Sell the Evidence Package: How Cyber Insurance Renewals Became an MSP Revenue Line in 2026
Cyber insurers now want documented proof of security controls at renewal, not a signed form. Here's how MSPs can turn that demand into a productised, recurring service.
A Nottingham manufacturing firm we work with received their cyber insurance renewal pack last spring. The previous year it had been a two-page form: tick the boxes, sign at the bottom, done in fifteen minutes. This time it ran to eleven pages and asked them to attach evidence. Show us your MFA coverage. Export your backup test logs. Provide your incident response plan with a revision date. Confirm, with screenshots, that email filtering is switched on for every mailbox.
The finance director rang us in a mild panic. The renewal deadline was three weeks out, the premium had already gone up, and now the insurer wanted proof of things nobody had ever asked them to prove before. "Can you just... put this together for us?"
That phone call is the whole business case for this article. What used to be a self-attestation exercise has become an evidence exercise, and most SMEs have no idea how to build the file the insurer wants. You do. That gap is a service line.
What actually changed at renewal
For years, cyber insurance underwriting relied on trust. The client answered a questionnaire, the insurer priced the policy, and everyone assumed the answers were roughly true. Then the claims started landing. Ransomware payouts, business interruption claims, breach notification costs — insurers paid out heavily and discovered that a lot of the boxes ticked at underwriting had not reflected reality. A firm that swore it had MFA everywhere turned out to have it on nothing but the admin accounts. A backup marked "tested regularly" hadn't been restored in eighteen months.
So the market corrected. Insurers now treat the questionnaire as the start of a conversation, not the end of one. At renewal they want documented proof, and they want it to match what you told them last year. If a control was in place in 2024 and you can't show it in 2026, that's a red flag. Worse, if a claim is ever made and the evidence doesn't support the attestation, the insurer has grounds to reduce or refuse the payout. The policy the client thought they'd bought quietly evaporates.
This is where SMEs get stuck. They don't keep evidence as they go. Nobody screenshots the MFA policy in March in case an insurer asks in October. Nobody logs the quarterly backup restore test in a format an underwriter would accept. The information exists — it's scattered across your RMM, your Microsoft 365 tenant, your ticketing system — but it has never been assembled into a coherent package. Assembling it is a specialist job, and it repeats every single year.
The evidence package, defined
Stop thinking of this as answering a questionnaire and start thinking of it as producing a document. A cyber insurance evidence package is a dated, organised file that demonstrates each control the insurer cares about, with supporting proof. For a typical UK SME renewal it covers:
- Multi-factor authentication — coverage reports showing MFA enforced across email, remote access, VPN and privileged accounts, exported from the identity platform.
- Backup and recovery — the backup configuration, retention policy, and crucially the log of the most recent successful restore test, not just that backups ran.
- Endpoint protection — the deployment report showing EDR or managed antivirus on every device, including the count of unmanaged or offline machines.
- Email security — filtering, anti-phishing and DMARC/SPF/DKIM records with screenshots.
- Patching and vulnerability management — patch compliance figures and the process behind them.
- Access control — evidence that admin rights are limited and reviewed, and that leavers are deprovisioned promptly.
- Incident response — a written IR plan with a visible revision date and evidence it has been reviewed or tested.
- Security awareness training — completion records for phishing simulations and staff training.
Each item needs a source, a date, and a screenshot or export. That's the deliverable. It's tedious to build the first time and straightforward to maintain once the plumbing is in place — which is exactly the shape of a good recurring service.
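The rule that each item needs a source, a date and an export can be checked mechanically before the insurer sees the file. The following is an added example, not part of the original article: it flags controls with no evidence, incomplete records, or captures older than a quarter. The control keys, evidence kinds, field names and the 92-day window are assumptions of this example, and the manifest is constructed sample data.

```python
from datetime import date
# Keys, kind names, fields and the 92-day window are assumptions for this example.
REQUIRED_KINDS = {
    "mfa": {"coverage_report"},
    "backup": {"configuration", "restore_test"},  # a backup job log alone is not enough
    "endpoint": {"deployment_report"},
    "email": {"filter_config"},
    "patching": {"compliance_report"},
    "access": {"admin_review"},
    "incident_response": {"ir_plan"},
    "training": {"completion_records"},
}
MAX_AGE_DAYS = 92  # roughly one quarter between captures

def review_package(entries, as_of):
    """Return {control: [problems]} for controls lacking complete, current evidence."""
    findings = {}
    for control, kinds in REQUIRED_KINDS.items():
        items = [e for e in entries if e.get("control") == control]
        issues = []
        for kind in sorted(kinds):
            matches = [e for e in items if e.get("kind") == kind]
            if not matches:
                issues.append(f"no {kind} on file")
                continue
            newest = max(matches, key=lambda e: e.get("captured") or date.min)
            for field in ("source", "captured", "artifact"):
                if not newest.get(field):
                    issues.append(f"{kind}: missing {field}")
            captured = newest.get("captured")
            if captured and (as_of - captured).days > MAX_AGE_DAYS:
                issues.append(f"{kind}: stale, captured {captured.isoformat()}")
        if issues:
            findings[control] = issues
    return findings

# Constructed sample manifest (not real client data).
SAMPLE = [
    {"control": "mfa", "kind": "coverage_report", "source": "identity platform",
     "captured": date(2026, 3, 2), "artifact": "mfa-coverage.csv"},
    {"control": "backup", "kind": "configuration", "source": "backup console",
     "captured": date(2026, 3, 2), "artifact": "backup-policy.pdf"},
    {"control": "incident_response", "kind": "ir_plan", "source": "document store",
     "captured": date(2025, 9, 1), "artifact": "ir-plan.pdf"},
    {"control": "email", "kind": "filter_config", "source": "mail tenant",
     "captured": date(2026, 3, 2), "artifact": ""},
]

if __name__ == "__main__":
    print(review_package(SAMPLE, date(2026, 3, 20)))
```

In the sample, the backup control fails even though its configuration is on file, because no restore test has been recorded.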
Why this belongs with the MSP
Nobody is better placed to produce this than the MSP already running the client's estate. You own the tools that generate the evidence. You configured the MFA, you manage the backups, you deployed the endpoint agents. Pulling a coverage report is a matter of minutes for you and a matter of days of confused guesswork for the client.
There's a second reason. When a client answers an insurance questionnaire alone, they get things wrong — and those wrong answers create the very gap that voids a claim. If you're the one preparing the evidence, you catch the discrepancies before they reach the insurer. You find the three mailboxes without MFA and fix them. You spot that the IR plan hasn't been touched since 2023 and update it. You're not just documenting the controls; you're closing the holes the documentation exposes. That's genuine risk reduction the client can feel, and it makes the service easy to justify.
Productising it
Don't offer this as ad-hoc project work you scramble to deliver each time a client waves a renewal form at you. Build it into a defined, recurring engagement — call it a Cyber Insurance Readiness service or fold it into a light GRC (governance, risk and compliance) tier. Structure it around the renewal calendar:
- Baseline — an initial assessment mapping the client's current controls against what their insurer typically asks for, delivered as a gap report.
- Remediation — fixing the gaps, either as part of the package or as billable project work.
- Ongoing evidence collection — quarterly capture of the key exports and screenshots, stored and dated, so the package is never built from scratch.
- Renewal support — assembling the final evidence pack and sitting with the client (or the broker) when the questionnaire is completed.
Price it as a monthly or annual retainer per client. The recurring revenue comes from the evidence collection and renewal support; the project revenue comes from remediation. The margins are healthy because most of the effort is standardised across your client base once you've built the templates and pulled the reporting together.
The pitch
Keep it concrete. Don't lecture the client about the threat landscape — they've heard it. Lead with the renewal.
"Your insurer used to take your word for it. Now they want proof, and if the proof doesn't match what you signed, they can refuse to pay when you claim. We'll build and maintain the evidence they ask for, catch the gaps before the insurer does, and take the renewal panic off your desk. It's a fixed monthly cost, and it protects the policy you're already paying for."
The money argument writes itself. The client is spending thousands on a premium. A voided claim makes that premium worthless. A modest retainer to guarantee the policy actually pays out is easy maths for any finance director — including the one from that Nottingham manufacturer, who signed within a week.
Start with your renewal calendar
You already know when your clients' policies renew — it's in your records or a quick email away. Pull that list, flag anyone renewing in the next quarter, and reach out before their form arrives rather than after. Being the MSP who anticipated the problem lands very differently from being the one who cleaned up after it. The demand is already in the post. The only question is whether you're the one who answers it.
