fig Collects Evidence
Fig automatically collects MFA deployment evidence from Azure AD, Microsoft 365, Google Workspace, and other identity providers. Auditors and underwriters receive a real-time report showing exactly which accounts have MFA enabled and which do not.
Establish a Documented Patch Management Programme
Unpatched systems are involved in a significant proportion of successful breaches. Insurers want to see that you have a defined patching cadence: critical vulnerabilities remediated within 14 days, high-severity within 30 days, and routine patches applied within 90 days. Beyond the policy, they want evidence that you actually follow it.
How Fig Collects Evidence
Fig tracks patch status across your infrastructure, generates compliance reports against your defined SLAs, and flags overdue patches automatically. This evidence is exactly what underwriters request during the application process.
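The following is an added illustration of the SLA check described above (it is not Fig's code): each patch record is measured against the 14/30/90-day cadence, and the report separates patches that met or missed the SLA from those still open or overdue. Hosts, advisory identifiers and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Patching cadence from the policy: days allowed from patch release to remediation.
SLA_DAYS = {"critical": 14, "high": 30, "routine": 90}

@dataclass
class PatchRecord:
    host: str
    advisory: str            # constructed identifier, not a real advisory
    severity: str            # "critical", "high" or "routine"
    released: date           # date the patch became available
    applied: Optional[date]  # None while the host is still unpatched

def evaluate(record: PatchRecord, today: date):
    """Return (status, elapsed_days) for one record against its SLA."""
    limit = SLA_DAYS[record.severity]
    elapsed = ((record.applied or today) - record.released).days
    if record.applied is None:
        return ("overdue" if elapsed > limit else "open", elapsed)
    return ("met" if elapsed <= limit else "missed", elapsed)

def sla_report(records, today: date):
    """Per severity: counts of met/missed/open/overdue, overdue hosts, and % of closed patches within SLA."""
    report = {}
    for r in records:
        b = report.setdefault(r.severity, {"met": 0, "missed": 0, "open": 0, "overdue": 0, "overdue_hosts": []})
        status, _ = evaluate(r, today)
        b[status] += 1
        if status == "overdue":
            b["overdue_hosts"].append(r.host)
    for b in report.values():
        closed = b["met"] + b["missed"]
        b["met_pct"] = round(100 * b["met"] / closed, 1) if closed else None
    return report

# Constructed sample records and reporting date (not real hosts or advisories).
AS_OF = date(2024, 4, 15)
SAMPLE = [
    PatchRecord("web-01", "ADV-0001", "critical", date(2024, 3, 1), date(2024, 3, 10)),
    PatchRecord("web-02", "ADV-0001", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    PatchRecord("db-01", "ADV-0002", "high", date(2024, 2, 15), date(2024, 3, 10)),
    PatchRecord("vpn-01", "ADV-0003", "critical", date(2024, 3, 25), None),
    PatchRecord("fs-01", "ADV-0004", "routine", date(2024, 1, 5), None),
]

if __name__ == "__main__":
    for severity, bucket in sla_report(SAMPLE, AS_OF).items():
        print(severity, bucket)
```

Run monthly, the same report gives the 12 months of SLA evidence the "After" scenario relies on.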
Encrypt Data at Rest and in Transit
Encryption is a baseline expectation for any organisation applying for cyber insurance. This means full-disk encryption on all endpoints, TLS 1.2 or higher for data in transit, and encryption of sensitive data stores including databases and backups. Insurers view encryption as a fundamental control that significantly limits the blast radius of a breach.
How Fig Collects Evidence
Fig verifies encryption status across endpoints and cloud services, documenting compliance with your encryption policy. Reports show encryption coverage percentages and highlight any gaps.
Build and Test an Incident Response Plan
Having an incident response plan is not enough. Underwriters want to see that the plan has been tested, that roles and responsibilities are clearly defined, and that the plan includes specific procedures for ransomware, data breaches, and business email compromise. Organisations that conduct tabletop exercises at least annually and can provide evidence of these exercises demonstrate operational maturity that insurers reward.
How Fig Collects Evidence
Fig includes pre-built incident response playbooks, tracks tabletop exercise completion, and maintains a full audit trail of every incident and response action. This documentation serves as direct evidence for insurance applications.
Deploy Continuous Vulnerability Scanning and Remediation
Point-in-time penetration tests are valuable, but insurers increasingly expect continuous vulnerability management. This means regular automated scanning of internal and external assets, prioritised remediation based on exploitability and business impact, and documented evidence of vulnerability closure rates over time. Organisations that can show a declining trend in open vulnerabilities demonstrate proactive risk management.
How Fig Collects Evidence
Fig runs continuous vulnerability scans, prioritises findings by severity and exploitability, assigns remediation tasks, and tracks closure rates. Trend reports show underwriters that your risk posture is improving, not static.
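As an added example of the trending evidence described above (not Fig's own reporting code), this computes, for a set of scanner findings, the number open at each snapshot date, closures since the previous snapshot, and whether the open count is declining. Finding identifiers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    finding_id: str               # constructed, not a real scanner id
    severity: str
    opened: date                  # first seen by the scanner
    closed: Optional[date] = None  # None while the finding is still open

def open_at(findings, day: date):
    """Findings open on 'day': discovered on or before it and not yet closed."""
    return [f for f in findings if f.opened <= day and (f.closed is None or f.closed > day)]

def trend(findings, snapshots):
    """One row per snapshot: open count, findings opened/closed since the previous snapshot, closure ratio."""
    rows, prev = [], None
    for day in snapshots:
        opened = sum(1 for f in findings if (prev is None or f.opened > prev) and f.opened <= day)
        closed = sum(1 for f in findings
                     if f.closed is not None and (prev is None or f.closed > prev) and f.closed <= day)
        rows.append({
            "date": day.isoformat(),
            "open": len(open_at(findings, day)),
            "opened": opened,
            "closed": closed,
            "closure_ratio": round(closed / opened, 2) if opened else None,
        })
        prev = day
    return rows

def is_improving(rows):
    """Underwriters look for a declining backlog: last snapshot's open count below the first's."""
    return rows[-1]["open"] < rows[0]["open"]

# Constructed sample findings and month-end snapshots.
SAMPLE = [
    Finding("V-1", "high", date(2024, 1, 10), date(2024, 2, 5)),
    Finding("V-2", "critical", date(2024, 1, 12), date(2024, 1, 20)),
    Finding("V-3", "medium", date(2024, 1, 25), date(2024, 3, 15)),
    Finding("V-4", "high", date(2024, 2, 10), date(2024, 2, 25)),
    Finding("V-5", "critical", date(2024, 2, 20), date(2024, 3, 5)),
    Finding("V-6", "low", date(2024, 3, 12)),
]
SNAPSHOTS = [date(2024, 1, 31), date(2024, 2, 29), date(2024, 3, 31)]

if __name__ == "__main__":
    rows = trend(SAMPLE, SNAPSHOTS)
    for row in rows:
        print(row)
    print("improving:", is_improving(rows))
```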
Build Your Insurance Evidence Pack
Fig collects the evidence underwriters need, automatically. Start before your next renewal and demonstrate the controls that drive premium reductions.