Cyber Essentials cut claims 92%
What happened
The UK’s National Cyber Security Centre said basic Cyber Essentials controls can reduce cyber‑insurance claims by 92%, stressing supply‑chain weak points and offering an implementation playbook. That finding ties simple security hygiene directly to lower insurer loss experience and suggests underwriting and risk engineering should lean on baseline controls. Carriers will likely use these controls both as premium differentiators and as underwriting conditions. (x.com/NCSC/status/2039650322092548460)
Why it matters
The National Cyber Security Centre published a Cyber Essentials Supply Chain Playbook that gives procurement and security teams step‑by‑step resources for making supplier cyber checks part of routine procurement, including templates, monitoring options and a recommended seven‑step process. (ncsc.gov.uk)

Cyber Essentials is a government‑backed, annually renewable certification scheme delivered through the NCSC’s partner IASME, and the government has required Cyber Essentials or Cyber Essentials Plus for certain public contracts since 2014 under Procurement Policy Note 014, updated February 17, 2025. (iasme.co.uk) (gov.uk)

The scheme centres on five technical controls: firewalls (hardware or software that blocks unauthorised traffic at the network edge), secure configuration (removing default passwords and switching off unneeded services), user access control (restricting who can log in and what they can access), malware protection (anti‑malware tools to detect or block malicious software), and security update management (regularly applying software patches to fix known vulnerabilities). Cyber Essentials Plus is the same controls plus independent technical testing. (ncsc.gov.uk 1) (ncsc.gov.uk 2)

The government’s Cyber Essentials management information shows material uptake: 55,995 Cyber Essentials certificates were awarded in the 12‑month window January–December 2025. The playbook also cites a wider awareness problem, noting that only about 14% of firms report being on top of their immediate suppliers’ cyber risks. (gov.uk) (ncsc.gov.uk)

The official impact evaluation that underpins the playbook reports two concrete results: the five technical controls were found to mitigate the large majority of internet‑originating vulnerabilities in prior testing, and 48% of organisations said Cyber Essentials saved them time on cyber‑security due diligence when a potential supplier already held certification. (gov.uk)

The Playbook’s operational guidance lists actionable steps for buyers: scope supplier security profiles, set minimum security requirements and contract language, incentivise certification, and monitor adoption using the IASME Supplier Check bulk verification tool. IASME offers mechanisms to validate certificates and bulk‑check supplier lists for large buyers. (ncsc.gov.uk) (supplier.iasme.co.uk)