Skip to main content
Vantyris

For accountants

The 12 cyber questions on your PI renewal, decoded.

Published 2026-05-25 · 12 questions · Approx. 15-minute read

Professional indemnity renewal arrives once a year with a cyber-security questionnaire that your insurer treats as a serious underwriting input. Most accountants we talk to have no idea what half the questions actually mean, copy answers from last year, and then wonder why their premium went up.

The questions are not random. They map to the specific failure modes UK PI underwriters have learned to price: phishing rides in through compromised supplier email, ransomware encrypts the file server, a partner clicks a link and a client transfers funds to the wrong account. Each question on the form is the underwriter asking "have you closed THIS gap?"

Below: the 12 questions we see across most ACCA, ICAEW, and CIOT-friendly PI providers (Hiscox, Towergate, Lockton, Markel, Arch). What each question means in plain English, why the insurer asks it, and what a Vantyris report can (and cannot) contribute to the answer. Some questions are about internal process and Vantyris doesn't help; some are about external configuration and Vantyris is the cheapest, fastest evidence you can produce.

The 12 questions

  1. 01

    Do you have a documented information security policy?

    What it means

    A written document covering how staff handle client data, who has access to what, and how access is revoked when staff leave. The insurer wants to see it exists, is dated, and has been updated within the last 12 months.

    Why they ask

    Without one, the insurer assumes you're handling client data ad-hoc, which raises their estimate of your breach probability. A clear policy doesn't prevent breaches but tells the insurer you've thought about the problem.

    How Vantyris fits

    Outside Vantyris's scope; this is internal documentation. The Vantyris report doesn't replace a policy, but the audit-trail footer on every report (with scan ID, date, methodology version) is the kind of evidence a policy section on 'external security verification' can cite.

  2. 02

    Have you completed Cyber Essentials certification (or Cyber Essentials Plus)?

    What it means

    An NCSC-accredited certification covering five basic controls: firewalls, secure configuration, security update management, user access control, malware protection. CE is the entry-level; CE+ adds a hands-on assessment.

    Why they ask

    Most UK PI insurers offer a premium discount for CE-certified firms (often 5-10%). It's also a reasonable signal that the firm runs the basics.

    How Vantyris fits

    Vantyris is NOT a CE certifying body; you need a registered certification body (IASME and partners) to issue the certificate. But every verified Vantyris scan includes a Cyber Essentials alignment section that maps each finding to the five CE control areas. That's the starting checklist for a CE submission and tells you which controls external scanning can speak to (A2 secure configuration, A3 update management) versus which need internal evidence (A1 firewalls, A4 user access, A5 malware). Read the explainer →

  3. 03

    Do you run regular external vulnerability scans on your public-facing systems?

    What it means

    Some insurers ask for evidence of an external scan within the last 12 months. Some ask for monthly scans. Some ask quarterly. The exact cadence varies by insurer.

    Why they ask

    External scanning surfaces configuration drift that nobody at the firm would otherwise notice (an expired TLS certificate, a DMARC record someone disabled, a CMS plugin update that broke security headers).

    How Vantyris fits

    Vantyris's continuous monitoring fires a scan weekly or monthly and emails you only when something changes that matters. The dated PDF report is the evidence; the public trust page is the URL the insurer can check themselves.

  4. 04

    Do you use multi-factor authentication on all administrative accounts?

    What it means

    Email, accounting software, client portals, banking. The insurer asks whether MFA (an authenticator app, a hardware key, or at minimum SMS) is enabled on every account that handles client money or data.

    Why they ask

    Stolen passwords are the single most common breach vector. MFA closes most of that.

    How Vantyris fits

    Outside Vantyris's scope; MFA is an internal configuration on each service. But Vantyris does scan for the email-authentication backbone (SPF, DKIM, DMARC) that catches the impersonation attempts MFA doesn't see.

  5. 05

    How often do you patch your software, and what's the policy for emergency updates?

    What it means

    The insurer wants a policy: 'high-risk vulnerabilities patched within 14 days, all others within 30 days' is a common standard. Cyber Essentials requires 14 days for high/critical.

    Why they ask

    Most exploits used against SMEs target known vulnerabilities with available patches the firm just didn't apply. The CISA Known Exploited Vulnerabilities catalogue lists the worst offenders.

    How Vantyris fits

    Vantyris's priority engine bumps any finding tied to a CISA-KEV CVE by 15 points, surfacing the patches that genuinely matter. The report's references library links each finding to the relevant CVE entry.

  6. 06

    Do you have a documented incident response plan?

    What it means

    A written plan covering: who decides whether something is a breach, who calls the ICO (UK-GDPR requires notification within 72 hours), who calls affected clients, what gets disclosed, and how the firm communicates externally.

    Why they ask

    Insurers know that the first 72 hours of a breach determine the legal and reputational damage. A firm without a plan improvises poorly.

    How Vantyris fits

    Outside Vantyris's scope; this is internal process. Vantyris does provide the audit-trail history on every finding (status changes, comments, who decided what when) which IS the kind of evidence you cite in the 'we monitored for X and responded by Y' section of an incident response retrospective.

