How to reduce cyber insurance premiums.
Five specific controls that underwriters evaluate, how to implement each one, and how to collect the evidence that proves it. Organisations following this approach typically achieve 15-25% premium reductions at renewal.
Why Cyber Insurance Premiums Keep Rising
Understanding the problem is the first step to solving it
The pressure
Premiums keep climbing
Cyber insurance premiums have risen sharply over the last four years. Ransomware claims, business email compromise losses, and supply chain attacks have pushed loss ratios up - so insurers have raised premiums, tightened underwriting, and in some cases refused renewal for organisations that cannot evidence adequate controls.
The opportunity
Underwriters are transparent
The controls that drive premium reductions are well-documented and consistent across carriers. Organisations that can demonstrate these controls with verifiable evidence are rewarded - lower premiums, better coverage terms, fewer exclusions.
The challenge
Evidence in the right format
For most organisations the gap isn't knowing which controls matter - it's collecting and presenting the evidence in a format underwriters actually accept. That's where an automated compliance platform becomes essential.
Before and After: Premium Impact
Real-world scenarios showing the financial impact of security controls
Before
Limited controls
50-person professional services firm
- MFA on email only, not on VPN or admin consoles
- No documented patch management policy
- Annual penetration test, no continuous scanning
- Incident response plan exists but untested
Annual premium
£18,500
After
Comprehensive controls
Same firm, six months later
- 100% MFA coverage including privileged accounts
- Documented patching SLAs with 12 months of evidence
- Continuous vulnerability scanning with trending data
- Tested incident response plan with tabletop exercise logs
Annual premium
£14,400
22% reduction
These figures are illustrative, based on typical premium reductions reported by organisations implementing comprehensive security controls. Actual results vary by insurer, industry, and claims history.
Five Steps to Lower Premiums
The controls underwriters evaluate and how Fig helps you prove them
Implement Multi-Factor Authentication Everywhere
MFA is the single most impactful control underwriters evaluate. Apply it to all remote access, email, administrative consoles, cloud platforms, and VPN connections. Underwriters specifically look for MFA coverage across privileged accounts, not just general user accounts. Organisations that can demonstrate 100% MFA coverage on critical systems frequently see premium reductions of 5-10% on this control alone.
How Fig collects evidence
Fig automatically collects MFA deployment evidence from Azure AD, Microsoft 365, Google Workspace, and other identity providers. Auditors and underwriters receive a real-time report showing exactly which accounts have MFA enabled and which do not.
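The coverage report described above, as an added example that is not Fig's own code and not part of the original page: it takes a small, constructed export of identity-provider accounts (the field names `upn`, `privileged` and `mfa_enforced` are assumptions, not any provider's real schema) and produces the two figures an underwriter asks for, overall MFA coverage and coverage on privileged accounts, together with the named gaps.

```python
from dataclasses import dataclass
from typing import List, Dict


@dataclass
class Account:
    """One identity-provider account. Field names are assumed for this example."""
    upn: str
    privileged: bool      # holds an admin / privileged role
    mfa_enforced: bool    # MFA is required on every sign-in, not merely registered


# Constructed sample data; not exported from any real tenant.
ACCOUNTS: List[Account] = [
    Account("alice@example.test", privileged=True,  mfa_enforced=True),
    Account("bob@example.test",   privileged=True,  mfa_enforced=False),
    Account("carol@example.test", privileged=False, mfa_enforced=True),
    Account("dave@example.test",  privileged=False, mfa_enforced=True),
    Account("erin@example.test",  privileged=False, mfa_enforced=False),
]


def _pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty population counts as fully covered."""
    return round(100.0 * numerator / denominator, 1) if denominator else 100.0


def mfa_coverage_report(accounts: List[Account]) -> Dict:
    """Summarise MFA coverage the way an underwriting questionnaire asks for it.

    Privileged accounts are reported separately because a single unprotected
    admin account is a bigger risk signal than the overall percentage suggests.
    """
    privileged = [a for a in accounts if a.privileged]
    covered_all = sum(1 for a in accounts if a.mfa_enforced)
    covered_priv = sum(1 for a in privileged if a.mfa_enforced)
    gaps = sorted(a.upn for a in accounts if not a.mfa_enforced)
    privileged_gaps = sorted(a.upn for a in privileged if not a.mfa_enforced)
    overall_pct = _pct(covered_all, len(accounts))
    return {
        "accounts": len(accounts),
        "overall_pct": overall_pct,
        "privileged_accounts": len(privileged),
        "privileged_pct": _pct(covered_priv, len(privileged)),
        "gaps": gaps,
        "privileged_gaps": privileged_gaps,
        # The page's target is 100% coverage on critical systems; anything less
        # is a finding to remediate before the evidence pack is exported.
        "meets_target": overall_pct == 100.0 and not privileged_gaps,
    }


if __name__ == "__main__":
    report = mfa_coverage_report(ACCOUNTS)
    print(f"MFA coverage: {report['overall_pct']}% of {report['accounts']} accounts")
    print(f"Privileged:   {report['privileged_pct']}% of {report['privileged_accounts']} accounts")
    for upn in report["privileged_gaps"]:
        print(f"  PRIVILEGED GAP: {upn}")
    for upn in report["gaps"]:
        print(f"  gap: {upn}")
```

The report treats "registered" and "enforced" as different things on purpose: an account that has enrolled an authenticator but is not required to use it does not count as covered, which is the distinction underwriters probe when they ask about privileged and remote access.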
Establish a Documented Patch Management Programme
Unpatched systems are involved in a significant proportion of successful breaches. Insurers want to see that you have a defined patching cadence: critical vulnerabilities remediated within 14 days, high-severity within 30 days, and routine patches applied within 90 days. Beyond the policy, they want evidence that you actually follow it.
How Fig collects evidence
Fig tracks patch status across your infrastructure, generates compliance reports against your defined SLAs, and flags overdue patches automatically. This evidence is exactly what underwriters request during the application process.
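The SLA check the two paragraphs above describe, as an added example that is not Fig's own code: it applies the page's 14/30/90-day cadence to a constructed set of patch records (hostnames and finding ids are placeholders) and produces, as of a given date, the per-severity compliance percentage and the list of overdue items. Findings that are still open but inside their window are reported but not counted against compliance, so the figure does not penalise work that is not yet due.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Patching cadence from the page: days allowed from detection to remediation.
SLA_DAYS = {"critical": 14, "high": 30, "routine": 90}

# Constructed sample records; hosts and finding ids are placeholders.
PATCH_RECORDS: List[Dict] = [
    {"host": "srv-01", "finding": "F-001", "severity": "critical",
     "detected": date(2024, 6, 1),  "patched": date(2024, 6, 10)},
    {"host": "srv-02", "finding": "F-002", "severity": "critical",
     "detected": date(2024, 6, 1),  "patched": date(2024, 6, 20)},
    {"host": "srv-03", "finding": "F-003", "severity": "critical",
     "detected": date(2024, 6, 25), "patched": None},
    {"host": "ws-10",  "finding": "F-004", "severity": "high",
     "detected": date(2024, 5, 1),  "patched": None},
    {"host": "ws-11",  "finding": "F-005", "severity": "high",
     "detected": date(2024, 6, 5),  "patched": date(2024, 6, 30)},
    {"host": "ws-12",  "finding": "F-006", "severity": "routine",
     "detected": date(2024, 3, 1),  "patched": date(2024, 5, 20)},
]


def due_date(record: Dict) -> date:
    """Date by which the record must be patched under its severity's SLA."""
    return record["detected"] + timedelta(days=SLA_DAYS[record["severity"]])


def classify(record: Dict, as_of: date) -> str:
    """One of: within_sla, closed_late, open_overdue, open_in_sla."""
    due = due_date(record)
    patched: Optional[date] = record["patched"]
    if patched is not None:
        return "within_sla" if patched <= due else "closed_late"
    return "open_overdue" if as_of > due else "open_in_sla"


def sla_report(records: List[Dict], as_of: date) -> Dict:
    """Per-severity SLA compliance plus the overdue backlog, as of a date."""
    by_severity: Dict[str, Dict] = {}
    overdue: List[Tuple[str, str, int]] = []
    for r in records:
        status = classify(r, as_of)
        bucket = by_severity.setdefault(r["severity"], {
            "within_sla": 0, "closed_late": 0, "open_overdue": 0, "open_in_sla": 0})
        bucket[status] += 1
        if status == "open_overdue":
            overdue.append((r["host"], r["finding"], (as_of - due_date(r)).days))
    total_ok = total_judged = 0
    for bucket in by_severity.values():
        # Only records that have reached a verdict count towards the percentage.
        judged = bucket["within_sla"] + bucket["closed_late"] + bucket["open_overdue"]
        bucket["compliance_pct"] = round(100.0 * bucket["within_sla"] / judged, 1) if judged else 100.0
        total_ok += bucket["within_sla"]
        total_judged += judged
    return {
        "as_of": as_of.isoformat(),
        "by_severity": by_severity,
        "overall_pct": round(100.0 * total_ok / total_judged, 1) if total_judged else 100.0,
        "overdue": sorted(overdue, key=lambda t: -t[2]),   # most overdue first
    }


if __name__ == "__main__":
    report = sla_report(PATCH_RECORDS, date(2024, 6, 30))
    print(f"Patch SLA compliance as of {report['as_of']}: {report['overall_pct']}%")
    for sev, b in report["by_severity"].items():
        print(f"  {sev:<9} {b['compliance_pct']:>5}%  late={b['closed_late']} overdue={b['open_overdue']}")
    for host, finding, days in report["overdue"]:
        print(f"  OVERDUE {host} {finding}: {days} days past due")
```

Running the same function against the same records every month, with a moving `as_of`, gives the twelve months of trend evidence the page says underwriters ask for; the `closed_late` column is the one to watch, since it records breaches of the policy even after the patch was eventually applied.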
Encrypt Data at Rest and in Transit
Encryption is a baseline expectation for any organisation applying for cyber insurance. This means full-disk encryption on all endpoints, TLS 1.2 or higher for data in transit, and encryption of sensitive data stores including databases and backups. Insurers view encryption as a fundamental control that significantly limits the blast radius of a breach.
How Fig collects evidence
Fig verifies encryption status across endpoints and cloud services, documenting compliance with your encryption policy. Reports show encryption coverage percentages and highlight any gaps.
Build and Test an Incident Response Plan
Having an incident response plan is not enough. Underwriters want to see that the plan has been tested, that roles and responsibilities are clearly defined, and that the plan includes specific procedures for ransomware, data breaches, and business email compromise. Organisations that conduct tabletop exercises at least annually and can provide evidence of these exercises demonstrate operational maturity that insurers reward.
How Fig collects evidence
Fig includes pre-built incident response playbooks, tracks tabletop exercise completion, and maintains a full audit trail of every incident and response action. This documentation serves as direct evidence for insurance applications.
Deploy Continuous Vulnerability Scanning and Remediation
Point-in-time penetration tests are valuable, but insurers increasingly expect continuous vulnerability management. This means regular automated scanning of internal and external assets, prioritised remediation based on exploitability and business impact, and documented evidence of vulnerability closure rates over time. Organisations that can show a declining trend in open vulnerabilities demonstrate proactive risk management.
How Fig collects evidence
Fig runs continuous vulnerability scans, prioritises findings by severity and exploitability, assigns remediation tasks, and tracks closure rates. Trend reports show underwriters that your risk posture is improving, not static.
Frequently Asked Questions
Common questions about cyber insurance and premium reduction
How much can you actually reduce cyber insurance premiums?
Organisations that implement the five controls outlined on this page typically see premium reductions of 15-25%. The exact figure depends on your industry, size, claims history, and the specific insurer. MFA coverage and incident response maturity tend to have the largest individual impact on premium calculations.
Which controls do cyber insurance underwriters care about most?
The controls that consistently appear in underwriting questionnaires are: multi-factor authentication (particularly on privileged and remote access), patch management with defined SLAs, endpoint detection and response, email security and anti-phishing measures, backup and recovery procedures, encryption, incident response planning, and security awareness training. MFA and patch management are the two most heavily weighted.
Do I need Cyber Essentials certification to get better insurance rates?
Cyber Essentials is not strictly required by most insurers, but it is increasingly recognised as a benchmark. Some UK insurers offer preferential rates for organisations with Cyber Essentials or Cyber Essentials Plus certification. Beyond the potential premium benefit, the certification process itself ensures you have the foundational controls that underwriters evaluate.
How does Fig help with cyber insurance applications?
Fig generates evidence packs that map directly to common underwriting questionnaire items. Instead of manually gathering screenshots, logs, and policy documents, you can export a pre-formatted evidence bundle showing MFA coverage, patch compliance, vulnerability scan results, incident response documentation, and encryption status. This saves significant time during the application process and ensures accuracy.
Can demonstrating compliance with frameworks like ISO 27001 or NIS2 reduce premiums?
Yes. Formal compliance certifications signal to underwriters that your organisation maintains a structured approach to information security. ISO 27001 certification, SOC 2 reports, and Cyber Essentials Plus are all viewed favourably. NIS2 compliance, while primarily a regulatory requirement, also demonstrates a level of maturity that insurers recognise. Fig supports over 65 compliance frameworks and makes maintaining certifications significantly less burdensome.
What evidence should I prepare before my insurance renewal?
Start preparation at least 60 days before renewal. Gather: a current MFA deployment report showing coverage percentages, patch compliance reports for the past 12 months, vulnerability scan results showing trending improvement, a copy of your incident response plan with evidence of tabletop exercises, encryption status reports, security awareness training completion rates, and any compliance certifications you hold. Fig can generate all of these reports on demand.
How quickly do premium reductions take effect?
Premium adjustments are typically applied at your next renewal date. If you implement controls mid-term, the changes will not affect your current premium, but they will be evaluated during your next underwriting review. Some brokers can facilitate mid-term reviews for significant improvements, but this varies by insurer.
Does Fig integrate with insurance brokers or carriers directly?
Fig generates standardised evidence reports that can be shared with any broker or carrier. We are building direct integrations with selected insurance partners to simplify the evidence submission process further. Contact our team for details on current insurance partnership programmes.
Build Your Insurance Evidence Pack
Fig collects the evidence underwriters need, automatically. Start before your next renewal and demonstrate the controls that drive premium reductions.