BIBA's 2026 broker conference opens in Manchester on 13 May with cyber insurance as a feature topic for the first time, and the timing is not accidental. Premiums, exclusions and claim outcomes are now driven by a small set of security controls - the same controls Cyber Essentials Danzell now treats as auto-fail and the same controls the M&S, Co-op and Harrods stories told us actually matter. We unpack what underwriters are asking in 2026, where claims are getting denied, and what UK schools, charities and smaller businesses should have ready before they renew.
Key takeaways
BIBA's 2026 conference (Manchester Central, 13-14 May) features a dedicated Cyber Hub for the first time. The cyber insurance market for UK smaller organisations is materially tighter than 12 months ago - the M&S, Co-op and Harrods cluster alone removed an estimated £270-440m from one carrier pool's loss budget, and underwriters have responded by hardening the minimum-controls list.
DSIT's Insuring Resilience study (the most recent UK government work on SME cyber insurance) found that 65% of surveyed SMEs hold cyber cover but only 8% find the information from insurers or brokers 'very clear'. The 2025/2026 Cyber Security Breaches Survey shows 43% of businesses and 28% of charities had an incident in the last year. The gap between 'we have a policy' and 'the policy will pay out' is now where most UK SMB and charity risk actually sits.
In 2026, almost every UK underwriter wants the same six controls before they will quote a competitive premium: enforced MFA on email and remote access, EDR or MDR on endpoints, tested offsite backups, a written incident response plan, timely patching and removal of unsupported software, and a managed approach to privileged accounts. Where these are missing, premiums rise materially or cover is declined.
That list is not an accident. It is essentially the same list Cyber Essentials Danzell (mandatory since 27 April 2026) made into auto-fail questions. Holding a current Cyber Essentials certificate is now used by Hiscox, Aviva, Zurich, AIG, CFC and Beazley as an underwriting input. Passing Danzell and being cyber-insurable have effectively become the same question.
The British Insurance Brokers' Association opens its 2026 conference in Manchester on 13 May - nine days from now - with a dedicated Cyber Hub on the agenda for the first time. That decision is not branding. It reflects a market that has hardened significantly for UK smaller organisations over the last twelve months, and a recognition by the broking community that the gap between 'we sold them a cyber policy' and 'the cyber policy paid out' has become uncomfortably wide.
For the schools, charities and smaller businesses ReadyToday usually writes for, this matters in three practical ways. Premiums are still affordable, but no longer cheap. The questions on the proposal form are sharper than they were 18 months ago, and the answers are checked against real evidence at claim time. And the gap between an organisation that has 'all of the basics' and one that has 'the basics, configured properly, with logs to prove it' is now the difference between a policy that responds and one that does not.
What changed in the last twelve months
Three things, mostly.
First, the cluster of major UK retail incidents in spring 2025 - M&S, Co-op and Harrods - removed an estimated £270-440m of impact from the carrier pool in a few weeks. The Cyber Monitoring Centre formally rated that cluster a Category 2 systemic event. Whatever the precise economic number, the message to insurance underwriting committees was the same: we have under-priced helpdesk and supplier risk for years, and we are not going to repeat the mistake.
Second, the Cyber Security Breaches Survey 2025/2026 confirmed what carriers already suspected: phishing is still the dominant attack at 38% of businesses and 25% of charities, and AI-assisted lures are rising while staff training stays under one in five. Carriers respond to that pattern by demanding controls that make phishing structurally less effective - phishing-resistant MFA, passkeys where they are supported, tightly scoped privileged access, and EDR that catches the second-stage tooling when a credential does get phished.
Third, Cyber Essentials Danzell became mandatory on 27 April. For the first time the scheme has true automatic-fail rules, and they sit on exactly the controls that have historically been the soft spots for UK smaller organisations: MFA on cloud services, timely patching, and unsupported software. Major UK cyber insurers - Hiscox, Aviva, Zurich, AIG, CFC and Beazley among them - already reference Cyber Essentials in their underwriting questions; an organisation that cannot pass the new Danzell question set will struggle to give an underwriter a clean answer to most of the proposal form.
The 'minimum bar' to be insurable in 2026
The biggest claim-denial trap in 2026 is not 'did you have MFA' - it is 'can you prove MFA was enforced on every account on the day of the incident'. SMBs, charities and schools that get cover but cannot produce enforcement logs, enrolment reports, backup restore tests and a dated incident response plan are quietly underinsured. The fix is operational hygiene, not bigger limits.
Strip back the brochures and the broker decks, and the actual list of controls insurers expect to see before they quote a competitive premium for an SMB, charity or independent school is short. Six items appear on almost every proposal form:
Enforced multi-factor authentication on email, remote access, VPN, admin portals and any internet-facing service. Not 'MFA available' - MFA enforced for every user, with no opt-out, and with phishing-resistant methods (passkeys, FIDO2 keys, or app-based push with number matching) preferred over SMS.
Endpoint detection and response on every device that touches business data. EDR or MDR is now the cyber equivalent of having a fire alarm rather than a smoke detector - it does not stop the fire starting, but it tells you and your responder that the fire has started, in time to do something about it.
Tested offsite backups with a documented restore process. The two failure modes underwriters have been most badly burned by are 'we had backups but they were on the same domain as the ransomware' and 'we had backups but we had never tried to restore from them'. A backup that has not been test-restored in the last twelve months is not a control; it is a hope.
A written incident response plan that names the people, the steps and the suppliers. Carriers are increasingly asking for evidence that the plan has been tested in the last year, even if only as a tabletop exercise. For a school the test can be 30 minutes around a coffee table; the point is that it was done and there is a one-page note to show it was done.
Timely patching and the removal of unsupported software. Danzell makes both auto-fail questions; insurers ask broadly the same question with slightly different wording. Anything still running on Server 2012, Windows 7 or out-of-support PHP is treated as an open door.
A managed approach to privileged accounts. That means: no shared admin passwords, no domain admin used for daily email, separate accounts for privileged work, and a clear list of who has those rights. The M&S story turned on a privileged third-party account; it is the example every underwriter quotes in 2026.
There are other questions on the form - employee training cadence, supplier review process, mobile device management, encryption at rest - but those six items are the ones that move premium and decide whether cover is offered at all.
The proof problem - the trap most SMBs fall into
The pattern that has emerged from claim disputes over the last 18 months is quietly devastating. Most denied claims do not involve organisations that lied on the proposal form. They involve organisations that had every control listed, broadly believed they were doing the right thing, and could not produce the evidence under forensic scrutiny when the claim was investigated.
The bar in 2026 is not 'did you have MFA?'. It is closer to: can you produce an MFA enforcement policy, an enrolment report showing 100% coverage on the day of the incident, a list of any service-account or break-glass exceptions, and the audit log entries that show enforcement was active for the user account that was compromised? The same logic applies to backups (can you show the last successful restore test?), to patching (can you show the patch level on the affected server on the day of the attack?), and to incident response plans (when was this version dated, and who has signed off on it?).
This is the part Cyber Essentials Danzell drags into the open. The new question set effectively forces the same conversation a forensic claims investigator would have, twelve months earlier and at much lower cost. Organisations that pass Danzell now will, almost by accident, have the documentation they need at renewal and at claim time.
Questions to ask your broker before you renew
If you have a renewal in the next ninety days, four questions are worth raising explicitly with your broker, in writing.
What does this policy require for MFA, and what counts as 'enforced'? Get specific: every user, every account, every access path. Ask what the carrier's position is if a single break-glass account is found to have MFA disabled at the time of an incident.
How does the policy treat sub-limits and waiting periods for ransomware, social engineering and business email compromise? Many SMB-aimed policies have headline limits that look reassuring but sub-limit those three categories - which are the categories you are most likely to claim under - to a fraction of the headline.
Is Cyber Essentials (or Cyber Essentials Plus) a discount, a requirement, or a future requirement at this carrier? It increasingly is one of those three.
What is the carrier's position on supplier and helpdesk-mediated incidents? Carriers are tightening cover where the breach starts at a third party with a credentialed connection into your network. Ask the question now rather than after a Scattered-Spider-style call to your outsourced IT helpdesk.
A 60-day action plan for your next renewal
In the first two weeks: pull a clean MFA enforcement report from your identity provider for every account, including service accounts and external collaborators. Fix any exceptions. Document the residual ones with a dated risk-acceptance note signed by a named person.
In the next two weeks: run a real restore test from your most recent offsite backup into an isolated environment. Time it. Note any data loss. File the result.
In weeks five and six: write or update a one-page incident response plan that names the responder, the deputy, the cyber insurance number, the legal contact and the public-relations contact. Run a 30-minute tabletop against a ransomware scenario and a Scattered-Spider-style supplier scenario.
In weeks seven and eight: gather the evidence into a single 'cyber file' - MFA report, restore test note, IR plan, patch status report, supplier list, latest Cyber Essentials Danzell self-assessment. Send it to your broker before they ask. The premium impact is small but real, and the claim-time impact is large.
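As an added example (not code from the original article or from ReadyToday), this is the kind of check the MFA step of the plan above and the 'proof problem' section both call for: it reads an identity-provider export and separates undocumented gaps (fix now) from documented exceptions (residual, needing a dated risk-acceptance note) and enforced-but-SMS-only accounts. The column names and the sample rows are constructed assumptions; a real Entra ID or Google Workspace export will look different.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed sample identity-provider export (hypothetical column names;
# a real export will differ). Guests and service accounts are included on
# purpose: those are the rows that usually go missing from 'everyone has MFA'.
SAMPLE_EXPORT = """\
account,type,mfa_enforced,methods,exception_ref
head@school.example,member,yes,fido2,
office@school.example,member,yes,sms,
contractor@partner.example,guest,no,,
backup-svc@school.example,service,no,,RA-2026-03
breakglass@school.example,member,no,,
"""

# Methods the article treats as phishing-resistant; SMS on its own is not.
PHISHING_RESISTANT = {"fido2", "passkey", "push_number_match"}

@dataclass
class CoverageReport:
    as_of: date
    total: int = 0
    enforced: int = 0
    fix_now: list = field(default_factory=list)      # unenforced, no documented exception
    residual: list = field(default_factory=list)     # unenforced, dated risk acceptance on file
    weak_method: list = field(default_factory=list)  # enforced, but not phishing-resistant

    def coverage_pct(self) -> float:
        return 100.0 * self.enforced / self.total if self.total else 0.0

    def is_clean(self) -> bool:
        # 'Enforced on every account' with a list of exceptions means: no undocumented gaps.
        return not self.fix_now

def mfa_coverage_report(export_text: str, as_of=None) -> CoverageReport:
    """Classify every account in the export so the gaps can go into the cyber file."""
    report = CoverageReport(as_of=as_of or date.today())
    for row in csv.DictReader(io.StringIO(export_text)):
        report.total += 1
        if row["mfa_enforced"].strip().lower() == "yes":
            report.enforced += 1
            methods = {m.strip() for m in row["methods"].split(";") if m.strip()}
            if not methods & PHISHING_RESISTANT:
                report.weak_method.append(row["account"])
        elif row["exception_ref"].strip():
            report.residual.append((row["account"], row["exception_ref"]))
        else:
            report.fix_now.append((row["account"], row["type"]))
    return report
```

Run it against the export on the day you file the evidence; the `fix_now` list is what to close before renewal, and `residual` is what the signed risk-acceptance notes must cover.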
The honest summary
The cyber insurance market for UK smaller organisations has not collapsed. It has matured. Premiums for organisations that can show the standard six controls remain manageable; cover for organisations that cannot is becoming either expensive, narrow, or both. The Cyber Essentials Danzell rules and the underwriting standards have converged on the same shortlist of must-haves, which is an opportunity rather than a burden: the work you do for one is largely the work you have done for the other.
If you are renewing in the next quarter, the most useful thing you can do is treat the proposal form as an audit checklist and the broker conversation as the easy version of a claims investigation. The organisations that come out of 2026 with cover that actually responds will be the ones that did the boring documentation work this spring. We help schools, charities and smaller businesses get that work done in a few weeks, not a few quarters - if you would like a hand, our cybersecurity resilience service and a free discovery call are the right starting points.