How to achieve and maintain Cyber Essentials and Cyber Essentials Plus certification, strengthening your insurance firm security posture and demonstrating compliance commitment.
Insurance firms are among the most targeted sectors for cyber attacks, handling vast quantities of sensitive personal and financial data that criminals seek to exploit. The Cyber Security Breaches Survey 2024 found that 50% of UK businesses identified a cyber security breach or attack in the past 12 months, with financial services firms experiencing disproportionately sophisticated threats.
While Cyber Essentials certification is not a legal requirement for insurance firms, it has become a de facto industry standard. Many Lloyd's market managing agents now require their coverholder and delegated authority partners to hold Cyber Essentials certification. Similarly, insurers writing cyber insurance increasingly expect their own supply chain to demonstrate baseline cyber hygiene.
Beyond commercial expectations, Cyber Essentials provides a practical, auditable framework that aligns with the technical security measures expected under Article 32 of the UK GDPR. The ICO has cited the absence of basic cyber security controls as an aggravating factor in data breach enforcement actions, making certification a valuable evidential tool.
Cyber Essentials covers five fundamental technical controls: firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. For insurance firms with mature IT environments, many of these controls may already be in place — the challenge is documenting and formalising them to meet the certification standard.
The scheme offers two levels: Cyber Essentials (self-assessment questionnaire verified by a certification body) and Cyber Essentials Plus (includes an independent technical audit with vulnerability scanning and on-site testing). Insurance firms handling special category data should aim for Cyber Essentials Plus, as the independent verification provides stronger evidence of compliance for both the ICO and commercial partners.
A structured implementation approach, working through each control area systematically and using the NCSC guidance documents, can typically achieve certification within 8-12 weeks for a well-prepared insurance firm.
Follow this implementation pathway to prepare for and achieve Cyber Essentials or Cyber Essentials Plus certification.
Determine which IT infrastructure falls within scope of certification. For insurance firms, this should include all systems that process policyholder personal data, claims information, and financial data. Define the network boundary, identify all devices and software within scope, and document any exclusions with justification.
Conduct a gap analysis against the five Cyber Essentials control themes. Review your firewall configurations, software update policies, user access management procedures, anti-malware deployment, and device security settings. Document current compliance status for each requirement and identify gaps that need remediation.
Ensure all devices that connect to the internet are protected by a properly configured firewall. Change default passwords on all network devices, disable unnecessary services and ports, and implement network segmentation to protect sensitive insurance data systems. Document your firewall rules and review them to remove any outdated or unnecessary entries.
Remove or disable unnecessary software, user accounts, and services from all devices. Configure operating systems and applications according to vendor security guidance. Implement device encryption on all laptops and mobile devices that may access insurance data. Create documented build standards for each device type in your environment.
Enforce the principle of least privilege across all systems. Ensure every user has a unique account, implement multi-factor authentication for all cloud services and remote access, and establish a process for promptly removing access when staff leave or change roles. Conduct a full access review across insurance systems to identify and revoke excessive permissions.
Install anti-malware software on all in-scope devices and configure it to update automatically and scan regularly. Implement application whitelisting where practical, and ensure sandboxing or filtering is in place for email attachments and web downloads. Configure browsers to block known malicious sites.
Implement a process to apply security patches to all software within 14 days of release, as required by Cyber Essentials. This includes operating systems, applications, firmware, and plugins. Remove any unsupported software that no longer receives security updates. Establish automated patching where possible and manual patch tracking for systems that cannot be auto-updated.
Select an accredited Cyber Essentials certification body and complete the self-assessment questionnaire for Cyber Essentials, or arrange the technical audit for Cyber Essentials Plus. The Plus assessment includes external vulnerability scanning, internal scanning, and verification of controls on a sample of devices. Address any findings promptly and resubmit if required.
Cyber Essentials certification is valid for 12 months. Rather than treating recertification as an annual scramble, embed the five control themes into your ongoing IT management processes. Conduct quarterly internal reviews against the requirements to maintain continuous compliance.
Insurance firms with remote or hybrid workers must ensure that home devices meet Cyber Essentials standards. This includes personal devices used to access company systems under BYOD policies. Consider issuing managed devices or implementing mobile device management solutions.
Use Cyber Essentials as a foundation and build towards more comprehensive frameworks such as ISO 27001 or the NIST Cybersecurity Framework. Many of the Cyber Essentials controls map directly to these broader standards, making future certification more efficient.
Structure your Cyber Essentials documentation so that it also serves as evidence of UK GDPR Article 32 compliance and FCA operational resilience requirements. A single set of well-maintained security documentation can satisfy multiple regulatory and commercial obligations.
Certification readiness checklist:
- Scope: all systems processing insurance personal data included, with clear boundary definition.
- Gap analysis: current compliance status documented, with a remediation plan for identified gaps.
- Firewalls: all internet-facing devices protected, with unnecessary services disabled.
- Secure configuration: default passwords changed, unnecessary software removed, encryption enabled.
- User access control: MFA enabled, unique accounts for all users, access review completed.
- Malware protection: coverage verified, including laptops, desktops, servers, and mobile devices.
- Patch management: all software patched within 14 days of security update release.
SwiftCase is built with Cyber Essentials-aligned security controls including encryption, role-based access, MFA, and comprehensive audit logging — helping your insurance firm meet certification requirements.