Cyber Essentials is not enough for an insurer questionnaire: what to add

TL;DR

  • Cyber Essentials covers 5 technical controls: firewalls, secure configuration, access controls, malware protection and patch management. It is a solid baseline.

  • Cyber insurance questionnaires go significantly further. They ask about incident response planning, privileged access management, continuous monitoring, backup testing, and identity controls that Cyber Essentials does not cover.

  • The gap is not a reason to dismiss Cyber Essentials. It is a reason to understand what it covers and what sits above it, and to build the client conversation accordingly.

  • From what I've seen, clients who hold Cyber Essentials certification often assume they have answered the insurance question. That assumption is what gets them into difficulty at renewal.

  • MSPs who understand both frameworks are well placed to have a structured conversation about what the client already has and what still needs to be evidenced.

A conversation I keep coming back to

I was on a call a while back with a partner who told me that one of her clients had failed their cyber insurance renewal despite holding Cyber Essentials Plus certification. The client was genuinely surprised. They felt they'd done the right thing, invested in the certification, and expected it to carry more weight than it did. What the insurer was asking about went well beyond what Cyber Essentials covers, and the client simply didn't have documentation ready for those additional areas.

I've heard versions of this story quite a few times since then, and I think it points to a misconception that's worth addressing directly. Cyber Essentials is a well-designed certification that covers the foundational technical controls. It is not a comprehensive insurance questionnaire preparation tool. The two serve different purposes, and conflating them creates a gap that tends to surface at exactly the wrong moment. The reason I mention this is not to undermine Cyber Essentials, which I think is genuinely useful, but to help MSPs position it correctly with their clients.

What Cyber Essentials covers

Cyber Essentials covers 5 control areas: boundary firewalls and internet gateways, secure configuration of devices, access controls and administrative account management, malware protection, and patch management. The Plus version adds an independent technical audit of those controls, which gives it more credibility for insurers than the basic self-assessment.

These are the right controls to have. An organization that genuinely meets Cyber Essentials Plus is in a better security position than one that does not. The point is not that these controls are unimportant. It is that the compliance landscape your clients are navigating extends considerably beyond them, and the insurer questionnaire reflects that broader landscape.

What insurers ask for that Cyber Essentials does not cover

Incident response planning

Cyber Essentials does not require a documented incident response plan. Insurers do. They want to see a plan that names roles and responsibilities, defines escalation paths, covers communication procedures and has been reviewed within the last 12 months. From what I've seen, this is the single most common gap for clients who hold Cyber Essentials but are encountering a detailed insurer questionnaire for the first time.

Privileged access management

Cyber Essentials covers access controls at a fairly high level: administrative accounts should be separate from day-to-day accounts and should be used only for administrative tasks. Insurer questionnaires go further, asking about step-up authentication for admin access, privileged access workstations, just-in-time access provisioning and a formal review process for admin rights. Most SMB clients have not implemented these controls at the level insurers are now asking about.

Continuous monitoring and detection

Cyber Essentials does not require continuous security monitoring or a formal detection and response capability. Insurer questionnaires increasingly ask about both. The specific questions tend to cover whether the organization has an EDR tool deployed and actively managed, whether there is a process for reviewing security alerts, and whether there is a record of how recent alerts were handled. The difference between proactive and reactive detection matters here because insurers are starting to distinguish between organizations that detect incidents quickly and those that find out about them days or weeks later.

Backup testing

Cyber Essentials requires that backups exist and are configured appropriately, but does not require evidence of successful recovery testing. Insurers ask specifically about this. When were backups last tested? Was recovery successful? Is there a documented record of the test? A backup that has never been tested for recovery is one of the highest-risk assumptions in a client environment, and insurers are increasingly treating untested backups as a material risk factor in renewal decisions.

Identity and email controls

Insurers now routinely ask about multi-factor authentication coverage in detail, DMARC and SPF configuration for email domains, and controls around phishing. Cyber Essentials covers access control and configuration broadly, but does not drill into email authentication controls at the level insurers have started to require. For clients who have had their Cyber Essentials certification for more than a year or two, what the questionnaire is actually asking about in these areas is likely to be more detailed than what the certification required at the time.
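A worked check for the email authentication part of that questionnaire, added here as an example rather than anything from the original post: it evaluates SPF and DMARC TXT records against the things insurers ask about (an enforcing DMARC policy, aggregate reporting as an evidence trail, a non-permissive SPF "all" mechanism). The domains and records are constructed samples; in practice the records come from DNS TXT lookups of the domain and `_dmarc.<domain>`.

```python
"""Assess SPF and DMARC records for the gaps an insurer questionnaire probes."""

# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS = {
    "example-good.test": {
        "spf": "v=spf1 include:_spf.mailprovider.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test; pct=100",
    },
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mailprovider.test +all",
        "dmarc": "v=DMARC1; p=none; pct=100",
    },
    "example-missing.test": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf, dmarc):
    """Return a list of findings for one domain; an empty list means no gaps."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record published")
    else:
        # The trailing 'all' mechanism decides what happens to unlisted senders.
        last = spf.split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF: '+all' lets any host send as this domain")
        elif last == "?all":
            findings.append("SPF: '?all' is neutral; use ~all or -all")
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        findings.append("DMARC: no record published")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC: p=%s is not enforcing; use quarantine or reject" % tags.get("p", "missing"))
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so no aggregate reports exist as evidence")
        if int(tags.get("pct", "100")) < 100:
            findings.append("DMARC: pct below 100 applies the policy to only part of the mail")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its findings, ready to drop into a gap-analysis report."""
    return {domain: assess_email_auth(r["spf"], r["dmarc"]) for domain, r in records.items()}
```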

How to position this with clients

One of the things I find most useful in this conversation is the iceberg analogy. Cyber Essentials is the visible part of the iceberg: the baseline that everyone should have and that's visible to anyone looking at the organization's security posture. What insurers are asking about is the part below the waterline: the monitoring, the incident response planning, the identity controls, the evidence trail. That part is harder to see but it's what determines whether a claim gets paid.

The reason I like that framing is that it doesn't dismiss what the client has already done. They've invested in Cyber Essentials. That's a good thing and worth acknowledging. What the conversation then does is open up the question of what sits above it and how to evidence it. That's a much more productive conversation than telling a client their certification is inadequate. And it maps well to how the myths that prevent MSPs from selling more security tend to operate in practice: clients who believe they've done enough often need a gentle and specific conversation about what 'enough' means for their insurer's purposes.

What I've seen work is running a structured gap analysis between the client's current Cyber Essentials coverage and a typical insurer questionnaire, and presenting the results as a prioritized list of what needs to be added and evidenced. It gives the client something concrete to act on and gives the MSP a clear scope of work. The gaps between what Cyber Essentials covers and what insurers assess tend to fall into a consistent pattern once you've done a few of these, and building a repeatable assessment process around them is worth the investment.

The partner story that comes to mind when I think about this conversation going well is Shinka IT's approach, where running the security platform internally before offering it to clients gave them the direct experience to talk about evidence and controls from a position of genuine knowledge rather than a sales pitch. That credibility matters when you're asking a client to invest in additional controls beyond what they thought was sufficient.

FAQ

What does a cyber insurer want to see beyond Cyber Essentials?

The areas most commonly asked about beyond Cyber Essentials cover 5 things: a documented incident response plan reviewed within the last 12 months, privileged access management controls including separate admin accounts and step-up authentication, active endpoint detection and response with evidence of alert management, documented backup recovery testing with results and dates, and identity controls including MFA coverage across all accounts and email authentication configuration. Each of these needs evidence, not just confirmation that a control exists.

Is Cyber Essentials Plus worth getting if you're preparing for insurance renewal?

How long does it take to close the gap between Cyber Essentials and insurer requirements?

Do all cyber insurers ask the same questions?

How can an MSP build a repeatable Cyber Essentials gap analysis?

What role does continuous monitoring play in insurance readiness?

About Author

Hannah Lloyd

Hannah Lloyd is CRO and co-founder of enhanced.io. She leads global new business generation and works directly with MSP partners to build and sell security practices.