
If your cyber insurance renewal lands in the next few months, the questions most likely to slow it down are no longer vague. Insurers want to know whether multifactor authentication is enforced across the accounts that matter, whether remote access is properly protected, whether backups have been tested, and whether any devices are still running unsupported operating systems.
For many UK SMEs, the awkward question in 2026 is Windows 10. Standard support ended on 14 October 2025. Consumer ESU cover runs to 13 October 2026, while business devices can remain covered for up to 3 years through Microsoft’s paid commercial ESU programme, subject to licensing. That distinction matters. A Windows 10 device is not automatically unsupported if it is enrolled in commercial ESU, but you need the documentation to prove it, and you need to know how your insurer treats it.
Underwriters have become more evidence-led. Saying “yes, we have MFA” without being able to produce a policy export, enrolment report or screenshot is no longer persuasive. Saying “we have backups” without a restore test is not enough either.
Here is what changed, what insurers are likely to ask for, and what you can do before the renewal pack arrives.
Why the market hardened
Cyber insurers tightened underwriting after years of ransomware, business email compromise and supply chain incidents. Events such as the 2025 M&S and Co-op cyber attacks also reinforced the point that disruption can come from process failures, compromised credentials and third-party access as much as from technical exploits.
The Cyber Monitoring Centre classified the M&S and Co-op disruption as a Category 2 systemic event, estimating total financial impact across affected parties at £270 million to £440 million. Insurers pay attention to events like that because they show how quickly a single class of attack can create widespread business interruption.
That is why IT compliance matters more than it used to, and why good IT service management earns its keep at renewal time. The controls that satisfy an underwriter are mostly the same controls that reduce your chance of needing the policy.
What MFA actually means to an insurer
Many SMEs say they have MFA because they enabled it for standard Microsoft 365 or Google Workspace users. That may not be enough. Insurers increasingly expect MFA across the real risk points:
- Email accounts, including administrator accounts
- Remote access, including VPN, RDP, SSH and remote management tools
- Privileged accounts such as Microsoft 365 global admin, domain admin and finance system admin
- Cloud platforms holding business data
- Finance, HR, CRM and line-of-business systems
- Third-party portals used for support, backup or remote management
Authenticator apps, hardware keys or passkeys are generally stronger than SMS. For privileged accounts, SMS is increasingly viewed as weak.
The common gaps are administrator accounts and legacy protocols. If IMAP, POP or other legacy authentication methods are still enabled, an attacker with a stolen password may be able to sign in without ever being challenged for MFA. Password best practices close part of this gap; device management through Microsoft Intune and endpoint detection (see why EDR matters) close more of it. The practical endpoint hardening steps and endpoint security for remote teams cover the user-side risk.
Expect to provide evidence, not reassurance. Useful evidence includes conditional access screenshots, MFA enrolment reports, remote access configuration exports and a list of service accounts with authentication methods documented.
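To show what "audit every account type" looks like in practice, here is an added example (not code from the original post) that runs the checks above over a constructed account inventory. The CSV columns, the sample accounts and the severity labels are assumptions; a real inventory would come from your identity provider's MFA enrolment report and sign-in logs.

```python
"""Audit an account inventory for the MFA gaps underwriters ask about.

Added example, not code from the original post. The export format and column
names are assumed; map them to whatever your identity provider actually exports.
"""
import csv
import io

# Constructed sample export: one row per account (not real data).
INVENTORY_CSV = """\
account,type,privileged,mfa_method,legacy_auth_enabled
alice@example.co.uk,user,no,authenticator_app,no
bob@example.co.uk,user,no,none,no
globaladmin@example.co.uk,admin,yes,sms,no
backup-svc@example.co.uk,service,yes,none,yes
finance-admin@example.co.uk,admin,yes,hardware_key,no
carol@example.co.uk,user,no,authenticator_app,yes
"""

# Methods the post describes as generally stronger than SMS.
STRONG_METHODS = {"authenticator_app", "hardware_key", "passkey"}


def audit_accounts(csv_text):
    """Return (severity, account, finding) tuples, privileged gaps first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct = row["account"]
        privileged = row["privileged"] == "yes"
        method = row["mfa_method"]
        if method == "none":
            # Admins first: an unprotected global admin is the worst case.
            findings.append(("high" if privileged else "medium", acct, "no MFA enrolled"))
        elif privileged and method not in STRONG_METHODS:
            findings.append(("high", acct, f"privileged account relies on {method}, which insurers treat as weak"))
        if row["legacy_auth_enabled"] == "yes":
            # Legacy auth (IMAP/POP/basic auth) lets a password alone sign in, bypassing MFA.
            findings.append(("high", acct, "legacy authentication still enabled; MFA can be bypassed"))
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f[0]], f[1]))
    return findings


def declaration_supportable(findings):
    """True only when 'MFA enforced on all required accounts' can be evidenced."""
    return len(findings) == 0
```

Keep the CSV input and the output list together in the evidence pack; the dated report is what the underwriter wants, not the assertion that the audit happened.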
The old PC question
Windows 10 is now a renewal issue because standard support has ended. Consumer ESU ends on 13 October 2026. Commercial ESU is available to organisations for up to 3 years after end of support, with year 1 priced by Microsoft at $61 per device and the price doubling in each subsequent year.
For insurance purposes, do not assume ESU automatically solves the problem. Some policies refer generally to unsupported software, some ask specifically about end-of-life systems, and some treat ESU-enrolled devices differently from fully supported Windows 11 devices. You need to ask your broker how the wording applies.
The practical approach is simple. Every Windows 10 machine should be retired, replaced, upgraded, or documented as a commercial ESU exception with a clear removal date. The same principle applies to end-of-life server software, old network equipment and line-of-business applications running on unsupported versions.
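As an added example (not code from the original post), the register below classifies each device the way the paragraph above describes: supported, a documented commercial ESU exception with a removal date, or a gap. The device list is constructed, and the commercial ESU end date is an assumption derived from "up to 3 years" after 14 October 2025.

```python
"""Classify a Windows 10 / unsupported-software register for the renewal pack.

Added example, not code from the original post. Device rows are constructed;
COMMERCIAL_ESU_END is assumed from '3 years after end of support'.
"""
from datetime import date

WIN10_END_OF_SUPPORT = date(2025, 10, 14)
CONSUMER_ESU_END = date(2026, 10, 13)
COMMERCIAL_ESU_END = date(2028, 10, 13)  # assumption: 3 years after end of support
ESU_YEAR1_PRICE_USD = 61                  # year 1 price; doubles each subsequent year

# Constructed register: (hostname, os, esu_type or None, planned removal date or None)
DEVICES = [
    ("FIN-01", "Windows 11", None, None),
    ("RCPT-02", "Windows 10", "commercial", date(2026, 6, 30)),
    ("WH-03", "Windows 10", None, None),
    ("LAB-04", "Windows 10", "commercial", None),
    ("HR-05", "Windows 10", "consumer", date(2026, 9, 1)),
]


def esu_cost(years):
    """Cumulative commercial ESU cost per device over the first `years` years."""
    return sum(ESU_YEAR1_PRICE_USD * 2 ** y for y in range(years))


def classify(device, today):
    """Map one register row to the status an underwriter would expect to see."""
    _host, os_name, esu, removal = device
    if os_name != "Windows 10":
        return "supported"
    if esu == "commercial":
        # An exception only counts if it has a removal date that is still in the future.
        if removal is not None and today < removal <= COMMERCIAL_ESU_END:
            return "documented ESU exception"
        return "ESU exception missing or past its removal date"
    if esu == "consumer" and today <= CONSUMER_ESU_END:
        return "consumer ESU only: covered until 13 Oct 2026, confirm wording with broker"
    return "unsupported"


def register_report(devices, today):
    """Hostname -> status, the table that goes into the evidence pack."""
    return {d[0]: classify(d, today) for d in devices}
```

Re-run the report with the renewal date as `today`, not the date you built it: an exception whose removal date has passed turns into an unsupported device the moment the underwriter reads it.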
If you are consolidating systems as part of the OS change, that is the right moment to fix the wider estate, which is what our work as a platform migration company is designed to deliver.
What underwriters want versus what SMEs often have
| Underwriter expectation | Common SME reality | What to do |
|---|---|---|
| MFA on all key accounts | MFA on user mailboxes, but admin accounts or legacy protocols left uncovered | Audit every account type, close legacy auth, enforce MFA on admins first |
| EDR on endpoints | Traditional antivirus or inconsistent coverage | Move to managed EDR with documented deployment |
| Tested backups | Backups exist, but no recent restore test | Run and document a restore test |
| Patching cadence | Reactive patching with no evidence | Adopt a patching policy and keep reports |
| Incident response plan | Informal plan in someone’s inbox | Create a 1-page plan and rehearse it |
| No unsupported systems | A few Windows 10 or old server systems still in use | Upgrade, retire or document supported exceptions |
| Staff training | Annual awareness email only | Run regular training and phishing simulations |
| Privileged access control | Long-standing admin rights with no review | Review admin rights and document approvals |
The fix is rarely buying one new product. More often, it is evidencing what you already have, closing the obvious gaps and writing down what you do.
The honest answers problem
Misrepresenting controls at renewal can cause serious problems later. If you tick “MFA enforced on all administrator accounts” and a post-incident review shows the global admin account was not protected, the insurer may have grounds to challenge the claim.
The safer rule is simple: answer accurately. A “no” with a credible remediation plan is better than an optimistic “yes” that cannot be evidenced.
Phishing simulation results are a useful example. If you have never run one, say so and schedule it. If you have, keep the completion records. The principles in anti-phishing basics, anti-phishing controls, and create an anti-phishing policy all matter here, alongside knowing how to spot a phishing email and the wider risk of business email compromise. As an anti-phishing testing provider in London, we find the simulations we run for clients often double as useful renewal evidence.
Build the evidence pack before you need it
Renewal often lands when nobody has time to gather evidence. Build a small folder now and keep it current.
Include:
- MFA and conditional access policy screenshots
- Evidence that legacy authentication is blocked
- EDR deployment report by device
- Backup restore test results
- Patch management report
- Incident response plan with named roles
- Staff training and phishing simulation records
- Penetration test or vulnerability scan with remediation status
- Windows 10 and unsupported software register
The testing side matters because insurers increasingly ask about it. Network penetration testing explained covers the rationale, the importance of penetration testing in cybersecurity covers the value, how often you should run network penetration testing covers cadence, and pen testing versus vulnerability scanning explains the distinction. Fixing what you find is the point; common network vulnerabilities and fixes sets that out, and internal and external network penetration testing helps scope the work sensibly.
Backups are the other place where evidence pays off. The principle is set out in cloud to cloud backup, the common failures are in common cloud backup mistakes, and the case for Microsoft 365 backup is straightforward. Google Workspace teams should see Google Workspace backup. As a cloud backup company for UK businesses, we keep seeing the same issue at renewal: the underwriter wants restore evidence, not just a backup confirmation.
The Cyber Essentials shortcut
Cyber Essentials is worth considering before renewal. For UK organisations with turnover under £20 million, Cyber Essentials certification covering the whole organisation includes cyber liability insurance arranged through IASME, with a 24-hour incident helpline and support up to the policy limit.
Cyber Essentials is also a recognised signal for insurers and customers. Cyber Essentials Plus, with independent technical verification, carries more weight. The April 2026 Cyber Essentials v3.3 update tightened requirements, including stronger expectations around MFA and timely patching, so older approaches may no longer pass.
The case is set out plainly in why your business should become Cyber Essentials accredited. For SMEs, it is one of the simplest formal ways to demonstrate a security baseline.
Dark web monitoring and the pre-bind review
Insurers and brokers may use external checks before offering terms. They may look for exposed services, leaked credentials, weak email security, vulnerable systems or signs of poor hygiene.
It pays to monitor this before they do. Dark web monitoring explained covers the basics, what to do if your company credentials appear on the dark web is the playbook, and dark web monitoring versus breach monitoring explains the distinction. Our London dark web monitoring service is built to give that early warning.
Continuity matters too, because business interruption is a major part of many cyber claims. Why your business needs a business continuity plan and the small business guide to ransomware cover this side of the picture. Tips for securing your small business network handles the fundamentals.
Cross-border and multi-site realities
If your business operates across more than one country, expect more questions. Different jurisdictions may have different breach notification rules, sub-limits, incident response panels and evidence requirements. Your renewal may look different if your Paris office handles personal data your London office never sees.
We support businesses in this position through European support services and global IT support services. For the wider picture, our security services, consulting team and the full range of services we offer as a managed business IT support services partner cover the rest of what a renewal-ready setup looks like. The case for handing it off is set out in outsourcing your IT to an MSP, with the broader rationale in why businesses should consider an MSP for their IT needs.
Frequently asked questions
Will an insurer really challenge a claim if we said yes to MFA but had a gap?
Potentially, yes. If your renewal declaration said MFA was enforced across all required accounts and the evidence later shows otherwise, the insurer may review whether the declaration was accurate. Honest answers with a remediation plan are safer than optimistic ones.
What counts as MFA on every account?
In practice, it means MFA on email, remote access, privileged accounts, cloud platforms and systems holding business data. Legacy authentication should also be blocked where it can bypass MFA.
Can we still get cyber insurance if we have Windows 10 PCs?
Possibly. It depends on whether the machines are supported, whether they are covered by commercial ESU, what role they perform, and how your insurer’s wording treats them. Ask your broker before renewal, not after.
Does Cyber Essentials reduce our premium?
It can help, but the effect varies by insurer. Its bigger value is that it provides a recognised baseline and, for eligible UK organisations under £20 million turnover, includes cyber liability insurance through the scheme.
Should we wait for the renewal pack before fixing gaps?
No. By then, you may not have enough time to fix issues properly. Close the obvious gaps before renewal and keep evidence ready.
The sensible next step
If you do one thing after reading this, audit MFA across every account, paying special attention to administrator accounts and legacy authentication. If you do a second thing, list every device still running Windows 10 and decide whether it will be upgraded, retired or covered by commercial ESU. If you do a third thing, build a small evidence pack with screenshots and dated reports.
If you would like help running the audit, building the evidence pack or getting your environment ready for the questions your insurer is about to ask, speak to Northern Star. We will help you go into renewal with answers that stand up to scrutiny.