  7. 07

    Are your backups offline, encrypted, and tested?

    What it means

    Offline (or immutable-cloud, like AWS Glacier with object lock) so ransomware can't encrypt them too. Encrypted at rest. Tested by actually restoring from them at least once a year.

    Why they ask

    Ransomware is the modal threat against small firms. A firm with tested offline backups recovers in days; without them, they pay the ransom or close.

    How Vantyris fits

    Outside Vantyris's scope; backups happen at your accounting software vendor + your file storage. But your client portal's security posture (which Vantyris does scan) is the gate ransomware typically rides in through.

  8. 08

    Do you train staff on phishing and social engineering?

    What it means

    An annual training session, with simulated phishing tests at least quarterly. Some insurers explicitly ask for evidence of phishing-simulation results.

    Why they ask

    Most successful breaches against accounting firms start with a phishing email. Training reduces the click rate from ~20% to ~5%.

    How Vantyris fits

    Outside Vantyris's scope. But the email-authentication checks Vantyris runs (DMARC, SPF, DKIM) close the door to phishing emails that impersonate YOUR domain to YOUR clients. That's a complementary protection: training teaches your staff not to click, DMARC stops the phishing emails from reaching your clients' inboxes at all. Read the explainer →

  9. 09

    Are you using cloud services for any client data, and which ones?

    What it means

    The insurer wants a list of every cloud service that touches client data: accounting software (Xero, QuickBooks, Sage), document storage (Dropbox, Google Drive, OneDrive), email (Google Workspace, Microsoft 365), file portals (your own, or your software's), MFA tooling, password manager.

    Why they ask

    Each cloud service is a potential breach vector. The insurer wants to know they're all reputable vendors with at least SOC 2 or ISO 27001.

    How Vantyris fits

    Outside Vantyris's scope (we scan your public-facing surface, not your vendor list). But Vantyris's processor list on /legal/privacy is the template format the insurer expects you to maintain: name, purpose, region, where the data lives.

  10. 10

    Have you had any cyber-related incidents in the last 12 months?

    What it means

    Anything from a successful phishing attempt against a partner's email to a malware infection on a workstation to a ransomware attempt. The insurer asks for full disclosure.

    Why they ask

    Honesty matters here. If the insurer finds out later you concealed an incident, they can refuse to pay a claim citing material non-disclosure.

    How Vantyris fits

    Outside Vantyris's scope; this is a recall-and-disclose question. Vantyris's audit-trail history can help reconstruct the timeline of when you noticed a finding, marked it 'accepted with reason', and acted on it.

  11. 11

    Do you have cyber insurance separately from PI?

    What it means

    Most UK PI policies don't fully cover cyber incidents. A dedicated cyber policy covers ransomware payments, breach notification costs, regulatory fines, and business interruption.

    Why they ask

    The insurer is checking your overall risk exposure, not selling you cyber cover (though some carriers offer both).

    How Vantyris fits

    Outside Vantyris's scope; this is an insurance-buying question. The report Vantyris produces is the kind of evidence that lowers your cyber premium, the same way evidence of external scanning lowers your PI premium.

  12. 12

    Can you provide evidence of recent security testing?

    What it means

    A penetration test report (if you've had one), a vulnerability scan report, or an internal audit. The insurer wants something dated within the last 12 months on letterhead.

    Why they ask

    Empty assertion ('we take security seriously') is worth nothing. Dated evidence is worth a premium discount.

    How Vantyris fits

    Every verified Vantyris scan produces a PDF report with the firm's domain in the header, the scan date in the audit-trail footer, the methodology version, and a unique scan ID. Three layouts: full editorial for the file, executive summary for the underwriter, single-issue work order for any specific question the underwriter follows up on. The same data renders as a public trust page (vantyris.com/trust/your-firm-slug) the insurer can verify directly without you forwarding a PDF.

The short version

Of the twelve questions, Vantyris produces real evidence for four: external scanning cadence (Q3), Cyber Essentials alignment (Q2), patching of known vulnerabilities (Q5), and recent security testing (Q12). For the other eight, Vantyris is silent: they're internal-process questions about policy, MFA, backups, training, and incident response.

That's the point. Vantyris doesn't replace the answer to "do you have an incident response plan"; you write that plan yourself. What Vantyris does is take the four external-facing questions off the table by producing dated PDFs and a public trust page URL the insurer can verify themselves. That's typically enough to move the premium needle 3-7% on a firm-wide policy, which pays for the scan budget many times over.

None of this is unique to Vantyris; you could pay £1,800/month for Qualys and get the same evidence. We just don't see the case for a small firm to do that.

Run a free check on your firm's website before the next renewal.

The free teaser scan covers half the external-facing CE controls in 60 seconds. If you like the format, the verified scan is €10 and produces the PDF + trust page you can hand to the underwriter.

Editorial

Vantyris editorial team · methodology v1.0.0 · references: NCSC Cyber Essentials · ICO guidance · CISA KEV catalog