Fig Group

Cyber Essentials for Lloyd's Syndicates Managing Agents, Coverholders & MGAs

Fig Group certifies Lloyd's syndicates, managing agents, coverholders and MGAs across the London Market. We work with the specific compliance reality of Lime Street - PRA SS1/21 operational resilience, Lloyd's Minimum Standards, Principles for Doing Business, and the internal IT standards each managing agent enforces on its bureaux. Certification is delivered on a published flat fee with six-hour turnaround for compliant submissions.

View pricing Speak to the team

The London Market operates on trust, and trust in 2026 requires evidence. Lloyd's managing agents routinely ask their coverholders, MGAs, bureau service providers and data vendors to demonstrate Cyber Essentials as a baseline, with Cyber Essentials Plus increasingly expected for any counterparty touching bound business or claims data. Fig Group assesses every tier of the London Market supply chain on the same flat fee, applies the Cyber Essentials six-hour SLA to compliant self-assessments, and separates Plus into its independent audit timeline. We sit a ten-minute walk from Lime Street.

Why the London Market now requires Cyber Essentials

PRA Supervisory Statement 1/21 put cyber at the top of the supervisory agenda for UK insurers, and Lloyd's Minimum Standards now expect each managing agent to enforce the equivalent framework across its own supply chain. The result: Cyber Essentials is now a near-universal explicit baseline on London Market supplier due-diligence questionnaires.

PRA SS1/21

Operational resilience: impact tolerances for important business services. Put cyber at the top of the supervisory agenda for UK insurers and made it a board-level conversation.

Lloyd's Minimum Standards

Each managing agent is expected to have an equivalent operational-resilience framework in place across its own supply chain - driving the standards downstream into coverholders, MGAs, and bureau service providers.

Supplier DDQs

Increasingly name Cyber Essentials - and increasingly Cyber Essentials Plus - as an explicit baseline alongside ISO 27001 mapping, SOC 2 Type II, and bespoke Lloyd's IT Security Self-Assessments.

The claims-pricing reality

The lowest-cost piece of paper through a DDQ

London Market reinsurers and retro counterparties price in the cyber risk they can see in the chain. Coverholders and MGAs that cannot evidence baseline hygiene get quoted punitive retention loadings or excluded from certain categories altogether. Cyber Essentials will not replace a sophisticated ISMS, but it is the lowest-cost piece of paper that gets a London Market supplier through the first pass of a managing agent's DDQ.

What Cyber Essentials actually covers for a syndicate

The scheme assesses the five NCSC control categories - firewalls, secure configuration, patching within 14 days, user access control with mandatory MFA under v3.3, and malware protection. For a Lloyd's managing agent, the practical scoping decisions usually matter more than the controls themselves.

Bureau workstation domain

Are the bureau workstations running on the managing agent's own domain or the coverholder's? The answer changes which side of the supply chain owns the certificate.

Remote-access VPN

Is the underwriter's VPN terminating into the agent's infrastructure or a third-party broker platform? Determines whether the broker's controls are in scope of yours.

SaaS back-book systems

Does the back-book policy administration system count as in-scope even though it is provided by a software vendor on a SaaS contract? Usually yes - for the user-access and admin-credential controls, at minimum.

When Plus matters

Bound-business and claims data

Cyber Essentials Plus adds an external vulnerability scan of internet-facing assets and a sampled technical audit of end-user devices, confirming the controls operate in practice rather than only on paper. For systems touching bound business or claims data, Plus is increasingly the only variant carrying procurement weight on a managing agent's DDQ.

Fig Group's approach with Lloyd's clients

Four commitments to every Lloyd's syndicate, managing agent, coverholder, and MGA we certify - fixed-fee, fast, and a ten-minute walk from Lime Street.

Same fee regardless of GWP

From £299.99 + VAT for Cyber Essentials, £1,499 + VAT for Cyber Essentials Plus. A coverholder writing £100m GWP a year pays no more than an MGA writing £2m - no revenue-based quoting.

Six-hour SLA

Compliant Cyber Essentials submissions are returned certified within six hours. Plus completes in 1-3 working days. Useful when a managing agent's onboarding deadline is fixed.

Three feedback rounds included

If remediation is needed at any stage, three structured-feedback rounds are included at no additional cost - material when a syndicate's compliance team cannot go back to the R&C committee for a second budget line halfway through.

Ten minutes from Lime Street

Office at 167-169 Great Portland Street, twenty minutes from most City managing agent buildings. Useful when a Plus scoping call benefits from being in the room with the head of IT and the CRO.

6-hour guarantee

Issued within six hours of a compliant submission.

From £299.99 + VAT

Published flat fee. Never quoted on revenue.

IASME licensed

Authorised certification body for CE and CE Plus.

3 free reviews

Included if remediation is needed.

Where Lloyd's Syndicates concentrate in London

Fig Group certifies organisations across every London borough. These boroughs are the main clusters for lloyd's syndicates:

City of London Westminster Tower Hamlets

Lloyd's Syndicates: Frequently asked questions

How quickly can I get Cyber Essentials certified?

Fig Group guarantees Cyber Essentials certification within 6 hours of self-assessment submission for orders placed before midday, provided the submission is compliant. If corrections are needed, up to three rounds of structured feedback are included at no extra cost. Cyber Essentials Plus takes 1-3 working days due to the external technical verification requirement.

How much does Cyber Essentials cost?

Cyber Essentials costs from £299.99 + VAT (micro, 1-9 employees) to £549.99 + VAT (large, 250+ employees). Cyber Essentials Plus costs from £1,499 + VAT to £4,499 + VAT. Fig Group pricing is fully inclusive - no hidden fees, no revenue-based quoting, no mandatory add-ons.

Is Cyber Essentials mandatory?

Cyber Essentials is required under PPN 014/21 for certain UK central-government contracts handling sensitive or personal data. It is also increasingly required by NHS supplier frameworks, local authorities, regulated financial-services counterparties and private-sector enterprise procurement teams as the baseline evidence of foundational cybersecurity.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed questionnaire reviewed by an IASME-licensed assessor. Cyber Essentials Plus adds an external vulnerability scan and a sampled technical audit of end-user devices, independently verifying that the five controls are operating in practice. Both certifications are valid for 12 months and carry the same NCSC badge.

Ready to certify your lloyd's syndicates organisation?

Six-hour guarantee for compliant submissions. Three free review rounds. Published flat fee from £299.99 + VAT.

View pricing Ask a question

Speak to the team

Tell us about your lloyd's syndicates organisation and we will come back with a fixed price and a target certification date.