Cyber insurance underwriters are quietly raising the bar. Businesses that could get cover two years ago are now being refused entirely — and the reason is almost always the same: no demonstrable security baseline.
Cyber Essentials is the UK government's baseline cybersecurity certification scheme. It covers five technical controls — firewalls, secure configuration, user access control, malware protection, and patch management. It's not complex, it's not expensive, and it's increasingly the minimum threshold that insurers, public sector procurement teams, and large enterprise clients expect to see.
What underwriters are actually looking for
When you apply for cyber insurance, underwriters aren't just asking whether you have antivirus software. They want to know whether your organisation has a documented, tested, and maintained security posture. The questions are getting more specific every year:
- Do you have multi-factor authentication enforced across all remote access?
- Are privileged accounts separated from standard user accounts?
- Is your software patching policy documented and followed?
- Do you have conditional access policies controlling device compliance?
For businesses running Microsoft 365, every single one of these questions can be answered through proper M365 configuration. The problem is that most SMBs have never configured M365 with security in mind — they've configured it for convenience.
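As an added illustration of that point (example code, not from the original post or from BlueArc), the following Microsoft Graph PowerShell check audits Entra ID Conditional Access policies against the first and fourth questions above: whether an enforced policy requires MFA for all users across all cloud apps, and whether one requires a compliant device. It assumes the Microsoft.Graph module is installed and the signed-in account holds the Policy.Read.All permission.

```powershell
# Added example: audit Conditional Access for MFA-for-all and device-compliance
# requirements. Assumes Microsoft.Graph is installed and Policy.Read.All is granted.
Connect-MgGraph -Scopes "Policy.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Only enforced policies count; report-only or disabled policies give no assurance.
$enforced = @($policies | Where-Object { $_.State -eq "enabled" })

function Test-CoversAllUsers($p) {
    # "All" in IncludeUsers / IncludeApplications means the policy is tenant-wide.
    return ($p.Conditions.Users.IncludeUsers -contains "All") -and
           ($p.Conditions.Applications.IncludeApplications -contains "All")
}

# Note: this checks only the built-in "mfa" grant control; a policy that enforces
# MFA through an authentication strength instead would not be counted here.
$mfaForAll = @($enforced | Where-Object {
    (Test-CoversAllUsers $_) -and ($_.GrantControls.BuiltInControls -contains "mfa")
})
$compliantForAll = @($enforced | Where-Object {
    (Test-CoversAllUsers $_) -and ($_.GrantControls.BuiltInControls -contains "compliantDevice")
})

"Enforced Conditional Access policies: $($enforced.Count)"
if ($mfaForAll.Count -gt 0) {
    "MFA required for all users and apps by: $($mfaForAll.DisplayName -join ', ')"
} else {
    "GAP: no enforced policy requires MFA for all users across all cloud apps."
}
if ($compliantForAll.Count -gt 0) {
    "Compliant device required for all users by: $($compliantForAll.DisplayName -join ', ')"
} else {
    "GAP: no enforced policy requires a compliant device for all users."
}

# Surface exclusions so break-glass or service accounts are reviewed deliberately,
# since an excluded account is an account the control does not protect.
foreach ($p in ($mfaForAll + $compliantForAll | Sort-Object Id -Unique)) {
    if ($p.Conditions.Users.ExcludeUsers) {
        "  $($p.DisplayName) excludes users: $($p.Conditions.Users.ExcludeUsers -join ', ')"
    }
}
```

A "GAP" line is the evidence an assessor or underwriter would pick up on; the exclusion list is where most tenants that look compliant on paper actually fall short.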
The premium impact
The numbers vary by insurer and sector, but the pattern is consistent. Businesses with Cyber Essentials certification typically see lower premiums than those without. More importantly, businesses without any demonstrable security baseline are increasingly being quoted with significant exclusions — or refused cover entirely.
For businesses in professional services, financial services, or any sector that handles sensitive client data, the pressure is even greater. Clients are starting to ask for proof of certification as part of their own supplier due diligence.
What Cyber Essentials Plus adds
The standard Cyber Essentials certification is self-assessed — you answer a questionnaire and a certifying body reviews it. Cyber Essentials Plus adds an independent technical verification, where an assessor actually tests your environment against the five controls.
For most SMBs, standard Cyber Essentials is the right starting point. Cyber Essentials Plus becomes relevant when you're bidding for public sector contracts, working with larger enterprise clients, or when your insurer specifically requires it.
How BlueArc approaches Cyber Essentials
The BlueArc Secure package handles the full remediation process — gap analysis against the NCSC framework, hands-on M365 and Entra ID configuration, patch management policy, and certification application support. Most of the five technical controls can be addressed directly through your M365 environment, which means the work is contained and the timeline is predictable.
If you're not sure whether your current M365 configuration would pass a Cyber Essentials assessment, the BlueArc Discovery engagement includes a security posture review aligned to the framework. It's a good starting point.
Want to know where you stand on Cyber Essentials?
Book a free 30-minute discovery call. We'll give you an honest view of your current security posture and what it would take to get certified.